All,
To start with, I am not good with SSL issues. Second, I inherited this instance of Splunk with no documentation of any kind so I'm reverse engineering everything.
That being said, another team in my company sent me the following notice from Hobbit:
SSL certificate for https://nn.nn.nn.nn:8000/ expires in 9 days
Server certificate:
subject:/CN=<indexer name>/O=SplunkUser
start date: 2011-08-09 20:55:35 GMT
expire date:2014-08-08 20:55:35 GMT
key size:1024
issuer:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
I don't know how they set this up or where they are getting this information. So I get on the server and follow a procedure that I received from Splunk support a while ago to regenerate certs:
If you were using the stock certificates, you can regenerate them with this method:
- to recreate a new splunkweb certificate:
delete (or move) the files $SPLUNK_HOME/etc/auth/splunkweb/cert.pem and privkey.pem
and restart splunk
- to recreate a new splunkd certificate:
delete (or move) the files $SPLUNK_HOME/etc/auth/server.pem
and restart splunk
I did this but I'm still seeing the Hobbit message. So I run a grep for "[sslConfig]" to see if I can trace down the issue. What I find is this:
In "etc/system/local/server.conf":
[sslConfig]
sslKeysfilePassword = <secret code>
In "var/run/splunk/merged/server.conf":
[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
enableSplunkdSSL = true
sslKeysfile = server.pem
sslKeysfilePassword = <secret code>
supportSSLV3Only = false
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
I then look at the "$SPLUNK_HOME/etc/auth/cacert.pem" file and see that it is just over 3 years old. But I don't know if this is where my problem is or not.
What I need to know is how to check in Splunk what the status of all my certs is (how old they are, etc.). Regenerating what I need will be another issue.
~Ed
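One way to get the "how old are my certs" answer directly from the files Splunk is using, as an added example that is not part of the original thread: it runs openssl against the stock locations named in the merged server.conf above (caPath/caCertFile, caPath/sslKeysfile, and splunkweb's own cert.pem, which is the one behind port 8000 that Hobbit is checking). It assumes $SPLUNK_HOME is set and that openssl is on the PATH; the 30-day threshold is an arbitrary default.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Report validity of the stock
# Splunk certificate files with openssl and flag any that expire soon.

# Print subject, issuer and notBefore/notAfter for one PEM file. Returns 0 if
# the cert is still valid for at least $2 days, 1 if it expires sooner, 2 if
# the file is missing. openssl x509 reads the first CERTIFICATE block, so a
# server.pem that also carries the password-protected private key is fine.
cert_report() {
    pem="$1"
    min_days="${2:-30}"
    if [ ! -r "$pem" ]; then
        printf '%s: not found or unreadable\n' "$pem"
        return 2
    fi
    openssl x509 -in "$pem" -noout -subject -issuer -dates
    # -checkend takes seconds; exit status 0 means "will not expire by then"
    if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        printf '%s: OK (valid for at least %s days)\n' "$pem" "$min_days"
        return 0
    fi
    printf '%s: WARNING, expires within %s days\n' "$pem" "$min_days"
    return 1
}

# Walk the stock locations: cacert.pem is the Splunk CA (caCertFile),
# server.pem the splunkd cert (sslKeysfile), splunkweb/cert.pem the web cert
# served on port 8000. Returns non-zero if any file is missing or expiring.
check_splunk_certs() {
    auth="${SPLUNK_HOME:?set SPLUNK_HOME first}/etc/auth"
    rc=0
    for f in "$auth/cacert.pem" "$auth/server.pem" "$auth/splunkweb/cert.pem"; do
        cert_report "$f" "${1:-30}" || rc=1
    done
    return $rc
}
```

Run `check_splunk_certs 9` to mirror Hobbit's nine-day warning; the exit status makes it usable from cron or a monitoring check.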
I ran the procedure suggested by Splunk support a second time, and it worked. I don't know why. I guess I can blame it on Solar Flares. The message now reads:
SSL certificate for https://nn.nn.nn.nn:8000/ expires in 1095 days
Server certificate:
subject:/CN=<indexer name>/O=SplunkUser
start date: 2014-07-31 14:23:43 GMT
expire date:2017-07-30 14:23:43 GMT
key size:1024
issuer:/C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/emailAddress=support@splunk.com
What procedure/command do you run to get this output?
That output is produced from Hobbit, not Splunk. Hobbit is a variant of BigBrother. I just realized the date on your question. Well I hope this helps anyway. 😄