Splunk Enterprise

SSL Certificate Checker App - How to configure?

coreyCLI
Path Finder

I configured the app; however, it keeps returning to the setup page. Easy fix. Also, I have the ssl_check3.py script working fine and it's pulling cert info as expected; however, the manual (ssl_checker2.py) is failing. I deployed the app via the Deployment server so there is no "local" folder, so no local/ssl.conf either. I looked at the ssl_check2.py and it looks like it's also looking for default/ssl.conf; however, when I manually run the script it returns the error "No such file or directory: '/opt/splunk/etc/apps/ssl_checker/bin/../local/ssl.conf'". I tried, just for testing, to create a local/ssl.conf and it returned this error: "'str' object has no attribute 'decode'". It also created an empty ssl.conf_tmp in local, which I assume is a result of the above error?

coreyCLI
Path Finder

That is the approach I used. Installed the app on the Deployment server proper, configured, then copied to the shcluster/apps directory to push out to the SHs. I also moved this configured copy of the app to the DS and CM servers to push to the indexers in the IDX cluster as well as the deployment clients respectively. I am using our Deployment Server to manage a single Heavy Forwarder per Splunk best practices. Not sure what you mean by "not always the best practice"? There are no UFs in this scenario.

jkat54
SplunkTrust

Which is it?

Deployer = for SHC

Deployment Server = for UFs and sometimes HFs

 

 

0 Karma

coreyCLI
Path Finder

I am using all 3.  Deployer for SHC, Deployment for HF and CM for indexers.   The architecture here is sound and being used appropriately.  Not sure where this line of questioning is going?  The issue seems to stem from the python code in ssl_checker2.py not seeing a configured version of ssl.conf in default and not handling a ssl.conf file in local if one exists there as well? 

Architecture aside.  When I installed the app on a standalone box, configured it, it still was producing the " 'str' object has no attribute 'decode' " error and creating an empty ssl.conf_tmp.

This is a Splunk 8.2.0 instance using python 3.7.10

jkat54
SplunkTrust

What is in inputs.conf?

0 Karma

coreyCLI
Path Finder

[script://./bin/ssl_checker2.py]
disabled = 0
interval = */60 * * * *

[script://./bin/ssl_checker3.py]
disabled = 0
interval = */60 * * * *

0 Karma

jkat54
SplunkTrust

Ok how about ssl.conf?

0 Karma

coreyCLI
Path Finder

[SSLConfiguration]
certPaths = /opt/splunk/etc/apps/appname/fd_certs/, /opt/splunk/etc/slave_apps/appname/fd_certs/

 

This is to cover SH's and indexers as this app is being deployed via the Deployer and the CM.

jkat54
SplunkTrust

Ok, I see the issue.

The app expects you to provide full file paths to the certs if you're using the manual mode.

You're giving it directory paths instead.

(add the file names to your paths)

0 Karma

coreyCLI
Path Finder

I updated ssl.conf with the path to the pem file instead of just the directory.


SH's output this error.....

No such file or directory: '/opt/splunk/etc/apps/ssl_checker/bin/../local/ssl.conf'

SH's, obviously, since they are getting the app from the Deployer, do not have a local directory.  The ssl.conf file is in default.

Indexers output this error still......

'str' object has no attribute 'decode'

The indexers are getting the app from the CM and do have a local/ssl.conf.

 

Thanks!

0 Karma

jkat54
SplunkTrust

I see, so then you'll have to manually drop the ssl.conf file in local or log into each SH individually and configure them via the configuration page.

0 Karma
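An added example, not part of any post in this thread and not the SSL Checker app's own code: a stand-alone preflight that reads ssl.conf with local/ layered over default/, then reports whether each certPaths entry is a directory, a missing path or a PEM file. It assumes ssl.conf is plain INI that Python's configparser can parse; the function names and the constructed app tree in `demo()` are hypothetical.

```python
import configparser
import os
import tempfile

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def load_cert_paths(app_dir):
    """Read certPaths from ssl.conf, letting local/ override default/."""
    parser = configparser.ConfigParser(interpolation=None)
    layers = [os.path.join(app_dir, d, "ssl.conf") for d in ("default", "local")]
    if not parser.read(layers):  # read() skips missing files, later ones win
        raise FileNotFoundError("no ssl.conf in default/ or local/ under " + app_dir)
    raw = parser.get("SSLConfiguration", "certPaths", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def classify(path):
    """Return 'missing', 'directory', 'pem' or 'not-pem' for one certPaths entry."""
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        return "directory"
    with open(path, "rb") as fh:
        data = fh.read()  # bytes
    # Python 3: bytes has .decode(), str does not; calling .decode() on a str
    # raises "'str' object has no attribute 'decode'".
    text = data.decode("ascii", errors="replace")
    return "pem" if PEM_MARKER in text else "not-pem"

def preflight(app_dir):
    return {p: classify(p) for p in load_cert_paths(app_dir)}

def demo():
    """Build a constructed app tree with default/ssl.conf only and check it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "ssl_checker")
        certs = os.path.join(app, "fd_certs")
        os.makedirs(os.path.join(app, "default"))
        os.makedirs(certs)
        pem = os.path.join(certs, "cert.pem")
        with open(pem, "w") as fh:  # constructed placeholder, not a real cert
            fh.write(PEM_MARKER + "\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        gone = os.path.join(certs, "absent.pem")
        with open(os.path.join(app, "default", "ssl.conf"), "w") as fh:
            fh.write("[SSLConfiguration]\ncertPaths = %s/, %s, %s\n" % (certs, pem, gone))
        found = preflight(app)
        return [found[certs + "/"], found[pem], found[gone]]

if __name__ == "__main__":
    print(demo())
```

Run against a real app directory with `preflight("/opt/splunk/etc/apps/ssl_checker")` using the instance's Python 3 interpreter; any entry reported as `directory` or `missing` needs correcting in ssl.conf.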

coreyCLI
Path Finder

Tried that.  Anything that has ssl.conf in the local directory spits out this error message when ssl_checker2.py runs.

'str' object has no attribute 'decode'

 

0 Karma

jkat54
SplunkTrust

Did you have the full file paths in the local ssl.conf?

0 Karma

jkat54
SplunkTrust

Ok, in the example ssl.conf you shared, it was directories, not paths to pem files.  

Can you share ssl.conf, the version of ssl checker you're using and the version of splunk you are using so that I may try to replicate on my end?

0 Karma

coreyCLI
Path Finder

[SSLConfiguration]
certPaths = /opt/splunk/etc/apps/appname/fd_certs/cert.pem, /opt/splunk/etc/slave_apps/appname/fd_certs/cert.pem

 

I don't currently have webtools installed.  I didn't see that anywhere as a requirement for the ssl checker app?

Splunk Version: 8.2.0

Python Version: 3.7.10

0 Karma

jkat54
SplunkTrust

Correct, I keep mixing up the name of the app.

Which version of ssl checker are you using?

 

I will test this week and let you know if I have the same issue or not.

0 Karma

coreyCLI
Path Finder

Sounds good, thanks!

4.0.2

0 Karma

jkat54
SplunkTrust

Does the slave-apps cert exist on the search heads?  If not; that explains why the code can't find it.

0 Karma

coreyCLI
Path Finder

I have tested on a SH just having the one cert in the ssl.conf file that exists on the search head and it still gives the error........

'str' object has no attribute 'decode'

0 Karma

coreyCLI
Path Finder

Yes, I do. Full path down to the pem file.

0 Karma

jkat54
SplunkTrust

If you're deploying via deployment server, then you'll want to treat this like we do dbconnect inputs.

Install and configure on a standalone, then copy the configured app to your deployment server and push.

BTW, it requires Python, so this suggests you're using your DS to manage HFs, which is not always the best practice. If you're deploying to UFs, then it just won't work unless you have a way to make it use the UF's OS-level Python interpreter.

0 Karma