Reporting

Certificate issues with PDF Server

jts
Engager

I've recently installed the pdfserver application and am having issues getting it to generate PDF documents. When I click on the status page (manager -> system settings -> email alert settings), the image that appears in the blue box (PDF container) displays a firefox certificate warning.

I have started both the splunk version of firefox and the default redhat version of firefox on the server running splunk pdfserver, connected to the same URL (both port 8000 and 8089), and accepted the certificates permanently. Where do I need to accept/import the CA certificate so I can begin generating PDF reports?

Tags (1)

zpavic
Path Finder

Hi jagresz, exactly the same problem here with Splunk 4.3.4 and pdfserver 1.3!
That's because you use Splunk Web on port 443 with SSL. Probably issue in pdfserver script.

To work around this problem, follow only these steps:

  • Issue 1

python.log:

WARNING pdfhandler:551 - Restricting Firefox to following hosts only: *:53 192.168.10.10
WARNING Restricting Firefox to following hosts only: *:53 192.168.10.10

Generated PDF:

Unable to connect

Solution:

In configuration file pdfserver/default/pdf_server.conf** uncomment:

restrict_to_splunkweb = False
  • Issue 2

python.log:

INFO    pdfhandler:558 - Executing /opt/splunk/etc/apps/pdfserver/bin/firefox-i386/firefox -print https://192.168.10.10/en-US/.

Generated PDF:

This Connection is Untrusted

Solution:

In pdfserver script pdfserver/bin/pdfhandler.py** add these code in lines:

383: if port == None: port = 443
664: if target_port == None: target_port = 443

Happy splunking!

jagresz
Explorer

zpavik, thanks for the workaround, it turned out only the previews contained that error page, scheduled pdf reports generated fine... 8-/

0 Karma

jagresz
Explorer

Hi,
Same situation here, I've copied cert_override.txt to the default profile directory, the test pdf generates right, but the dashboard pdf preview contains an untrusted warning only.

This is the python.log during the dashboard pdf preview:

2012-08-22 18:12:31,222 INFO Starting PDF App Renderer Version 1.3

2012-08-22 18:12:31,235 WARNING pdfhandler:458 - body=Splunk;4.3.2;4.3.2

2012-08-22 18:12:31,235 WARNING body=Splunk;4.3.2;4.3.2

2012-08-22 18:12:31,235 WARNING pdfhandler:459 - entries=['Splunk', '4.3.2', '4.3.2']

2012-08-22 18:12:31,235 WARNING entries=['Splunk', '4.3.2', '4.3.2']

2012-08-22 18:12:31,240 INFO xvfb:45 - Started new X server. Now 1 active

2012-08-22 18:12:31,240 INFO Started new X server. Now 1 active

2012-08-22 18:12:31,245 INFO xvfb:205 - Assigned DISPLAY :5

2012-08-22 18:12:31,245 INFO Assigned DISPLAY :5

2012-08-22 18:12:31,245 INFO xvfb:115 - Starting X Server: ['/usr/bin/Xvfb', ':5', '-screen', '0', '3000x768x24', '-nolisten', 'tcp']

2012-08-22 18:12:31,245 INFO Starting X Server: ['/usr/bin/Xvfb', ':5', '-screen', '0', '3000x768x24', '-nolisten', 'tcp']

2012-08-22 18:12:31,245 INFO xvfb:116 - Starting X Server env: {'XAUTHORITY': '/opt/splunk/var/run/splunk/xvfb/xauth-5/Xauthority'}

2012-08-22 18:12:31,245 INFO Starting X Server env: {'XAUTHORITY': '/opt/splunk/var/run/splunk/xvfb/xauth-5/Xauthority'}

2012-08-22 18:12:33,249 INFO xvfb:122 - X Started

2012-08-22 18:12:33,249 INFO X Started

2012-08-22 18:12:33,302 WARNING pdfhandler:419 - Created profile /tmp/tmp43TJBV/.mozilla/firefox/1ngh5dvf.splunk

2012-08-22 18:12:33,302 WARNING Created profile /tmp/tmp43TJBV/.mozilla/firefox/1ngh5dvf.splunk

2012-08-22 18:12:33,308 WARNING pdfhandler:551 - Restricting Firefox to following hosts only: *:53 10.10.5.181

2012-08-22 18:12:33,308 WARNING Restricting Firefox to following hosts only: *:53 10.10.5.181

2012-08-22 18:12:33,308 INFO pdfhandler:558 - Executing /opt/splunk/etc/apps/pdfserver/bin/firefox-x86_64/firefox -print https://(path-to-view) -printmode pdf -printfile /tmp/tmpYJShzA -title Splunk Report -orientation portrait -paperwidth 219 -paperheight 297 -mode splunk -timeout 180 -windowsize 793x768 -footer_right Generated by Splunk at &D -cookie session_id_None=c758a3880a6fa6ab0b413eb324fd62f74db3b16b -P splunk

2012-08-22 18:12:33,308 INFO Executing /opt/splunk/etc/apps/pdfserver/bin/firefox-x86_64/firefox -print https://(path-to-view) -printmode pdf -printfile /tmp/tmpYJShzA -title Splunk Report -orientation portrait -paperwidth 219 -paperheight 297 -mode splunk -timeout 180 -windowsize 793x768 -footer_right Generated by Splunk at &D -cookie session_id_None=c758a3880a6fa6ab0b413eb324fd62f74db3b16b -P splunk

2012-08-22 18:15:34,450 INFO pdfhandler:628 - Generated pdf file. bytes=31423 time=181.14

2012-08-22 18:15:34,450 INFO Generated pdf file. bytes=31423 time=181.14

2012-08-22 18:15:34,453 WARNING pdfhandler:749 - Firefox timed out while waiting for the report to be rendered - Incomplete snapshot generated

2012-08-22 18:15:34,453 WARNING Firefox timed out while waiting for the report to be rendered - Incomplete snapshot generated

2012-08-22 18:15:34,454 WARNING xvfb:132 - Stopping X Server 5

2012-08-22 18:15:34,454 WARNING Stopping X Server 5



In my view the problem is that Firefox creates a profile in the temporary directory (/tmp/tmp43TJBV) instead of splunk user's home, and does nothing with default profile preferencies. There is a cert_override.txt file in this temporary profile, but it has incorrect content and has nothing to do with the default one, therefore gives the browser this cert warning.

I've searched a lot for the solution related to my problem, but this is the only ticket without an answer 😞

Any help would be appreciated! Thanks


Versions:

splunk: 4.3.2, build 123586

pdfserver: 1.3


0 Karma

hotsplunk
New Member

Hi, Experiencing this problem even though I have installed a correct cert_override.txt in the correct directory. testing works fine, yes I have the latest version. only fails and emails me a PDF with the Firefox 'this connection is untrusted' in it, when firing from an alert. Do it by hand, all ok. doing 'ps -ef|grep splunk' reveals correct https url in the params being passed to Firefox e.g. ...x86_64/firefox-bin -print https://NSW-JB-SPLUNK2:443/app/search/@go?sid=scheduler__admin__search_dGVzdCA0NTY_at_1312864440_f88... -printmode pdf ... ANY help appreciated, cheers.

0 Karma

vbumgarner
Contributor

It turns out, the exception doesn't have to be created by splunk's Firefox. You can make the exception on a Firefox on your local machine, find the cert_override.txt, and drop it in.

0 Karma

jts
Engager

Thank you. That worked!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

It appears to me (with some debugging) that the certificate override is never called, because the underlying HTTP request object never returns a certificate. It seems to me that as of Splunk version 4.1.3, running PDF server in an SSL-enabled SplunkWeb simply doesn't work.

jrodman
Splunk Employee
Splunk Employee

For new arrivals: with current Splunk (4.1.8/4.2+) with pdfserver ad acquired live from splunkbase, it is at least working for a variety of test cases. I think we're now at the point where we should ensure the current version is in use and then resort to tech support.

0 Karma

Lowell
Super Champion

That's weird. It looks like there is code in pdfhandler.py (notably the function add_cert_exception) to handle certificate overrides, and it seems like it's called whenever a profile is created...

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...