Changing default certificate

pdevosceazure
Path Finder

I am trying to get my own CA cert for my instance of Splunk web.
I followed this:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Getthird-partycertificatesforSplunkWeb
This gives me 4 files in my home dir.
pk.pem : private key,
mycert.pem : My cert as given by CA
chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem

I verified with openssl that chain.pem and mycert.pem return OK.

Then I went to
http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SecureSplunkWebusingasignedcertificate
"mySplunkWebCertificate.pem": it does not say if that's just mycert or the fullchain.
Which one should it be?
Why are we asked to copy these files into auth/splunkweb while web.conf does not use them?
My web.conf looks like this:
[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = [/home/foo/certs/pk.pem]
serverCert = [/home/foo/certs/fullchain.pem]

(read [ ] as <> )
When I restart Splunk, it stays stuck on
Waiting for web server at https://127.0.0.1:443 to be available.

jworthington_sp
Splunk Employee

Doh, I'm sorry, you are right. For CA-signed certificates you do need the chain. They need to be in the following order:

[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]

So maybe the issue is the order in the chain?

I am thinking that if you have
"chain.pem : CA Root + intermediary
fullchain.pem: I made it as mycert.pem + chain.pem"

Then I think this should give you an end result of
[ server certificate]
[ root certificate (if required) ]
[ intermediate certificate]

So you might try troubleshooting by changing that order to the first example to see if it helps. It seems odd that your certs would check out okay but not work, but SplunkWeb cert configs can be surprisingly touchy. (Oh, and also make sure you are using the version of OpenSSL provided with Splunk!)

Hope this is a little more helpful.

Cheers,
jen

pdevosceazure
Path Finder

Could not get it working. However, replacing cert.pem and privkey.pem directly in /opt/splunk/etc/auth/splunkweb with my fullchain.pem and my private key, renamed as the originals, works OK.

jworthington_sp
Splunk Employee

Are you configuring this on 6.5 or later? The attributes for earlier versions are slightly different, so if you are by any chance working in an earlier version, the attributes above will not work.

For serverCert, I would change the value to your mycert.pem file.

pdevosceazure
Path Finder

Yes, I am on 6.5, but if I use mycert, how does Splunk know where the chain certificates are?
Actually, I tried all of them; none work.
