Splunk Enterprise

Splunk web server fails to load when using Internal certificate

Willman42
Explorer

I'm trying to configure SSL encryption for my Splunk Light VM instance.

Here is my web.conf file:

[settings]
enableSplunkWebSSL = 1
httpport = 443
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>

Both .key and .pem file are owned by splunk:splunk and have read priv for all. I followed the instructions at (http://wiki.splunk.com/Community:SplunkWeb_SSL_SelfSignedCert_NewRootCA), except for the actual generation and signing of the cert. I have my own Internal CA that I issued the splunk cert with. I created the .pem file by concatenating the splunk.lab.omni.crt file with my CA's .crt file (server first, then root CA).

I don't have enough karma to attach files, so if you want my web_services.log file, I'm not sure how to show it other than a big messy post. I don't see any errors. It acknowledges my .pem and .key files. When I restart splunk, everything passes except at the end it hangs at "Waiting for web server at https://127.0.0.1:443 to be available.." Web access times out, and netstat shows a "CLOSE_WAIT" as the status of my attempted connection.

Any idea what is wrong??

0 Karma

Willman42
Explorer

Actually, it was the <> surrounding the file paths that was the culprit. Removing them fixed the issue.

I had referenced this page (https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate), which shows these brackets surrounding the file paths in the "Configure Splunk Web to use the key and certificate files" section. Perhaps this document should be amended?

lfedak_splunk
Splunk Employee

If you can send that pointer to the Docs team they will check it out! There's a box at the bottom of docs pages to submit comments or feedback.

0 Karma

lfedak_splunk
Splunk Employee

PS you can accept your own solution for karma points 🙂

0 Karma

lfedak_splunk
Splunk Employee

Hey @Willman42, here's some further documentation. https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/SecureSplunkWebusingasignedcertificate I'm not an expert (just an Answers moderator), but I do see a discrepancy in your enableSplunkWebSSL = 1 line -- it says "true" in the documentation. Hope this helps! If you'd like to include the web_services.log file and can remove any materials that could be privacy sensitive I can attach that for you.

Willman42
Explorer

Also, I tested using a .crt file in the serverCert field of my web.conf file, and it works fine. So Splunk does NOT need a .pem file here, nor does it need the CA's certificate concatenated with it. Perhaps this should be reflected in Splunk documentation as well.

0 Karma

Willman42
Explorer

Oh I see. I'm not sure how it was set to 1 because I never edited that line. I see also in my $SPLUNK_HOME/etc/system/default/web.conf that it is set to boolean as well. Thanks for the pointer!

0 Karma

bsoarese
Loves-to-Learn Lots

I have the following setup but it still doesn't work. What am I missing? I'd appreciate suggestions!

httpport = ( 443, 8000 or not set)

https:// (internal or external):httport

[settings]
enableSplunkWebSSL = ture
httpport = 8000
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem>

 

./splunk restart splunkd

0 Karma
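An added example, not part of the thread and not Splunk tooling: a small Python lint for the [settings] stanza of web.conf that flags the mistakes discussed above (documentation-style angle brackets left around privKeyPath/serverCert, and a misspelled boolean). The set of accepted boolean spellings is an assumption of this example, and the sample stanza is constructed from the ones posted in the thread.

```python
import re

# Assumption for this example: the boolean spellings treated as valid.
BOOLEANS = {"true", "false", "1", "0"}
PATH_KEYS = {"privKeyPath", "serverCert"}

def lint_web_conf(text):
    """Return (line_no, key, problem) tuples for the [settings] stanza."""
    findings, stanza = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                      # stanza header such as [settings]
            stanza = m.group(1)
            continue
        if stanza != "settings" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PATH_KEYS:
            if value.startswith("<") or value.endswith(">"):
                findings.append((no, key, "angle brackets are doc placeholders, not part of the path"))
            elif not value:
                findings.append((no, key, "empty path"))
        elif key == "enableSplunkWebSSL" and value.lower() not in BOOLEANS:
            findings.append((no, key, f"'{value}' is not a boolean"))
        elif key == "httpport" and not (value.isdigit() and 0 < int(value) < 65536):
            findings.append((no, key, f"'{value}' is not a TCP port"))
    return findings

# Constructed sample, modelled on the stanzas posted in the thread.
SAMPLE = """\
[settings]
enableSplunkWebSSL = ture
httpport = 8000
privKeyPath = <$SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.key>
serverCert = $SPLUNK_HOME/etc/auth/omniCerts/splunk.lab.omni.pem
"""

if __name__ == "__main__":
    for no, key, problem in lint_web_conf(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

The check is syntactic only: it does not confirm that the files exist, that the certificate matches the key, or that the private key is readable only by the splunk user.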