
SSL errors when contacting minemeld URL

arisat
Engager

I keep getting this error in my Palo Alto App set up to interrogate a Minemeld URL:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)

However, when I use openssl commands from the Splunk server to check the certificate of the Minemeld-server, it is fine. We use internal CA certificates in addition to the OS defaults (properly configured in the OS, of course).

This leads me to suspect that Splunk or the Palo Alto app does not respect the OS settings. Is there a way to get it to do this, or do I have to start configuring this by hand?

0 Karma

btorresgil
Builder

The App ignores the SSL certs in the OS because it doesn't use the OS's python. It uses Splunk's built-in python for everything, so the CA cert would have to be trusted inside Splunk python. Unfortunately I don't know any way to trust certs in Splunk's python, but maybe Splunk support can help with this?

Right now there isn't an option to disable cert verification in the App because it would fail the security checks in Splunk's certification process.

So, I suggest solving the problem one of two ways:

  1. RECOMMENDED: Use a cert that is trusted by Splunk's built-in python.
  2. Disable cert validation by modifying the MineMeld modular input. To do this, edit the file $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py.

In the get_feed_entries() method, find the line that reads:

resp=helper.send_http_request(
    url=feed_url,
    method='GET',
    parameters={'v': 'json', 'tr': 1},
    headers=feed_headers)

Insert this line between the parameters line and headers line:

   verify=False,

Note that it must be indented the same as the lines around it, and must end with a comma.

We'll try to make this modification easier in a future version. Thanks for your feedback.

0 Karma
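
An alternative that keeps certificate validation on, as an added example that is not part of the original thread or the App's own code: the bundled `requests` library also accepts a CA bundle path as `verify`, so the internal CA can be appended to a default bundle and that file passed instead of `False`. The function names and file names are hypothetical, the sample blocks are constructed placeholders, and it is an assumption that `helper.send_http_request` hands `verify` to `requests` unchanged and that the bundled copy resolves CA files as upstream `requests` does (Python 3).

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block found in PEM text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]

def to_pem(der):
    """Re-encode DER bytes as one PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def merge_bundles(default_pem, internal_pem):
    """Append internal CA certs to a default bundle, skipping duplicates."""
    extra = pem_certs(internal_pem)
    if not extra:  # e.g. a DER file or a private key was supplied by mistake
        raise ValueError("internal CA file has no PEM CERTIFICATE block")
    seen = set(pem_certs(default_pem))
    out = default_pem.rstrip("\n") + "\n"
    for der in extra:
        if der not in seen:
            seen.add(der)
            out += to_pem(der)
    return out

def ca_source(verify, environ, bundled_path):
    """CA file used for a given verify= value (upstream requests behaviour)."""
    if verify is False:
        return None                       # validation switched off entirely
    if isinstance(verify, str):
        return verify                     # an explicit bundle path wins
    return (environ.get("REQUESTS_CA_BUNDLE")
            or environ.get("CURL_CA_BUNDLE")
            or bundled_path)              # the OS trust store is never read

if __name__ == "__main__":
    # Constructed placeholder blocks, not real certificates.
    public, internal = to_pem(b"constructed-public-root"), to_pem(b"constructed-internal-ca")
    bundle = merge_bundles(public, internal)
    print(len(pem_certs(bundle)), "certificates in merged bundle")
    print(ca_source(True, {}, "cacert.pem"), ca_source("internal-bundle.pem", {}, "cacert.pem"))
```

With the merged text written to a file, the inserted line becomes `verify='<path to merged bundle>',` rather than `verify=False,`. Like any edit under the App's `bin` directory, it is replaced when the App is upgraded.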

simonr2016
New Member

Did you find an answer to this? Got the exact same issue myself.

The OS is happy with the internal CA but Splunk/PA App seems to completely disregard the OS.

0 Karma

arisat
Engager

Nope. Couldn't even figure out whether how SSL is handled in the Palo Alto App is determined by Splunk itself or by the Palo Alto app. So I had no real chance of finding a conf file to set up to include the internal CA.

Sometimes free support is worth every penny you pay for it 🙂

0 Karma

btorresgil
Builder

Sorry for the slow reply. Posted answer below.

0 Karma

arisat
Engager

Alternatively, I am happy to disable SSL verification. I can't find that option in any of the config files, but I may well be missing something.

Honestly, any help is much appreciated.

0 Karma

davidegarofalo
New Member

I modified this file
/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/requests/adapters.py
before line 209
if url.lower().startswith('https') and verify:

I inserted this
verify = False

In my Splunk it works fine.

bye

0 Karma

micahkemp
Champion

If you consider this the solution to the question asked, consider converting the comment to an answer and accepting it so that this question appears closed.

0 Karma