I keep getting this error in my Palo Alto App set up to interrogate a Minemeld URL:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
However, when I use openssl commands from the Splunk server to check the certificate of the Minemeld-server, it is fine. We use internal CA certificates in addition to the OS defaults (properly configured in the OS, of course).
This leads me to suspect that Splunk or the Palo Alto app does not respect the OS settings. Is there a way to get it to do this, or do I have to start configuring this by hand?
The App ignores the SSL certs in the OS because it doesn't use the OS's python. It uses Splunk's built-in python for everything, so the CA cert would have to be trusted inside Splunk python. Unfortunately I don't know any way to trust certs in Splunk's python, but maybe Splunk support can help with this?
Right now there isn't an option to disable cert verification in the App because it would fail the security checks in Splunk's certification process.
So, I suggest solving the problem one of two ways:
$SPLUNK_HOME/etc/apps/Splunk_TA_paloalto/bin/input_module_minemeld_feed.py. In the get_feed_entries() method, find the line that reads:
resp=helper.send_http_request(
    url=feed_url,
    method='GET',
    parameters={'v': 'json', 'tr': 1},
    headers=feed_headers)
Insert this line between the parameters line and headers line:
    verify=False,
Note that it must be indented the same as the lines around it, and must end with a comma.
We'll try to make this modification easier in a future version. Thanks for your feedback.
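An alternative that keeps verification on, shown as an added example that is not part of the original answer or the app's code: requests accepts a path to a CA bundle as the verify value, so the internal CA can be appended to a copy of a base bundle. That send_http_request forwards such a path unchanged is an assumption, and the function names, output path and sample PEM blocks below are constructed for illustration.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def pem_blocks(text):
    """Return [(sha256 of DER, PEM text)] for each certificate block in text."""
    found = []
    for block in PEM_BLOCK.findall(text):
        # Raises ValueError if the block is not well-formed PEM/base64.
        der = ssl.PEM_cert_to_DER_cert(block)
        found.append((hashlib.sha256(der).hexdigest(), block))
    return found


def merge_ca_bundle(base_pem, extra_pem, out_path):
    """Write the base bundle plus every CA in extra_pem that it lacks.

    Returns the number of certificates appended."""
    base = pem_blocks(base_pem)
    seen = {digest for digest, _ in base}
    added = []
    for digest, block in pem_blocks(extra_pem):
        if digest not in seen:
            seen.add(digest)
            added.append(block)
    with open(out_path, "w") as fh:
        fh.write("\n".join([b for _, b in base] + added) + "\n")
    return len(added)


def placeholder_pem(label):
    """Constructed sample input: PEM framing only, not a real X.509 cert."""
    body = base64.b64encode(label.encode("ascii")).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


PUBLIC_ROOT = placeholder_pem("constructed public root")
INTERNAL_CA = placeholder_pem("constructed internal CA")

if __name__ == "__main__":
    # Hypothetical output path; with real files, read bundle and CA from disk.
    print(merge_ca_bundle(PUBLIC_ROOT, INTERNAL_CA, "merged-ca-bundle.pem"))
    # Assumption: the path is then passed as verify="<path>", not verify=False.
```

The merge skips any CA already present in the base bundle, so re-running it after an app upgrade does not duplicate entries.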
Did you find an answer to this? Got the exact same issue myself.
The OS is happy with the internal CA but Splunk/PA App seems to completely disregard the OS.
Nope. Couldn't even figure out if how SSL is handled in the Palo Alto App is being determined by Splunk itself, or the Palo Alto app. So I had no real chance of finding a conf file to set up to include the internal CA.
Sometimes free support is worth every penny you pay for it 🙂
Sorry for the slow reply. Posted answer below.
Alternatively, I am happy to disable SSL verification. I can't find that option in any of the config files, but I may well be missing something.
Honestly, any help is much appreciated.
I modified this file
/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/requests/adapters.py
before line 209
if url.lower().startswith('https') and verify:
I insert this
verify = False
In my Splunk it works fine.
Bye
If you consider this the solution to the question asked, consider converting the comment to an answer and accepting it so that this question appears closed.