Updated server.conf cert, fixed 8088 TLS, but broke web gui

jwhitene
New Member

We needed to install a vendor-signed cert so that we could stream info to Splunk into an HTTP Event Collector.

So I made a CSR with openssl, got a vendor cert, copied the private key+public cert+intermediate+root into a server.pem file, and added that and the password into server.conf.

sslPassword = xxxxx
serverCert = /opt/splunk/etc/auth/server.pem
enableSplunkdSSL = true
-ca was already there, I just left it.

sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

Restarted.

The Splunk HTTP Event Collector port was functional and had no errors starting up. We were able to verify that the cert appeared to be installed correctly. openssl s_client -connect localhost:8088 returned the cert no problem. Our streaming service was able to connect and got a 200 OK back from Splunk.

However, now the web GUI is broken. The user/pass prompt screen comes up, but after you log in, it gives you a 500 error. Even in --debug mode, none of the logs in var/log/splunk say anything about the 500 error.

What might be the issue here? Does web.conf need to use the same cert I put into server.conf? Does the server.conf cert need to be trusted in a keystore somewhere?

thanks.

0 Karma

jwhitene
New Member

I figured it out. Well, at least one way to make it work.

Instead of editing server.conf, I added an http section in inputs.conf. That worked to secure the HEC without breaking the web GUI.

inputs.conf
[http]
disabled = 0
index = main
enableSSL = 1
sslPassword = xxxxxx
serverCert = my-full-pem-chain.pem

0 Karma

harsmarvania57
SplunkTrust

Great, you can accept your own answer so that it will be helpful for other community members in the future.

0 Karma

harsmarvania57
SplunkTrust

Hi,

You need to provide your vendor intermediate and root cert in a separate .pem file, like externalCA.pem, and point to that cert in the sslRootCAPath parameter in server.conf.

0 Karma
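
As an added example (not part of the thread and not Splunk's own tooling), the two properties the posts above rely on can be checked offline with openssl: that the private key in the combined server.pem matches its certificate, and that the certificate verifies against the CA file named in sslRootCAPath. The function names are hypothetical; the file paths and the pass-phrase source are supplied as arguments.

```shell
#!/bin/sh
# Added example (not Splunk tooling): offline checks on a combined server.pem.
# Function names are hypothetical; paths and pass-phrase source are arguments.

# Print the first PEM block whose BEGIN line matches regex $2.
first_block() {
    awk -v pat="$2" '$0 ~ pat { inblk = 1 }
        inblk { print }
        inblk && /^-----END / { exit }' "$1"
}

# Print every CERTIFICATE block, skipping the private key.
certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { c = 1 }
        c { print }
        /^-----END CERTIFICATE-----/ { c = 0 }' "$1"
}

# True if the private key in $1 belongs to the first certificate in $1.
# $2 is an openssl pass-phrase source such as env:PEM_PASS or file:/path.
key_matches_cert() {
    key_pub=$(first_block "$1" 'BEGIN .*PRIVATE KEY-----' |
        openssl pkey -passin "$2" -pubout 2>/dev/null) || return 1
    crt_pub=$(first_block "$1" 'BEGIN CERTIFICATE-----' |
        openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# True if the first certificate in $1 verifies against CA file $2 only
# (system CA directory ignored); other certs in $1 act as untrusted helpers.
leaf_chains_to() {
    work=$(mktemp -d) || return 1
    first_block "$1" 'BEGIN CERTIFICATE-----' > "$work/leaf.pem"
    certs_only "$1" > "$work/chain.pem"
    openssl verify -no-CApath -CAfile "$2" -untrusted "$work/chain.pem" \
        "$work/leaf.pem" >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Usage: check_splunk_pem server.pem externalCA.pem env:PEM_PASS
check_splunk_pem() {
    key_matches_cert "$1" "$3" || { echo "key does not match certificate"; return 1; }
    leaf_chains_to "$1" "$2" || { echo "certificate does not chain to $2"; return 2; }
    echo "ok"
}
```

Passing the pass phrase as env:VAR or file:path keeps it out of the process list, unlike pass:.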

deepashri_123
Motivator

Hey @jwhitene,

You can refer to this answer:
https://answers.splunk.com/answers/170065/why-am-i-getting-the-following-error-logging-into.html

Let me know if this helps!!

0 Karma