SSL configuration causing Mongo issues

sparrowe
Explorer

Hello,

I was hoping for some additional thoughts. After I updated my Search Head to use custom certs, I started getting the following error:

ERROR IntrospectionGenerator:resource_usage -  MongoDriver - mongoc: Cannot find certificate in ''

Running Splunk 7.2.3 on Linux

/opt/splunk/bin/splunk btool server list sslConfig
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/mycacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = AES256-GCM-SHA384
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
requireClientCert = false
sendStrictTransportSecurityHeader = false
serverCert = /opt/splunk/etc/auth/mycerts/.pem
sslPassword = 
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myca.pem
sslVersions = tls1.2
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true

esalesapns2
Path Finder

I was getting this error due to an omission in my certificate. The certificate's "Subject" has no "O=", "OU=", or "DC=" specified. The default certificate created by Splunk uses "O=SplunkUser". Since mine was created with HashiCorp Vault, I don't see a way to get it to add one of those in addition to the "CN=" in the Subject, so I guess I won't be able to use Vault-generated certificates for my kvstore.

0 Karma

Andrew_Callan
Explorer

Are you running this on a STIG-ed machine by any chance?

0 Karma

jsmithn
Path Finder

Having the same problem and yes, on a STIG-ed machine. The error started when enabling FIPS mode, including a new SSL certificate (generated w/FIPS enabled and using the "splunk cmd openssl" commands). Any recommendations?

0 Karma

jsmithn
Path Finder

For my issue I discovered I needed to create a [kvstore] stanza in server.conf for FIPS to work.

[kvstore]
caCertFile = path
serverCert = path
sslPassword = password

Andrew_Callan
Explorer

@jsmithn has it right; this is what I had to do to fix it also.

harsmarvania57
SplunkTrust

Hi,

While looking at your configuration, it looks like the .pem file name is incorrect for serverCert.

It should be like this:
serverCert = /opt/splunk/etc/auth/mycerts/yourcert.pem

Also, sslPassword = is blank; you need to provide your cert key password.

0 Karma

sparrowe
Explorer

Thanks for your thoughts.

I apologize, I was unclear. I purposefully omitted my serverCert name when I pasted the configs. I also changed my real password to the word password surrounded by carets, but it seems the XML on this form removed that.

SSL is working properly for sending and receiving data using my custom cert. I'm just not sure what I did to kill MongoDB.

0 Karma

harsmarvania57
SplunkTrust

I did the below configuration in my lab environment and it is working fine (Splunk 7.2.6).

server.conf

[sslConfig]
sslPassword = $7$blablabla==
serverCert = /opt/splunk/etc/auth/mycert/server_combined.pem
sslRootCAPath = /opt/splunk/etc/auth/mycert/CAcert.pem

In server_combined.pem, the below key and cert are present in the given order:

1.) server cert pem
2.) server cert key
3.) CA cert pem

0 Karma
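
The block order listed in the post above (server cert, key, CA cert) can be checked on a combined PEM file before restarting Splunk. This is an added example, not code from any poster in this thread or from Splunk; it inspects only PEM block labels and their order, does not verify that the key matches the certificate, and `fake_block` plus the sample data are constructed for the demo.

```python
import re
import sys

# PEM labels that carry a private key (PKCS#1, PKCS#8, encrypted PKCS#8, SEC1 EC).
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY"}
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def pem_labels(text):
    """Return PEM block labels in file order; raise ValueError on unbalanced markers."""
    labels, open_label = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BOUNDARY.match(line.strip())
        if not m:
            continue  # base64 body, key headers, or text between blocks
        kind, label = m.groups()
        if kind == "BEGIN" and open_label is None:
            open_label = label
        elif kind == "END" and label == open_label:
            labels.append(label)
            open_label = None
        else:
            raise ValueError(f"line {lineno}: unexpected {kind} {label}")
    if open_label is not None:
        raise ValueError(f"{open_label} block has no END marker")
    return labels

def check_combined_pem(text):
    """Return a list of problems; empty means: server cert, then key, then CA cert(s)."""
    try:
        labels = pem_labels(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate")
    if len(labels) < 2 or labels[1] not in KEY_LABELS:
        problems.append("second block must be the server private key")
    if len(labels) < 3 or any(l != "CERTIFICATE" for l in labels[2:]):
        problems.append("remaining blocks must be CA certificate(s) only")
    return problems

def fake_block(label):
    # Constructed placeholder block for the demo; not real certificate or key material.
    return f"-----BEGIN {label}-----\nQUJD\n-----END {label}-----\n"

if __name__ == "__main__":
    sample = fake_block("CERTIFICATE") + fake_block("RSA PRIVATE KEY") + fake_block("CERTIFICATE")
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample
    print(check_combined_pem(text) or "block order OK")
```

Run it with the path to the combined file as the only argument; with no argument it checks the constructed sample.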