Hello
I'm trying to enable HTTPS on my server.
I'm getting the "splunk https site not secure" message.
Also, SSL is enabled under server settings.
This is my web.conf file:
[settings]
enableSplunkWebSSL = true
privKeyPath = /opt/splunk/etc/auth/wildkey.key
serverCert = /opt/splunk/etc/auth/wildkey.pem
httpport = 8000
When removing the remarks from the rows, Splunk does not start.
What am I doing wrong?
Hi @sarit_s,
Hope you're well. To enable HTTPS without your own certs, use this:
[settings]
enableSplunkWebSSL = true
If you want to add your own certs please follow this guide step by step to be sure you're not missing anything :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/SecureSplunkWebusingasignedcertificate
And here is the documentation for creating your own certs for Splunk :
https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/AboutcreatingcertificatesforSplunk
Please let me know if you're stuck anywhere.
Cheers,
David
Hi David,
Thanks.
This is exactly what I did, but when trying to start Splunk the service is up and the web does not start.
you added this and it's not working ?
[settings]
enableSplunkWebSSL = true
Please check what errors you're getting in /opt/splunk/var/log/splunk/splunkd.log and post it here, we should be able to solve the problem with that
this is what i see:
HttpListener - Socket error from 10.11.44.171:65337 while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read finished A', alert_description='certificate unknown'.
SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate unknown'.
X509Verify - X509 certificate (O=SplunkUser,CN=usnv02splunk01) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:
Check if anything is pointing to Splunk's default certs and make sure that your certs are the ones that Splunk is pointing to :
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug
$SPLUNK_HOME/bin/splunk cmd btool server list --debug
I see this:
/opt/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsLicenseCA.pem
These are the defaults, right? Did you try replacing them with your own files?
No... should I?
The defaults are not for examples?
If you uncommented this then you should be using your own set of keys :
#privKeyPath = /opt/splunk/etc/auth/wildkey.key
#serverCert = /opt/splunk/etc/auth/wildkey.pem
This is what I'm trying to do, but when I uncomment it Splunk Web does not start.
it is working. it was a problem with the cert file
haha... that explains the alert_description='certificate unknown'.
😄 good job !
thanks David for all your help !
most welcome ! Please upvote or accept if it's helpful ! ^^
Please try web.conf with the following settings. Also ensure the certs are "generated by Valid authority" for the browser to identify. The self-signed certs may show errors depending on the browser.
I'm guessing your wildkey.key format may be incorrect or is encrypted?
web.conf
[settings]
enableSplunkWebSSL = true
# absolute paths may be used here. and pem format for priv keys
privKeyPath = $SPLUNK_HOME/etc/auth/myprivatekey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycacert.pem
sslPassword = <password_if_key_is_encrypted>
Your server.conf also needs sslConfig setup
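An added example, not part of the original thread and not Splunk's own tooling: a Python pre-flight check for the web.conf settings discussed above, flagging a privKeyPath or serverCert file that is missing or not PEM, and an encrypted key with no sslPassword. The function names and the header-only sample files are constructed for illustration, and it assumes paths are absolute or start with `$SPLUNK_HOME`.

```python
import configparser
import os
import re
import tempfile

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"  # constructed
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n"                             # constructed

def pem_info(path):
    """Return (PEM block labels, needs_passphrase); labels is [] for DER or junk."""
    with open(path, errors="replace") as fh:
        text = fh.read()
    labels = PEM_LABEL.findall(text)
    return labels, "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text

def check_web_conf(conf_text, splunk_home="/opt/splunk"):
    """Return a list of problems in the [settings] stanza of a web.conf."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    s = cp["settings"] if cp.has_section("settings") else {}
    problems = []
    if s.get("enableSplunkWebSSL", "").strip().lower() not in ("true", "1"):
        problems.append("enableSplunkWebSSL is not true")
    for key, wanted in (("privKeyPath", "PRIVATE KEY"), ("serverCert", "CERTIFICATE")):
        raw = s.get(key, "").strip()
        if not raw:
            continue  # commented out or absent: no custom file to inspect
        path = raw.replace("$SPLUNK_HOME", splunk_home)
        labels, encrypted = pem_info(path) if os.path.isfile(path) else (None, False)
        if labels is None:
            problems.append(f"{key}: {path} not found")
        elif not any(label.endswith(wanted) for label in labels):
            problems.append(f"{key}: no PEM '{wanted}' block (DER or wrong file?)")
        elif key == "privKeyPath" and encrypted and not s.get("sslPassword", "").strip():
            problems.append("privKeyPath: key is encrypted but sslPassword is empty")
    return problems

def demo():
    """Check a constructed web.conf against header-only sample files in a temp dir."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "etc", "auth"))
    for name, body in (("wildkey.key", SAMPLE_KEY), ("wildkey.pem", SAMPLE_CERT)):
        with open(os.path.join(home, "etc", "auth", name), "w") as fh:
            fh.write(body)
    conf = ("[settings]\nenableSplunkWebSSL = true\nprivKeyPath = $SPLUNK_HOME/etc/auth/wildkey.key\n"
            "serverCert = $SPLUNK_HOME/etc/auth/wildkey.pem\n")
    return check_web_conf(conf, splunk_home=home)
```

It only inspects PEM headers, so it does not confirm that the key matches the certificate or who issued it.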
Thanks.
This is the config I have in server.conf:
[sslConfig]
sslPassword =
What password is it, do you know? Should I change it?
Also, can you please guide me on how to create the certificate so it will be accepted by the browser? It is not me who creates the certs and I want to guide the relevant guy.
The certificate needs to be created by an authorised authority if it has to be valid in a browser. Please have a read on: https://en.wikipedia.org/wiki/Certificate_authority . Your organisation may already have a team to do this and liaise with a Certificate Authority (CA) already.