How to set up SSL for Splunk Server using Let's Encrypt

Posted by Minxuan Sun
Minxuan Sun

In this tutorial, we will use a third-party certificate called Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group.

Splunk Logo

Let’s say you are running a Splunk server with a new self-signed certificate. The self-signed certificate is used to encrypt communication to and from the server. However, some annoying things may happen, such as every time you try to access your Splunk Instance via the web browser, a warning will show up:

 

 

This is because the web browser doesn’t trust the Splunk self-signed certificate. In order to avoid this warning, we can use a trusted third-party certificate instead.

Getting Started

 

Step 1 — Install Let’s Encrypt:

Installation instructions can be found at https://certbot.eff.org/lets-encrypt/centosrhel6-other.

The following commands will install the Let's Encrypt (RedHat / CentOS examples):


wget https://dl.eff.org/certbot-auto

sudo mv certbot-auto /usr/local/bin/certbot-auto

sudo chown root /usr/local/bin/certbot-auto

sudo chmod 0755 /usr/local/bin/certbot-auto


 

Step 2 — Generate certificates and corresponding files:

Run these commands and verify results:


sudo /usr/local/bin/certbot-auto certonly --standalone -d your_domain_name

Then the followings files will be generated and found in /etc/letsencrypt/live/your_domain_name

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

We should set up some permission rules so that the files can be read

chmod 644 cert.pem chain.pem fullchain.pem privkey.pem


 

Step 3 — Place .pem files in a single folder

The purpose of this step is just to place the pem files under the Splunk folder so that they are easy found.


mkdir /opt/splunk/certs/

cp /etc/letsencrypt/live/splunk.query.ai/cert.pem /etc/letsencrypt/live/splunk.query.ai/chain.pem /etc/letsencrypt/live/splunk.query.ai/fullchain.pem /etc/letsencrypt/live/splunk.query.ai/privkey.pem /opt/splunk/certs/


 

Step 4 — Add configurations in web.conf

The web.conf should be located in /opt/splunk/etc/system/local/web.conf.


Add these lines under setting stanza on web.conf:

privKeyPath = /opt/splunk/splunk/certs/privkey.pem

serverCert = /opt/splunk/splunk/certs/fullchain.pem

Restart Splunk by executing

/opt/splunk/bin/splunk restart


Open the Splunk UI URL in the web browser.

The web browser should show the certificate is valid.

 

Step 5 — Add configuration in server.conf

The server.conf should be located in /opt/splunk/etc/system/local/server.conf.


First, we need to create a new file named new_fullchain.pem under '/opt/splunk/splunk/certs/' directory

Then we copy the content of fullchain.pem into new_fullchain.pem

and copy the contents of privkey.pem pasting it in the middle of new_fullchain.pem


There should be three stanzas in new_fullchain.pem: certificate, private key, and certificate.


Add the following lines in server.conf

enableSplunkdSSL = true

serverCert = /opt/splunk/splunk/certs/new_fullchain.pem

sslRootCAPath = /opt/splunk/splunk/certs/chain.pem

Restart Splunk by executing

/opt/splunk/bin/splunk restart

Open your Splunk Server URL in the web browser.

The web browser should show the certificate is valid.

 

Thats its!

You will now be able to securely access your Splunk instance without that annoying certificate error. Happy Splunking!

Click here to learn more about Query.AI and our IRIS app for Splunk. The industries only Security Concierge and a powerful AI analyst's assistant

What did you think?

If you found this helpful or have questions please share thoughts in the comments below.

 

Minxuan Sun

Written by Minxuan Sun

I am a software developer working at Query.AI ( http://query.ai ). Query.AI provides answers and insights on IT and cybersecurity data residing in log and SIEM platforms like Splunk and ELK / Elasticsearch.