Installing an existing certificate on a new Splunk Enterprise installation
If you have an existing SSL certificate, whether from Let's Encrypt or another certificate authority, that you'd like to install on a new Splunk Enterprise instance (or a local development instance), this guide walks you through the process step by step and lists what is needed on the local machine. It specifically covers Let's Encrypt certificates obtained with Certbot, but the steps can be adapted for other certificate providers.
Prerequisites
To perform this process, you'll need a Splunk Enterprise web server with:
- Command-line access: via SSH or directly on the web server's console.
- Sudo privileges: you'll need to generate files and move them within the file system.
- Splunk Web access: for validation and troubleshooting.
- Certbot installed: Certbot must be installed before you follow these steps.
If Certbot isn't installed on your server, you can install it using pip3:
pip3 install certbot
Generating and installing an SSL certificate with Certbot on Splunk Enterprise
- Open a terminal connection. If you do not have direct console access, open an SSH connection to the Splunk Enterprise host using its address and your login credentials.
  ssh username@yourdomainname.dev
- Change to the Let's Encrypt live directory for your domain. This makes the following commands shorter, because you do not need to give the full path of each file.
  cd /etc/letsencrypt/live/yourdomainname.dev/
- Add a password to the private key of the certificate you are adding to your Splunk Enterprise instance. The unencrypted private key already exists in /etc/letsencrypt/live/yourdomainname.dev/. The following command prompts you interactively for the password and writes the password-protected key to privkey1.env.pem:
  openssl pkcs8 -topk8 -inform PEM -outform PEM -in privkey1.pem -out privkey1.env.pem
- Combine all the parts of the certificate into a single file named hec.pem. This new file will contain the certificate, the password-protected private key and the full chain, in that order:
  cat cert1.pem >> hec.pem
  cat privkey1.env.pem >> hec.pem
  cat fullchain1.pem >> hec.pem
- Copy the files to the Splunk web folder. This step is needed so that the web server can talk to the REST service; skipping it can cause an error due to a handshake failure between the web server and Splunk Enterprise:
  cp /etc/letsencrypt/live/yourdomainname.dev/privkey.pem /opt/splunk/etc/auth/splunkweb/
  cp /etc/letsencrypt/live/yourdomainname.dev/cert.pem /opt/splunk/etc/auth/splunkweb/
- Check your work using the btool check command:
  /opt/splunk/bin/splunk btool check
  /opt/splunk/bin/splunk btool check --debug
- If everything looks good, start the Splunk Enterprise instance back up (use the full path if the splunk binary is not on your PATH):
  splunk start
  /opt/splunk/bin/splunk start
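As an added pre-flight check that is not part of the original guide, the following Python script inspects a combined PEM bundle such as hec.pem before you start Splunk back up. It verifies the layout the steps above produce (server certificate first, then a passphrase-protected private key, then chain certificates) and flags the most common mistake: concatenating the original privkey1.pem instead of the password-protected privkey1.env.pem. The sample bundles in the script are constructed placeholders, not real key material; run it as python3 check_bundle.py hec.pem on the host.

```python
"""Pre-flight check for a combined Splunk PEM bundle such as hec.pem."""
import re
import sys

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_labels(text):
    """Return the PEM block labels found in text, in file order."""
    return PEM_BLOCK.findall(text)


def check_bundle(text):
    """Return a list of problems; an empty list means the bundle matches the
    layout assembled in the guide: server cert, passphrase-protected key, chain."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    if labels[0] != "CERTIFICATE":
        problems.append("first block is not the server CERTIFICATE")
    keys = [lab for lab in labels if lab.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
        return problems
    if len(keys) > 1:
        problems.append("more than one private key block")
    if keys[0] != "ENCRYPTED PRIVATE KEY":
        problems.append(f"private key is not passphrase-protected ({keys[0]})")
    if "CERTIFICATE" not in labels[labels.index(keys[0]) + 1:]:
        problems.append("no chain certificates after the private key")
    return problems


# Constructed sample bundle with placeholder bodies; not real key material.
SAMPLE_GOOD = (
    "-----BEGIN CERTIFICATE-----\nMIIB...server-cert...\n-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...key...\n-----END ENCRYPTED PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...server-cert...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...intermediate...\n-----END CERTIFICATE-----\n"
)
# Same bundle, but privkey1.pem was concatenated instead of privkey1.env.pem.
SAMPLE_PLAIN_KEY = SAMPLE_GOOD.replace("ENCRYPTED PRIVATE KEY", "PRIVATE KEY")


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAIN_KEY
    problems = check_bundle(text)
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```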
Troubleshooting
To troubleshoot, look at the Splunk Web logs for error messages. The following error most likely indicates a problem with the SSL certificate paths:
Message: splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /services/authentication/users/admin: _ssl.c:1089: The handshake operation timed out',)
If you see it, recheck the file paths and make sure that the privkey.pem and cert.pem files were correctly copied to the Splunk directory. A login screen that fails to load can also be a symptom of this error.
Next steps
These resources might help you understand and implement this guidance: