Configuring SSL for your public facing Splunk instance is time-consuming, expensive and essential in today’s digital environment. Whether you choose to go with a cloud provider or self-hosting; RTFM-ing how to generate the keys correctly and configuring how Splunk should use them can be quite confusing. Last year, a new certificate authority Let’s Encrypt was born in an effort to streamline the CA process and make SSL encryption more widely available to users (The service is FREE). In this short tutorial, we will cover how to make use of this new CA to secure your Splunk instance and stop using self-signed certs. Using SSL will help you to secure your Splunk instance against MITM attacks. Let’s Encrypt utilizes all of the SSL best practices with none of the frustration.
The only requirements for this five-minute tutorial are:
- Root/Sudo Access to the server running Splunk Web
- Ownership of a publicly accessible domain name
- Internet connectivity for the Splunk server
Configure the domain
One important requirement is for the publicly accessible domain to have an A record associated with the host you are creating a cert for. Additionally the @ record must also route to a publicly accessible server.
Example DNS Settings for AnthonyTellez.com:
Install Certbot & Generate Certs
Thanks to EFF there is an easy way to automate the cert process using Certbot.
You can find the exact instructions for getting it installed on your flavor of Linux here: https://certbot.eff.org/
From the drop down you want to select “none of the above” and the operating system you are using.
For this example, we are going to be using Ubuntu 16.04 (Xenial).
Install Certbot on the Splunk server you wish to secure with SSL using: sudo apt-get install letsencrypt
Once installed, use the following command line options for certbot, substituting your domain & subdomain.
$ letsencrypt certonly --standalone -d anthonytellez.com -d splunk-es.anthonytellez.com
At the prompt, fill out your information for key recovery and agree to the TOS.
On successful completion, you should see the following message:
Take note of the expiration date, you can renew whenever you need to.
Configure Splunkweb
Take a quick peek in /etc/letsencrypt/live/
root@splunk-es:~# cd /etc/letsencrypt/live/anthonytellez.com/
root@splunk-es:/etc/letsencrypt/live/anthonytellez.com# ls
cert.pem chain.pem fullchain.pem privkey.pem
You will see four .pem files, you only need to copy two which are needed for Splunk web SSL (fullchain.pem & privkey.pem). The quickest way to get Splunk configured and remember is to create a directory in /opt/splunk/etc/auth/ In my case, I created a directory using the domain name to keep things simple and memorable.
mkdir /opt/splunk/etc/auth/anthonytellez
cp fullchain.pem privkey.pem /opt/splunk/etc/auth/anthonytellez/
chown -R splunk:splunk /opt/splunk/
Configure Splunk web to make use of the certs in $SPLUNK_HOME/etc/system/local/web.conf:
[settings]
enableSplunkWebSSL = 1
privKeyPath = etc/auth/anthonytellez/privkey.pem
caCertPath = /opt/splunk/etc/auth/anthonytellez/fullchain.pem
Restart Splunk using: ./splunk restart and direct your browser to the https version of Splunk web.
In our example the URL would be: https://splunk-es.anthonytellez.com:8000
If you need additional examples, take a peek at docs.splunk.com: Configure Splunk Web to use the key and certificate files.