Secure Splunk Web in Five Minutes Using Let’s Encrypt

Configuring SSL for a public-facing Splunk instance is time-consuming, expensive and essential in today's digital environment. Whether you go with a cloud provider or self-host, RTFM-ing how to generate the keys correctly and how to configure Splunk to use them can be quite confusing. Last year a new certificate authority, Let's Encrypt, was born in an effort to streamline the CA process and make SSL encryption more widely available to users (the service is FREE). In this short tutorial we will cover how to use this new CA to secure your Splunk instance and stop using self-signed certs. Using SSL will help you secure your Splunk instance against MITM attacks. Let's Encrypt follows all of the SSL best practices with none of the frustration.

The only requirements for this five-minute tutorial are:

  • Root/Sudo Access to the server running Splunk Web
  • Ownership of a publicly accessible domain name
  • Internet connectivity for the Splunk server

Configure the domain

One important requirement is that the publicly accessible domain has an A record for the host you are creating a cert for. Additionally, the @ record (the bare domain) must also route to a publicly accessible server: the standalone validation below requests a cert for both names, so both must resolve to the server you run Certbot on.

Example DNS Settings for AnthonyTellez.com:

(screenshot: DNS settings)

Install Certbot & Generate Certs

Thanks to the EFF there is an easy way to automate the cert process using Certbot.
You can find the exact instructions for installing it on your flavor of Linux here: https://certbot.eff.org/
From the drop-down, select "none of the above" and the operating system you are using.
For this example we are going to use Ubuntu 16.04 (Xenial).

Install Certbot on the Splunk server you wish to secure with: sudo apt-get install letsencrypt

Once installed, run the client with the following options, substituting your own domain and subdomain:

$ letsencrypt certonly --standalone -d anthonytellez.com -d splunk-es.anthonytellez.com

At the prompt, fill out your information for key recovery and agree to the TOS.

(screenshot: Certbot interface)

On successful completion, you should see the following message:

(screenshot: Certbot success message)

Take note of the expiration date; you can renew whenever you need to.

Configure Splunkweb

Take a quick peek in /etc/letsencrypt/live/:

root@splunk-es:~# cd /etc/letsencrypt/live/anthonytellez.com/
root@splunk-es:/etc/letsencrypt/live/anthonytellez.com# ls
cert.pem chain.pem fullchain.pem privkey.pem

You will see four .pem files; Splunk Web only needs two of them (fullchain.pem and privkey.pem). The quickest way to get Splunk configured, and to remember where the files live, is to create a directory under /opt/splunk/etc/auth/. In my case I named the directory after the domain to keep things simple and memorable.

mkdir /opt/splunk/etc/auth/anthonytellez
cp fullchain.pem privkey.pem /opt/splunk/etc/auth/anthonytellez/
chown -R splunk:splunk /opt/splunk/

Configure Splunk Web to use the certs by adding the following to $SPLUNK_HOME/etc/system/local/web.conf (a relative privKeyPath is resolved from $SPLUNK_HOME):

[settings]
enableSplunkWebSSL = 1
privKeyPath = etc/auth/anthonytellez/privkey.pem
caCertPath = /opt/splunk/etc/auth/anthonytellez/fullchain.pem

Restart Splunk with ./splunk restart (from $SPLUNK_HOME/bin) and point your browser at the HTTPS version of Splunk Web.

In our example the URL would be: https://splunk-es.anthonytellez.com:8000

(screenshot: Splunk Web over HTTPS)

If you need additional examples, see the docs.splunk.com page "Configure Splunk Web to use the key and certificate files".
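The copy-and-configure steps above as a reusable script, added here as an example that is not part of the post, with two checks worth running before every restart: that privkey.pem actually belongs to fullchain.pem and that the cert is not about to expire. It assumes SPLUNK_HOME=/opt/splunk, a `splunk` service user and the directory name anthonytellez from the tutorial; the RENEWED_LINEAGE variable is what newer certbot releases export to a renewal deploy hook, so with the older `letsencrypt` client used here you run the script by hand instead.

```sh
#!/bin/sh
# Added example, not from the post: install a certbot "live" pair into Splunk's
# auth dir, lock down the key, sanity-check it, and render the web.conf stanza.
# Assumed: SPLUNK_HOME=/opt/splunk, Splunk runs as user "splunk", dir "anthonytellez".
set -eu

# Copy fullchain.pem and privkey.pem from LIVE into DEST; the key is owner-only.
install_splunk_certs() {
  live="$1"; dest="$2"
  [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 1
  mkdir -p "$dest"
  cp "$live/fullchain.pem" "$live/privkey.pem" "$dest/"
  chmod 644 "$dest/fullchain.pem"
  chmod 600 "$dest/privkey.pem"   # private key must not be world-readable
}
# Print the [settings] stanza for $SPLUNK_HOME/etc/system/local/web.conf;
# both paths are relative to $SPLUNK_HOME.
render_web_conf() {
  printf '[settings]\nenableSplunkWebSSL = 1\n'
  printf 'privKeyPath = etc/auth/%s/privkey.pem\n' "$1"
  printf 'caCertPath = etc/auth/%s/fullchain.pem\n' "$1"
}
# Before restarting: the key must belong to the cert (same public key) and the
# cert must have more than 30 days (2592000 s) left. Needs openssl.
check_cert_and_key() {
  dir="$1"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/fullchain.pem" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$dir/privkey.pem" | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
  openssl x509 -noout -checkend 2592000 -in "$dir/fullchain.pem" >/dev/null ||
    { echo "cert expires within 30 days, renew first" >&2; return 1; }
}
# Full deployment for one lineage, e.g. deploy_splunk_cert anthonytellez.com anthonytellez
deploy_splunk_cert() {
  domain="$1"; name="$2"; home="${3:-/opt/splunk}"
  install_splunk_certs "/etc/letsencrypt/live/$domain" "$home/etc/auth/$name"
  chown -R splunk:splunk "$home/etc/auth/$name"
  check_cert_and_key "$home/etc/auth/$name"
  conf="$home/etc/system/local/web.conf"
  [ -f "$conf" ] || render_web_conf "$name" > "$conf"   # keep an existing web.conf
  "$home/bin/splunk" restart
}
# When certbot runs this as a renewal deploy hook it exports RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_splunk_cert "$(basename "$RENEWED_LINEAGE")" anthonytellez
elif [ "$#" -ge 2 ]; then
  deploy_splunk_cert "$1" "$2"   # e.g. sh deploy.sh anthonytellez.com anthonytellez
fi
```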

Thanks for this Anthony! Can't wait to try it on my home Splunk system. I wonder… Will it work if my actual server address uses a dynamic DNS hostname, but I use a CNAME record in my actual public domain to point to the dynamic hostname? Worth a try!

Andrew Dauria
August 15, 2016

Is it possible to use Let’s Encrypt with splunk enterprise on a windows server?
Thanks

Fred Speece
August 16, 2016

Hi Fred,

It looks like it has been marked as an enhancement as of June 2, 2016. Any updates made by EFF to support Windows will likely show up on the github page for Certbot. https://github.com/certbot/certbot/issues/1794

Anthony Tellez
August 16, 2016

Another solid contribution from a genius. Thanks man. Adding this to my to do list cause it’s so clutch.

Burch
August 19, 2016