Securing Splunk web interface with Let’s Encrypt

   Posted by: Dante   in General

The availability of Let’s Encrypt in most modern browsers’ trust stores is pretty awesome. Combine that with an easy-to-use interface for generating and renewing certificates and you’ve got a winning platform.

Today we’ll look into generating a certificate with Let’s Encrypt to secure a Splunk Enterprise installation. This howto assumes a couple of things:

  1. Splunk is installed under /opt/splunk
  2. Let’s Encrypt binaries are under /opt/letsencrypt

Let’s get started! First, make a backup of the current key and certificate under /opt/splunk/etc/auth/splunkweb (privkey.pem and cert.pem). Those are the self-signed pair Splunk generated at install, and you’ll want them back if anything goes wrong. To issue the new certificate we’ll use the standalone authenticator from Let’s Encrypt (not the webroot one): it spins up its own temporary web server on port 80 so the CA can validate that you control the hostname. That means port 80 must be free on the Splunk host (Splunk Web listens on 8000, so normally it is) and open to the internet under the name you are requesting. Run ‘letsencrypt-auto certonly’ from the Let’s Encrypt folder, then pick the temporary webserver (standalone) option when prompted. The new files are written under /etc/letsencrypt/live/(YOUR HOST)/: privkey.pem, cert.pem, chain.pem and fullchain.pem.

Next up we’ll point Splunk at the generated files. Splunk Web expects the key as privkey.pem and the certificate as cert.pem in its splunkweb auth folder, so with the default folders we can simply symlink them. Use fullchain.pem, not cert.pem, for the certificate side: it holds the leaf certificate followed by the Let’s Encrypt intermediate, and without the intermediate many browsers cannot build the chain and will still warn. The -f is needed because the original files are still in place after the backup:

  • cd /opt/splunk/etc/auth/splunkweb
  • ln -sf /etc/letsencrypt/live/(YOUR HOST)/privkey.pem ./privkey.pem
  • ln -sf /etc/letsencrypt/live/(YOUR HOST)/fullchain.pem ./cert.pem

One caveat: everything under /etc/letsencrypt is owned by root, and the private key is not readable by other users. If splunkd runs as a dedicated non-root account, it cannot read through those symlinks and Splunk Web will fail to start. In that case copy the two files into the folder instead, chown them to the Splunk user, and repeat the copy after each renewal.

After that, log into Splunk Web on port 8000 (the default), go to Settings > Server settings > General settings and tick ‘Enable SSL (HTTPS) in Splunk Web’. Restart Splunk (‘/opt/splunk/bin/splunk restart’; a reboot of the whole server is not needed) and it should now serve HTTPS on port 8000. Check it from a client with a browser, or with ‘openssl s_client -connect (YOUR HOST):8000 -servername (YOUR HOST)’, and confirm that the chain shown ends at the Let’s Encrypt intermediate rather than at a self-signed Splunk certificate. Keep in mind that Let’s Encrypt certificates are valid for 90 days: the symlinks follow the live/ folder, so a renewal drops the new files into place, but Splunk Web only reads the key and certificate at startup, so restart it after every renewal.
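To make the whole procedure repeatable, and checkable before it touches a production instance, here is the sequence above as a small POSIX shell script. This is an added example, not code from the original post nor from Splunk or Let’s Encrypt. It assumes the post’s default paths (/opt/splunk, /opt/letsencrypt, /etc/letsencrypt/live), read from the environment so they can be overridden; the ‘letsencrypt-auto certonly --standalone -d’ invocation; and the web.conf key enableSplunkWebSSL under [settings] as the configuration form of the UI checkbox. The script name splunk-le.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the steps above as checkable
# shell functions. Paths follow the post (SPLUNK_HOME=/opt/splunk,
# LE_HOME=/opt/letsencrypt, live certs under /etc/letsencrypt/live) and can
# be overridden through the environment. Run as: ./splunk-le.sh <hostname>
# (the script name is a placeholder).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LE_HOME="${LE_HOME:-/opt/letsencrypt}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Step 1: keep a timestamped copy of the key and certificate Splunk Web uses
# now (the self-signed pair from install, or an earlier Let's Encrypt pair).
# Prints the timestamp so the caller knows which backup was made.
backup_splunk_certs() {
    auth="$SPLUNK_HOME/etc/auth/splunkweb"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in privkey.pem cert.pem; do
        [ -e "$auth/$f" ] || continue
        cp -p "$auth/$f" "$auth/$f.bak-$stamp" || return 1
    done
    echo "$stamp"
}

# Step 2: ask Let's Encrypt for a certificate with the standalone
# authenticator. It binds port 80 itself, so nothing else may listen there
# and the host must be reachable on it from the internet.
issue_cert() {
    "$LE_HOME/letsencrypt-auto" certonly --standalone -d "$1"
}

# Step 3: point the file names Splunk Web expects at the live/ symlinks.
# fullchain.pem (leaf + intermediate) becomes cert.pem; serving the leaf
# alone leaves browsers without the intermediate. The -r test reflects the
# user running this script: run it as the splunkd user if that is not root,
# because the Let's Encrypt private key is root-only.
link_certs() {
    host="$1"
    auth="$SPLUNK_HOME/etc/auth/splunkweb"
    for f in privkey.pem fullchain.pem; do
        if [ ! -r "$LE_LIVE/$host/$f" ]; then
            echo "cannot read $LE_LIVE/$host/$f (not issued, or wrong user)" >&2
            return 1
        fi
    done
    ln -sf "$LE_LIVE/$host/privkey.pem" "$auth/privkey.pem" &&
        ln -sf "$LE_LIVE/$host/fullchain.pem" "$auth/cert.pem"
}

# Step 4: the config equivalent of ticking "Enable SSL (HTTPS) in Splunk
# Web" under Settings > Server settings: enableSplunkWebSSL = true in the
# [settings] stanza of etc/system/local/web.conf. An existing value of the
# key is replaced; every other line of the file is left alone.
enable_web_ssl() {
    conf="$SPLUNK_HOME/etc/system/local/web.conf"
    mkdir -p "${conf%/*}" || return 1
    [ -f "$conf" ] || printf '[settings]\n' > "$conf"
    tmp="$conf.tmp.$$"
    awk '
        /^\[/ { in_settings = ($0 == "[settings]") }
        in_settings && /^enableSplunkWebSSL[ \t]*=/ { next }
        { print }
        $0 == "[settings]" { print "enableSplunkWebSSL = true"; added = 1 }
        END { if (!added) print "[settings]\nenableSplunkWebSSL = true" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 5: after the restart, show what clients actually receive on 8000.
check_tls() {
    host="$1"
    openssl s_client -connect "$host:8000" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

main() {
    host="$1"
    backup_splunk_certs >/dev/null || exit 1
    issue_cert "$host" || exit 1
    link_certs "$host" || exit 1
    enable_web_ssl || exit 1
    "$SPLUNK_HOME/bin/splunk" restart || exit 1
    check_tls "$host"
}

# Only act when a hostname is given, so the functions can be sourced or
# exercised against a scratch directory without touching a live Splunk.
if [ $# -gt 0 ]; then main "$1"; fi
```

Each function fails loudly and stops the sequence, so a half-applied change (say, symlinks pointing at files the Splunk user cannot read) never reaches the restart. Restarting Splunk after every renewal is what makes the live/ symlinks useful: Splunk Web reads the key and certificate once, at startup.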

Leave a comment if you had any issues or suggestions!


This entry was posted on Tuesday, April 26th, 2016 at 4:38 am and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
