    Splunk < 6.3: SSL certificate expiry

    Splunk recently e-mailed customers about the expiry of its SSL certificates.

    The problem looks fairly serious: every instance (forwarders, peer nodes, indexers, master nodes and so on) is affected, and the port 8089 connection between the Deployment Server and its forwarders is also HTTPS, so action has to be taken.

    Splunk offers three fixes: 1) obtain a trusted third-party certificate yourself, which is hard to do on an internal network; 2) use the certificate-renewal script; 3) upgrade to 6.3 or later. On balance, 2) suits an emergency fix, while 3) involves a system upgrade and is the largest change.

    Worse still... the new certificates are valid for 10 years, so the whole exercise comes round again in May 2025.

    Below is the official notice.

    Dear Splunk Customer,

    Product Advisory: Default root certificates for release 6.2 and prior versions of Splunk Enterprise, Splunk Light and Hunk will expire on July 21, 2016.


    Failure to replace the expiring default certificates prior to July 21, 2016 will result in the immediate cessation of network traffic for any connection which uses them.


    Please see the below for recommended actions.

    Note: You are receiving this notification because you are listed as a support contact for your company on an active support contract with Splunk. If you wish to be removed or replaced as a support contact, please email support@splunk.com.

    This article is also posted to Splunk Answers where you can view updates, add comments and read feedback from other Splunk customers.

    Summary


    The default CA SSL certificates shipped with release 6.2 and prior versions (pre-6.3) of Splunk Enterprise, Splunk Light and Hunk will expire on July 21, 2016. If you have configured your Splunk pre-6.3 instances to use the default Splunk Secure Sockets Layer (SSL) certificates, the certificate expiration will have a significant impact for your deployment, and action needs to be taken. See below for additional details on how to check if your deployments are using the default certificates.


    Expiration of Splunk certificates does not affect: 

    1. Splunk Cloud customers.
      1. SSL certificates used for Splunk Cloud instances are not the default Splunk certificates
      2. Forwarder to Splunk Cloud traffic is not impacted, however, relay forwarders (forwarder to forwarder) can be impacted if you chose to use default certificates for this communication.
    2. Splunk instances that do not use SSL – (this is the default configuration for forwarder to indexer communication).
    3. Splunk instances that use certificates that are internally generated (self-signed) or obtained from an external Certificate Authority (CA).


    4. Splunk instances in your configuration that are upgraded to 6.3 or above and use that version’s root certificates.


    Action


    If you have confirmed (see “Assessing Impact” below to find out how) that your Splunk implementation is impacted, you must take action prior to July 21, 2016.

    There are 3 different courses of action you can take:

    1. Recommended Action: Remain at your current Splunk version (pre-6.3) and amend your implementation to no longer use the default SSL certificates. Please note, as a best practice, we strongly recommend that you use certificates signed by a reputable third-party certificate authority.


    While the default certificates will discourage casual snoopers, they could still leave you vulnerable, because the root certificate that ships with Splunk is the same root certificate in every download, and anyone with the same root certificate can authenticate.


    For more information on best practices of securing Splunk with SSL certificates, see:
    Splunk security hardening standards 
    About securing your Splunk configuration with SSL

    2. Remain at your current Splunk version (pre-6.3) and manually upgrade the Splunk default root certificates via the provided shell script.
      The script and readme.txt are available at
      RenewCerts.zip

      Be sure to read the readme.txt included in the zip file before running the script. Ensure careful planning is done prior to upgrading the certificates and test on non-production Splunk instances first.
    3. Upgrade all Splunk instances to 6.3 or higher.


    In 6.3 and higher the default certificates expiration dates are May 2025, at which point you will be required to take action. Again, it is best practice to configure Splunk/SSL with certificates signed by a trusted CA.


    Impact

    Failure to replace the expiring pre-6.3 default certificates prior to July 21, 2016 will result in the immediate cessation of network traffic for any connection which uses them.

    SSL errors will occur in the Splunk logs when the connections fail due to verification failure in SSL handshake. 


    Example error:

    2-25-2016 12:36:44.320 +0000 ERROR TcpInputProc - Error encountered for connection from src=nn.nn.nnnnn:40929. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

    Assessing Impact

    The certificate expiry issue will occur on the following deployments:


    Pre 6.3 Splunk instances (search heads, indexers, license masters, cluster masters, deployers and forwarders) configured to use the original Splunk default certificates.


    The default certificate files are: 


    $SPLUNK_HOME/etc/auth/server.pem 

    $SPLUNK_HOME/etc/auth/cacert.pem

    The valid dates on the default CA certificate can be viewed by the following method:

    $SPLUNK_HOME/bin/splunk cmd openssl x509 -in $SPLUNK_HOME/etc/auth/cacert.pem -text -noout |more

    where you will see:

    Validity

    Not Before: Jul 24 17:12:19 2006 GMT 

    Not After: Jul 21 17:12:19 2016 GMT

    To validate if your deployments are using the default certificates, check the various Splunk config files (outputs.conf/inputs.conf for example) to see if the certificate parameters are set to default certificate files.


    For example, a simple forwarder/indexer scenario might look like the below:
    (See also: Configure Splunk forwarding to use the default certificate)


    Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
    [SSL]
    rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
    serverCert = $SPLUNK_HOME/etc/auth/server.pem
    password = password
    [splunktcp-ssl:9997]
    disabled=0

    Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
    [tcpout]
    defaultGroup = splunkssl
    [tcpout:splunkssl]
    server = 10.1.12.112:9997
    sslVerifyServerCert = false
    sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
    sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = password

    To determine if your forwarders are configured to use SSL, use the following search:


    index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl
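As an added illustration, not part of the advisory and not Splunk's own tooling, the following Python script performs the two offline checks described above: it reads the certificate settings out of inputs.conf/outputs.conf stanzas and flags any that still point at the default cacert.pem/server.pem files, and it parses the "Not After" date from the `openssl x509 -text -noout` output so the expiry can be compared against today's date. The sample stanza and validity line are constructed from the advisory's own example.

```python
import re
from datetime import datetime
# Pre-6.3 default cert files named in the advisory ($SPLUNK_HOME-relative) and the
# inputs.conf / outputs.conf settings that can point at a certificate file.
DEFAULT_CERT_FILES = ("etc/auth/cacert.pem", "etc/auth/server.pem")
CERT_KEYS = ("rootCA", "serverCert", "sslRootCAPath", "sslCertPath")

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; blanks and comments skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def default_cert_refs(conf_text):
    """Return (stanza, key, path) for every cert setting that points at a default file."""
    hits = []
    for stanza, settings in parse_conf(conf_text).items():
        for key in CERT_KEYS:
            path = settings.get(key, "").replace("\\", "/")  # tolerate Windows paths
            if path.endswith(DEFAULT_CERT_FILES):
                hits.append((stanza, key, path))
    return hits

def not_after(x509_text):
    """Parse the 'Not After' line of `openssl x509 -text -noout` output (GMT) to a datetime."""
    m = re.search(r"Not After\s*:\s*([A-Za-z]{3} +\d+ \d\d:\d\d:\d\d \d{4}) GMT", x509_text)
    if not m:
        raise ValueError("no 'Not After' field in certificate text")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
# Constructed samples: the [SSL] stanza of the advisory's indexer inputs.conf and the
# cacert.pem validity line as printed by `splunk cmd openssl x509 -text -noout`.
SAMPLE_INPUTS_CONF = """[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
"""
SAMPLE_X509_TEXT = "            Not After : Jul 21 17:12:19 2016 GMT\n"

if __name__ == "__main__":
    for stanza, key, path in default_cert_refs(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {key} still points at default file {path}")
    print("default CA expires:", not_after(SAMPLE_X509_TEXT))
```

On a real host, feed the script the contents of each etc/system/local and etc/apps/*/local .conf file and the output of the openssl command from the advisory; a non-empty result from default_cert_refs on a pre-6.3 instance means that connection will fail after the expiry date.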

    For additional help and the latest discussions, please see posts on Splunk Answers.


    Thanks and regards,

    Splunk Support Services

    Original post: https://www.cnblogs.com/handt/p/5505541.html