Splunk < 6.3: SSL certificate expiry


The problem looks fairly serious, because every instance, including forwarders, peer nodes, indexers, master nodes and so on, is affected, and the port 8089 connection between the Deployment Server and the forwarders is HTTPS as well, so action has to be taken.





Dear Splunk Customer,

Product Advisory: Default root certificates for release 6.2 and prior versions of Splunk Enterprise, Splunk Light and Hunk will expire on July 21, 2016.



Failure to replace the expiring default certificates prior to July 21, 2016 will result in the immediate cessation of network traffic for any connection which uses them.



Please see below for recommended actions.


Note: You are receiving this notification because you are listed as a support contact for your company on an active support contract with Splunk. If you wish to be removed or replaced as a support contact, please email support@splunk.com.


This article is also posted to Splunk Answers where you can view updates, add comments and read feedback from other Splunk customers.



The default CA SSL certificates shipped with release 6.2 and prior versions (pre-6.3) of Splunk Enterprise, Splunk Light and Hunk will expire on July 21, 2016. If you have configured your Splunk pre-6.3 instances to use the default Splunk Secure Sockets Layer (SSL) certificates, the certificate expiration will have a significant impact for your deployment, and action needs to be taken. See below for additional details on how to check if your deployments are using the default certificates.



Expiration of Splunk certificates does not affect: 

  1. Splunk Cloud customers.
    1. SSL certificates used for Splunk Cloud instances are not the default Splunk certificates.
    2. Forwarder to Splunk Cloud traffic is not impacted; however, relay forwarders (forwarder to forwarder) can be impacted if you chose to use default certificates for this communication.
  2. Splunk instances that do not use SSL (this is the default configuration for forwarder to indexer communication).
  3. Splunk instances that use certificates that are internally generated (self-signed) or obtained from an external Certificate Authority (CA).
  4. Splunk instances in your configuration that are upgraded to 6.3 or above and use that version's root certificates.


If you have confirmed (see “Assessing Impact” below to find out how) that your Splunk implementation is impacted, you must take action prior to July 21, 2016.

There are 3 different courses of action you can take:

  1. Recommended Action: Remain at your current Splunk version (pre-6.3) and amend your implementation to no longer use the default SSL certificates. Please note, as a best practice, we strongly recommend that you use certificates signed by a reputable third-party certificate authority.

While the default certificates will discourage casual snoopers, they could still leave you vulnerable, because the root certificate that ships with Splunk is the same root certificate in every download, and anyone with the same root certificate can authenticate.

For more information on best practices of securing Splunk with SSL certificates, see:
Splunk security hardening standards 
About securing your Splunk configuration with SSL

  2. Remain at your current Splunk version (pre-6.3) and manually upgrade the Splunk default root certificates via the provided shell script.
    The script and readme.txt are available at

    Be sure to read the readme.txt included in the zip file before running the script. Ensure careful planning is done prior to upgrading the certificates and test on non-production Splunk instances first.
  3. Upgrade all Splunk instances to 6.3 or higher.

In 6.3 and higher, the default certificates expire in May 2025, at which point you will again be required to take action. As before, it is best practice to configure Splunk/SSL with certificates signed by a trusted CA.




Failure to replace the expiring pre-6.3 default certificates prior to July 21, 2016 will result in the immediate cessation of network traffic for any connection which uses them.


SSL errors will appear in the Splunk logs when connections fail because certificate verification fails during the SSL handshake. 

Example error:

2-25-2016 12:36:44.320 +0000 ERROR TcpInputProc - Error encountered for connection from src=nn.nn.nnnnn:40929. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired


Assessing Impact


The certificate expiry issue will occur on the following deployments:

Pre-6.3 Splunk instances (search heads, indexers, license masters, cluster masters, deployers and forwarders) configured to use the original Splunk default certificates.


The default certificate files are: 





The validity dates of the default CA certificate can be viewed with the following command:


$SPLUNK_HOME/bin/splunk cmd openssl x509 -in $SPLUNK_HOME/etc/auth/cacert.pem -text -noout |more


where you will see:



Not Before: Jul 24 17:12:19 2006 GMT 

Not After: Jul 21 17:12:19 2016 GMT


To validate whether your deployments are using the default certificates, check the various Splunk config files (outputs.conf and inputs.conf, for example) to see if the certificate parameters point at the default certificate files.



For example, a simple forwarder/indexer scenario might look like the below:
(See also: Configure Splunk forwarding to use the default certificate)



Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf

[SSL]
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = password




Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server =
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
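The two checks above, scripted as an added example that is not part of the advisory: scanning a .conf file for certificate settings that point at the default cacert.pem/server.pem, and parsing the openssl validity lines to tell whether the CA has already expired on a given date. The sample outputs.conf text and the openssl output lines are constructed, not taken from a live host.

```python
# Added example, not from the advisory: scan a Splunk .conf for settings that point
# at the shipped default certificate files, and parse `openssl x509 -text -noout`
# output for the CA's validity window. All sample input below is constructed.
import re
from datetime import datetime, timezone
DEFAULT_CERT_FILES = ("etc/auth/cacert.pem", "etc/auth/server.pem")
CERT_KEYS = ("rootCA", "serverCert", "sslRootCAPath", "sslCertPath")
# Constructed forwarder outputs.conf that still uses the default certificates.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
sslVerifyServerCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
"""
# Constructed lines as printed by `splunk cmd openssl x509 -in cacert.pem -text -noout`.
SAMPLE_X509_TEXT = """\
            Not Before: Jul 24 17:12:19 2006 GMT
            Not After : Jul 21 17:12:19 2016 GMT
"""

def default_cert_settings(conf_text):
    """Return (key, value) pairs whose value points at a default certificate file."""
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue  # blank line, comment or stanza header
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().replace("\\", "/")
        if sep and key in CERT_KEYS and value.endswith(DEFAULT_CERT_FILES):
            hits.append((key, value))
    return hits

def validity_window(x509_text):
    """Parse the 'Not Before' / 'Not After' lines into UTC datetimes."""
    window = {}
    for label in ("Not Before", "Not After"):
        m = re.search(label + r"\s*:\s*(.+?)\s*$", x509_text, re.MULTILINE)
        if not m:
            raise ValueError("no '%s' line in openssl output" % label)
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
        window[label] = stamp.replace(tzinfo=timezone.utc)
    return window

def expired(x509_text, as_of):
    """True if the CA's 'Not After' has passed on the given UTC date (YYYY-MM-DD)."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now >= validity_window(x509_text)["Not After"]
```

Windows paths are normalised to forward slashes before matching, so a forwarder on Windows that references ...\etc\auth\server.pem is reported as well.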


To determine if your forwarders are configured to use SSL, use the following search:



index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl


For additional help and the latest discussions, please see posts on Splunk Answers.



Thanks and regards,

Splunk Support Services


Posted 2016-05-18 15:53 by handt