Workaround for SSL configuration for users of Firefox 3
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Workaround for SSL configuration for users of Firefox 3
Caution: The workaround described in this topic is not to be used in high-security environments, or any install that uses custom SSL certs. Custom SSL certificates are the only way to solve this issue in a security-conscious manner.
Background
Firefox 3 tightened its security defaults to deny any SSL certificates that are mismatched. By default, Splunk uses a self-signed SSL certificate with the following details:
- Issuer (signing authority): CN=SplunkCommonCA, O=Splunk
- Issued to: CN=SplunkServerDefaultCert, O=SplunkUser
Since SplunkCommonCA is not a trusted CA (like Verisign, Thawte, etc.) and 'SplunkCerverDefaultCert' does not equal 'localhost', this is enough to trigger the security exception.
By adding the Splunk certificate to your browser's exception list, you are asserting that you trust this certificate/hostname combination.
Symptoms
This applies to environments that satisfy all of the following prerequisites:
1. Browsing via Firefox 3
2. Accessing Splunk version 3.2+
3. splunkd is set in server.conf to have enableSplunkdSSL=true
4. Hitting the splunkd management port directly from the browser, i.e. https://localhost:8089/services
- OR -
1. Browsing via Firefox 3
2. Accessing Splunk version 3.0+
3. splunkweb is set in web.conf to have enableSplunkWebSSL=true
4. Hitting Splunk Web from the browser, for example: https://localhost:8000
When accessing the splunkd REST endpoints or SSL-enabled Splunk Web via Firefox 3, the browser returns with an 'invalid security exception' message. There are 2 manifestations of this error message:
Message A:
Message B:
Workaround
Caution: This workaround is not to be used in high-security environments, or any install that uses custom SSL certs. Custom SSL certificates are the only way to solve this issue in a security-conscious manner.
If your error message is like Message B, then you can skip to step 2.
1. Open the Certificate Manager
- Click the 'Firefox' menu.
- Select the 'Preferences' menu item.
- Click the 'Advanced' tab.
- Click the 'Encryption' tab.
- Click the 'View Certificates' button.
2. Add your splunkd certificate to the certificate exceptions
- Click the 'servers' tab
- Click the 'Add Exception...' button
- Copy/paste or type in the full URI of your
splunkd server, for example, https://localhost:8089 - Click the 'Get Certificate' button (at this point, the certificate status page should show some info about the certificate).
- Click the 'Confirm Security Exception' button (You should now be back on the servers tab, with a new Splunk certificate listed).
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.