Update or renew SSL certificates for Nginx or RabbitMQ

Secure Sockets Layer (SSL) certificates are automatically updated when you upgrade Splunk SOAR (On-premises) to a new release. In some cases, such as a certificate that will expire before your next upgrade, you may need to manually update the certificates for Nginx or RabbitMQ on your Splunk SOAR (On-premises) deployment.

Clustered deployments of Splunk SOAR (On-premises) require RabbitMQ for internode coordination. Single instance deployments do not.

You can use the update_certificates management command to check the status of, and manually update, the SSL certificates for Nginx and RabbitMQ.

Note: The following instructions refer to the self-signed SSL certificates shipped with Splunk SOAR (On-premises). If you want to use custom certificates, see Add, remove, or replace certificates from the Splunk SOAR (On-premises) certificate store for more information.

Updating the SSL certificates

To update the SSL certificates for your Splunk SOAR (On-premises) deployment, follow these steps:

  1. Connect to your Splunk SOAR (On-premises) deployment using SSH.
  2. Change directory to <PHANTOM_HOME>/bin.
  3. Check the status of your Splunk SOAR (On-premises) SSL certificates.
    CODE
    phenv update_certificates status
  4. Stop Splunk SOAR (On-premises) services. In a clustered deployment, do this on each cluster node.
    CODE
    ./stop_phantom.sh
  5. Start pgbouncer. In a clustered deployment, do this on each cluster node.
    CODE
    ./phsvc start pgbouncer
  6. Update the desired certificates. In a clustered deployment, do this on the primary cluster node.
    CODE
    phenv update_certificates refresh --scope <scope> --verbosity 3
  7. (Conditional) In a clustered deployment, update the certificates on each other node.
    CODE
    phenv update_certificates refresh --scope <scope> --skip-ca
  8. Start Splunk SOAR (On-premises) services. In a clustered deployment, do this on each cluster node, one at a time.
    CODE
    ./start_phantom.sh
Note: This process applies only to the default Splunk SOAR (On-premises) self-signed certificates. A refreshed certificate is a new certificate with a new fingerprint, so any client or integration that trusts the Nginx certificate by fingerprint must be updated to trust the refreshed one.
Note: When updating the certificates used by RabbitMQ, stop all cluster nodes before refreshing the certificates, and refresh the certificates on every node before starting any of them. Start the node that you shut down last first, and use the --skip-ca option on every node except the first one.
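The clustered procedure above, scripted end to end as an added example. This script is not part of Splunk SOAR; it assumes each node is reachable over SSH as the phantom user, that PHANTOM_HOME is /opt/phantom, and that secondary nodes are stopped before the primary so the primary (the node refreshed without --skip-ca) is the first node started again. The node names and the "run" argument are this example's own.

```shell
#!/bin/sh
# Added example, not Splunk SOAR tooling: run the refresh procedure above across a
# cluster over SSH. Assumptions not taken from the page: nodes are reachable by
# SSH as $SSH_USER (default "phantom"), PHANTOM_HOME defaults to /opt/phantom, and
# secondaries are stopped first and the primary last, so the primary (the node
# refreshed without --skip-ca) is the first node started again.
set -eu

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
SSH_USER="${SSH_USER:-phantom}"

# stop_order PRIMARY "SECONDARIES" -> secondaries first, primary last
stop_order() {
  printf '%s %s\n' "$2" "$1" | tr -s ' ' | sed 's/^ //; s/ $//'
}

# start_order PRIMARY "SECONDARIES" -> the reverse: the node stopped last starts first
start_order() {
  printf '%s %s\n' "$1" "$2" | tr -s ' ' | sed 's/^ //; s/ $//'
}

# refresh_cmd NODE PRIMARY SCOPE -> the update_certificates invocation for NODE.
# Only the primary fetches CA information; every other node passes --skip-ca.
refresh_cmd() {
  node=$1; primary=$2; scope=$3
  if [ "$node" = "$primary" ]; then
    echo "phenv update_certificates --no-prompt refresh --scope $scope --verbosity 3"
  else
    echo "phenv update_certificates --no-prompt refresh --scope $scope --skip-ca"
  fi
}

# run_on NODE COMMAND... -> run COMMAND from PHANTOM_HOME/bin on NODE
run_on() {
  node=$1; shift
  echo ">> $node: $*"
  ssh -o BatchMode=yes "$SSH_USER@$node" "cd '$PHANTOM_HOME/bin' && $*"
}

# refresh_cluster PRIMARY "SECONDARIES" SCOPE -> the numbered steps, in order
refresh_cluster() {
  primary=$1; secondaries=$2; scope=$3

  # Step 3: record the state before touching anything.
  run_on "$primary" phenv update_certificates --no-color status

  # Steps 4-5: stop every node and bring pgbouncer back on each. For the rabbitmq
  # scope, all nodes must be down before any certificate is refreshed.
  for node in $(stop_order "$primary" "$secondaries"); do
    run_on "$node" ./stop_phantom.sh
    run_on "$node" ./phsvc start pgbouncer
  done

  # Steps 6-7: refresh on the primary first, then on the others with --skip-ca.
  for node in $(start_order "$primary" "$secondaries"); do
    run_on "$node" "$(refresh_cmd "$node" "$primary" "$scope")"
  done

  # Step 8: start nodes one at a time, the node stopped last going first.
  for node in $(start_order "$primary" "$secondaries"); do
    run_on "$node" ./start_phantom.sh
  done

  run_on "$primary" phenv update_certificates --no-color status
}

# Usage: PRIMARY=soar1 SECONDARIES="soar2 soar3" SCOPE=rabbitmq sh refresh_soar_certs.sh run
if [ "${1:-}" = "run" ]; then
  refresh_cluster "${PRIMARY:?set PRIMARY to the primary node}" "${SECONDARIES:-}" "${SCOPE:-all}"
fi
```

The script only acts when given the "run" argument, so it can be sourced to reuse the ordering helpers. Because set -e is on, a failed stop, refresh or start on any node aborts the run before later nodes are touched, which is what you want for the RabbitMQ scope: a partially refreshed cluster must not be started.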

update_certificates tool options and examples

This table lists the arguments for the management command update_certificates.

Note: The optional arguments can be placed anywhere after phenv update_certificates. For example, phenv update_certificates --no-color status.
Argument Description
-h, --help Show the help text, then exit.
--scope {nginx, glusterfs, all, rabbitmq} Set the scope of the certificates that this command will affect. If no scope is specified, the default is all.
  • all
  • nginx
  • rabbitmq
Note: glusterfs is not currently supported.
--no-prompt Set the tool to run without prompting the user for input.
--skip-ca Set the tool to run without getting certificate authority information.
-v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level:
  • 0 for minimal output
  • 1 for normal output
  • 2 for verbose output
  • 3 for very verbose output
--no-color Don't colorize the command output. This changes the output to also include the log levels DEBUG, INFO, WARNING, or ERROR.
--skip-checks Skip system checks.
Positional Argument Description
refresh Refresh the expiration dates of the specified scope of SSL certificates.
status Output the status of the specified scope of SSL certificates.

Check the status of Splunk SOAR (On-premises) certificates

You can check the status of your Splunk SOAR (On-premises) SSL certificates.

CODE
phenv update_certificates status

For a standalone system, the output looks similar to the following:

CODE
Fetching certificate status for nginx

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: May 20 2027 at 08:50 AM

For a system with clusters, the output looks similar to the following:

CODE
Fetching certificate status for nginx, rabbitmq, and glusterfs

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: Mar 10 2027 at 07:32 PM

RabbitMQ ca certificate:
  Subject: CN=PhantomRabbitCA
  Valid until: Dec 04 2032 at 07:58 PM

RabbitMQ server certificate:
  Subject: O=server,CN=10.1.19.113
  Valid until: Dec 04 2032 at 07:58 PM

RabbitMQ client certificate:
  Subject: O=client,CN=10.1.19.113
  Valid until: Dec 04 2032 at 07:58 PM

RabbitMQ on port 5671 (LIVE):
  Subject: CN = 10.1.19.113, O = server
  Valid until: Dec  4 19:58:23 2032 GMT

GlusterFS ca/server certificate:
  Subject: OU=Gluster,O=Phantom,ST=CA,CN=US
  Valid until: Dec 04 2032 at 07:52 PM
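An independent cross-check of the same certificates using only openssl, as an added example that is not Splunk's tooling. The Nginx certificate path comes from the refresh output later on this page and port 5671 from the status output above; the host, the 30-day warning threshold, the "run" argument and the OK/EXPIRING/EXPIRED/MISSING/INVALID status words are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Splunk SOAR tooling: cross-check certificate expiry with
# openssl alone, independently of `phenv update_certificates status`. The nginx
# certificate path is the one shown in this page's refresh output and 5671 is the
# RabbitMQ TLS port shown in the status output; the host, WARN_DAYS and the
# OK/EXPIRING/EXPIRED/MISSING/INVALID vocabulary are assumptions of this example.
set -u

NGINX_CERT="${NGINX_CERT:-/opt/phantom/etc/ssl/certs/httpd_cert.crt}"
RABBIT_HOST="${RABBIT_HOST:-127.0.0.1}"
RABBIT_PORT="${RABBIT_PORT:-5671}"
WARN_DAYS="${WARN_DAYS:-30}"

# check_pem_file FILE DAYS -> prints OK, EXPIRING (expires within DAYS), EXPIRED,
# MISSING or INVALID; returns 0 only for OK, so it can gate a maintenance window.
check_pem_file() {
  file=$1; days=$2
  [ -r "$file" ] || { echo MISSING; return 2; }
  openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo INVALID; return 2; }
  # -checkend N succeeds only if the certificate is still valid N seconds from now
  openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1 || { echo EXPIRED; return 1; }
  openssl x509 -in "$file" -noout -checkend "$((days * 86400))" >/dev/null 2>&1 \
    || { echo EXPIRING; return 1; }
  echo OK
}

# fetch_live_cert HOST PORT -> PEM of the certificate a TLS listener actually
# presents (what update_certificates reports as "LIVE"); non-zero if unreachable.
fetch_live_cert() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
}

# describe FILE -> subject and notAfter, indented for the report
describe() {
  openssl x509 -in "$1" -noout -subject -enddate 2>/dev/null | sed 's/^/    /'
}

report() {
  rc=0
  printf 'nginx %s: ' "$NGINX_CERT"
  check_pem_file "$NGINX_CERT" "$WARN_DAYS" || rc=1
  describe "$NGINX_CERT"

  live=$(mktemp)
  if fetch_live_cert "$RABBIT_HOST" "$RABBIT_PORT" > "$live" && [ -s "$live" ]; then
    printf 'rabbitmq %s:%s (live): ' "$RABBIT_HOST" "$RABBIT_PORT"
    check_pem_file "$live" "$WARN_DAYS" || rc=1
    describe "$live"
  else
    # Expected on a single-instance deployment, which does not run RabbitMQ.
    echo "rabbitmq $RABBIT_HOST:$RABBIT_PORT: no TLS listener reachable"
  fi
  rm -f "$live"
  return $rc
}

# Usage: sh check_soar_certs.sh run   (exit status 0 only when every certificate is OK)
if [ "${1:-}" = "run" ]; then
  report
fi
```

Checking the live listener as well as the file on disk catches the case the status output above distinguishes with "(LIVE)": a refreshed certificate file that a still-running RabbitMQ has not picked up. A listener that requires a client certificate may close the connection after the handshake, but the server certificate has already been sent by then, so the check still works.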

Update the expiration date of Splunk SOAR (On-premises) certificates

This example updates the expiration date of the nginx SSL certificate on a single-instance deployment of Splunk SOAR (On-premises).

CODE
phenv update_certificates --skip-ca -v 2 refresh
CODE
Refreshing the following certificates: nginx
Shell command: openssl x509 -in /opt/phantom/etc/ssl/certs/httpd_cert.crt -pubkey -noout
b'-----BEGIN PUBLIC KEY-----'
KEY SIGNATURE APPEARS HERE
b'-----END PUBLIC KEY-----'
Command: /opt/phantom/bin/phsvc restart nginx
Shell command: /opt/phantom/bin/phsvc restart nginx
Stopping NGINX: [  OK  ]
Starting NGINX: [  OK  ]

Nginx certificate refreshed:
Loading cert from /opt/phantom/etc/ssl/certs/httpd_cert.crt

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: Apr 14 2025 at 07:11 PM

All done!