Update or renew SSL certificates for Nginx, RabbitMQ, or Consul
Secure Sockets Layer (SSL) certificates are automatically updated when you upgrade Splunk SOAR (On-premises) to a new release. In some cases, you may need to manually update the certificates for Nginx, RabbitMQ, or Consul on your Splunk SOAR (On-premises) deployment.
Clustered deployments of Splunk SOAR (On-premises) require RabbitMQ and Consul for internode coordination. Single instance deployments do not.
A management command, update_certificates, can be used to check the status of, and manually update, SSL certificates for Nginx, RabbitMQ, and Consul.
Updating the SSL certificates
To update the SSL certificates for your Splunk SOAR (On-premises) deployment, follow these steps:
- Connect to your Splunk SOAR (On-premises) deployment using SSH.
- Change directory to <PHANTOM_HOME>/bin.
- Check the status of your Splunk SOAR (On-premises) SSL certificates.
  phenv update_certificates status
- Stop Splunk SOAR (On-premises) services. In a clustered deployment, do this on each cluster node.
  ./stop_phantom.sh
- Start pgbouncer. In a clustered deployment, do this on each cluster node.
  ./phsvc start pgbouncer
- Update the desired certificates. In a clustered deployment, do this on the primary cluster node.
  phenv update_certificates refresh --scope <scope> --verbosity 3
- (Conditional) In a clustered deployment, update the certificates on each other node.
  phenv update_certificates refresh --scope <scope> --skip-ca
- Start Splunk SOAR (On-premises) services. In a clustered deployment, do this on each cluster node, one at a time.
  ./start_phantom.sh
Note: Use the --skip-ca option for all the nodes except the first one.
update_certificates tool options and examples
This table lists the arguments for the management command update_certificates, which is run as phenv update_certificates. For example, phenv update_certificates --no-color status.

Argument | Description |
---|---|
-h, --help | Show the help text, then exit. |
--scope {nginx, glusterfs, all, consul_and_rabbitmq} | Set the scope of the certificates that this command will affect. If no scope is specified, the default is all. Note: glusterfs is not currently supported. |
--no-prompt | Set the tool to run without prompting the user for input. |
--skip-ca | Set the tool to run without getting certificate authority information. |
-v {0,1,2,3}, --verbosity {0,1,2,3} | Verbosity level: |
--no-color | Don't colorize the command output. This changes the output to also include the log levels DEBUG, INFO, WARNING, or ERROR. |
--skip-checks | Skip system checks. |

Positional Argument | Description |
---|---|
refresh | Refresh the expiration dates of the specified scope of SSL certificates. |
status | Output the status of the specified scope of SSL certificates. |
Check the status of Splunk SOAR (On-premises) certificates
You can check the status of your Splunk SOAR (On-premises) SSL certificates.
phenv update_certificates status
For a standalone system, the output looks similar to the following:
Fetching certificate status for nginx
Nginx ssl certificate:
Subject: CN=phantom
Valid until: May 20 2025 at 08:50 AM
For a system with clusters, the output looks similar to the following:
Fetching certificate status for nginx, consul_and_rabbitmq, and glusterfs
Nginx ssl certificate:
Subject: CN=phantom
Valid until: Mar 10 2025 at 07:32 PM
Consul & RabbitMQ ca certificate:
Subject: CN=PhantomRabbitCA
Valid until: Dec 04 2032 at 07:58 PM
Consul & RabbitMQ server certificate:
Subject: O=server,CN=10.1.19.113
Valid until: Dec 04 2032 at 07:58 PM
Consul & RabbitMQ client certificate:
Subject: O=client,CN=10.1.19.113
Valid until: Dec 04 2032 at 07:58 PM
Consul on port 8501 (LIVE):
Subject: CN = 10.1.19.113, O = server
Valid until: Dec 4 19:58:23 2032 GMT
RabbitMQ on port 5671 (LIVE):
Subject: CN = 10.1.19.113, O = server
Valid until: Dec 4 19:58:23 2032 GMT
GlusterFS ca/server certificate:
Subject: OU=Gluster,O=Phantom,ST=CA,CN=US
Valid until: Dec 04 2032 at 07:52 PM
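The status output above mixes two "Valid until" date layouts, one for the certificate entries and one for the (LIVE) port entries, which matters if you want to alert on upcoming expiry. The following is an added example, not part of the Splunk SOAR tooling: a Python sketch that parses status text in the layout shown and lists certificates that are expired or expire within a warning window. The function names, the 30-day default, and the assumption that real output matches this layout exactly are illustrative.

```python
import sys
from datetime import datetime

# Sample input: lines taken from the cluster output shown above.
SAMPLE = """\
Fetching certificate status for nginx, consul_and_rabbitmq, and glusterfs
Nginx ssl certificate:
Subject: CN=phantom
Valid until: Mar 10 2025 at 07:32 PM
Consul on port 8501 (LIVE):
Subject: CN = 10.1.19.113, O = server
Valid until: Dec 4 19:58:23 2032 GMT
"""

# The two "Valid until" layouts in the output: certificate entries, (LIVE) ports.
DATE_FORMATS = ("%b %d %Y at %I:%M %p", "%b %d %H:%M:%S %Y GMT")

def parse_expiry(text):
    """Parse either date layout; fail loudly on anything unrecognized."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized expiry date: {text!r}")

def parse_status(output):
    """Return [(label, subject, expiry)], one entry per certificate block."""
    certs, label, subject = [], None, None
    for line in map(str.strip, output.splitlines()):
        if line.startswith("Subject:"):
            subject = line.split(":", 1)[1].strip()
        elif line.startswith("Valid until:"):
            certs.append((label, subject, parse_expiry(line.split(":", 1)[1])))
        elif line.endswith(":"):
            label = line[:-1]  # block heading, e.g. "Nginx ssl certificate"
    return certs

def expiring(certs, now, warn_days=30):
    """(label, days_left) for certs expired or within warn_days, soonest first.
    Time zones are ignored (assumption), so days_left can be off by one."""
    left = [(label, (expiry - now).days) for label, _, expiry in certs]
    return sorted((c for c in left if c[1] < warn_days), key=lambda c: c[1])

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    flagged = expiring(parse_status(text), datetime.now())
    for label, days in flagged:
        print(f"{label}: {days} days left")
    sys.exit(1 if flagged else 0)  # non-zero exit lets a scheduler alert
```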
Update the expiration date of Splunk SOAR (On-premises) certificates
This example updates the expiration date of the nginx SSL certificate on a single-instance deployment of Splunk SOAR (On-premises).
phenv update_certificates --skip-ca -v 2 refresh
Refreshing the following certificates: nginx
Shell command: openssl x509 -in /opt/phantom/etc/ssl/certs/httpd_cert.crt -pubkey -noout
b'-----BEGIN PUBLIC KEY-----'
KEY SIGNATURE APPEARS HERE
b'-----END PUBLIC KEY-----'
Command: /opt/phantom/bin/phsvc restart nginx
Shell command: /opt/phantom/bin/phsvc restart nginx
Stopping NGINX: [ OK ]
Starting NGINX: [ OK ]
Nginx certificate refreshed:
Loading cert from /opt/phantom/etc/ssl/certs/httpd_cert.crt
Nginx ssl certificate:
Subject: CN=phantom
Valid until: Apr 14 2025 at 07:11 PM
All done!