Deployment Architecture

When ‘requireClientCert = true’ , is set in server.conf, unable to run "splunk reload deploy-server" or "splunk reload auth"

Splunk Employee
Splunk Employee

on splunk server have following set up

server.conf

[sslConfig]
requireClientCert = true

Unable to run: splunk reload deploy-server or splunk reload auth
other CLI commands work okay

Error encountered:

Couldn't request server info: Couldn't complete HTTP request: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
0 Karma
1 Solution

Splunk Employee
Splunk Employee

SSL issue specifically occurs when Splunk CLI needs to login, so can get round it by running another CLI command and logging in, then running splunk reload deploy-server

e.g something like :

$splunk list licenses
Your session is invalid.  Please login.
Splunk username: admin
Password:

Then run:

$splunk reload deploy-server
Reloading serverclass(es).

A more permanent way round this is available in 6.4.4 and due in 6.5.1

Requires additional settings in server.conf, to open an additional non-SSL HTTP REST port, bound to the localhost, and therefore not accessible from outside the machine. Port needs to be a higher number than management port. CLI will then use this local port for communication (non-ssl, but local only) and error no longer occurs

For example:

server.conf

[httpServerListener:127.0.0.1:8090] 
ssl=false

View solution in original post

Splunk Employee
Splunk Employee

SSL issue specifically occurs when Splunk CLI needs to login, so can get round it by running another CLI command and logging in, then running splunk reload deploy-server

e.g something like :

$splunk list licenses
Your session is invalid.  Please login.
Splunk username: admin
Password:

Then run:

$splunk reload deploy-server
Reloading serverclass(es).

A more permanent way round this is available in 6.4.4 and due in 6.5.1

Requires additional settings in server.conf, to open an additional non-SSL HTTP REST port, bound to the localhost, and therefore not accessible from outside the machine. Port needs to be a higher number than management port. CLI will then use this local port for communication (non-ssl, but local only) and error no longer occurs

For example:

server.conf

[httpServerListener:127.0.0.1:8090] 
ssl=false

View solution in original post