How to configure SSL universal forwarder and receiver?

atixx
New Member

Hey,

I configured an SSL forwarder, but I have this error:

Forwarder error:

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Receiver error:

08-27-2014 09:42:16.327 +0200 ERROR SSLCommon - Can't read certificate file /root/ca/extern/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL context not found. Will not open splunk 2 splunk (SSL) IPv4 port 1000

On the receiver:

/root/ca/extern/:
-rw------- 1 root root 1919 Aug 27 08:25 cacert.pem
-rw------- 1 root root 1751 Aug 27 08:25 splunk3-key.pem

inputs.conf

[splunktcp-ssl://1000]
    compressed = true
    connection_host = 1.1.1.1
    queueSize=1MB
    persistentQueueSize=4GB
    _TCP_ROUTING = splunk3-ad

[SSL]
    password = my_password
    requireClientCert = false
    rootCA = /root/ca/extern/cacert.pem
    serverCert = /root/ca/extern/splunk3-key.pem

On the forwarder:

/root/ca/requests:
-rw-r--r-- 1 root root  960 Aug 27 08:15 splunk3-cert.csr
-rw-r--r-- 1 root root    0 Aug 27 08:16 splunk3-cert.pem
-rw-r--r-- 1 root root 1751 Aug 27 08:12 splunk3-key.pem

outputs.conf

[tcpout]
    backoffOnFailure = 5
    channelReapInterval = 60000
    channelReapLowater = 10
    channelTTL = 60
    compressed = true
    defaultGroup = syslog-ad,file-rweb
    dnsResolutionInterval = 300
    negotiateNewProtocol = true
    readTimeout = 900
    useACK = true
    writeTimeout = 5
    indexAndForward = 0

[tcpout:syslog-ad]
    server = 2.2.2.2:1000
    maxQueueSize = 10MB
    dropEventsOnQueueFull = -1
    sslCertPath = /root/ca/requests/splunk3-key.pem
    sslPassword = my_password
    sslRootCAPath = /root/ca/cacert.pem
    usesslCompression = true
    sslVerifyServerCert = false
    #useClientSSLCompression = true

Does anyone have any ideas?

Thanks

0 Karma

DerekKing
Path Finder

Hi,

I'm not sure on your specific error, but it could be down to missing or incorrectly placed private keys.

Have a look at this wiki, and see if it helps. I'm sure someone more educated than me will be along to help with more specifics soon.

http://wiki.splunk.com/Community:SplunkWeb_SSL_SelfSignedCert_NewRootCA

Regards
Derek

DerekKing
Path Finder

Have you generated the private key on the right server? It looks to me like you generated it on the forwarder?

The key generation should be done on the Indexer I believe.

Derek

0 Karma

atixx
New Member

I tried this:

mkdir mycerts
export OPENSSL_CNF=/opt/splunkforwarder/openssl/openssl.cnf 
cd mycerts/
openssl genrsa -des3 -out myCAKey.key 2048
openssl req -new -key myCAKey.key -out myCACert.csr
openssl x509 -req -in myCACert.csr -signkey myCAKey.key -out myCACert.pem -days 3650
openssl genrsa -des3 -out slk-private.key 2048
openssl rsa -in slk-private.key -out slk-private.key 
openssl rsa -in slk-private.key -text
openssl req -new -key slk-private.key -out slk-Cert.csr 
openssl x509 -req -in slk-Cert.csr -CA myCACert.pem -CAkey myCAKey.key -CAcreateserial -out slk-Cert.pem -days 1095
cat slk-Cert.pem myCACert.pem > slk-conc-Cert.pem 

And in the conf file (outputs), modifying the paths:

sslCertPath = /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem
sslPassword = my_password_no_hash
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/myCACert.pem

Log output / errors:

08-27-2014 11:33:03.403 +0200 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
08-27-2014 11:33:03.403 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Old errors with old certificates:

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

It's better than before, but not working.

0 Karma
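
The `no start line` errors in this thread are logged once for a key-only file read as a certificate (`splunk3-key.pem`) and once for a certificate-only bundle read as a key (`slk-conc-Cert.pem`). As an added example, not code from any poster or from Splunk, this shell check lists the PEM blocks in a file and names the missing one; it assumes the file given as `sslCertPath` or `serverCert` must hold both a certificate and a private key, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which PEM blocks a file holds.
# Assumption: the file named by sslCertPath / serverCert must contain both a
# CERTIFICATE block and a PRIVATE KEY block.

# Print the label of every "-----BEGIN <label>-----" line in file $1.
pem_blocks() {
    sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----[[:space:]]*$/\1/p' "$1"
}

# Print a one-word verdict for file $1; return 0 only when both kinds exist.
check_ssl_cert_file() {
    if [ ! -s "$1" ]; then echo "empty-or-missing"; return 1; fi
    blocks=$(pem_blocks "$1")
    certs=$(printf '%s\n' "$blocks" | grep -c '^CERTIFICATE$' || true)
    keys=$(printf '%s\n' "$blocks" | grep -c 'PRIVATE KEY$' || true)
    if [ "$certs" -eq 0 ] && [ "$keys" -eq 0 ]; then echo "no-pem-blocks"; return 1; fi
    if [ "$certs" -eq 0 ]; then echo "no-certificate"; return 1; fi
    if [ "$keys" -eq 0 ]; then echo "no-private-key"; return 1; fi
    echo "ok"
}

# Emit one constructed PEM block with a dummy body (not a real key or cert).
pem_block() {
    printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}

# Build constructed files shaped like the ones in the thread and check each.
demo() {
    d=$(mktemp -d)
    pem_block 'RSA PRIVATE KEY' > "$d/key-only.pem"      # like splunk3-key.pem
    : > "$d/empty.pem"                                   # like the 0-byte splunk3-cert.pem
    { pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$d/certs-only.pem"   # like slk-conc-Cert.pem
    { pem_block CERTIFICATE; pem_block 'RSA PRIVATE KEY'; pem_block CERTIFICATE; } > "$d/combined.pem"
    for f in key-only empty certs-only combined; do
        printf '%-16s %s\n' "$f.pem" "$(check_ssl_cert_file "$d/$f.pem")"
    done
    rm -rf "$d"
}
demo
```

On a real host, point `check_ssl_cert_file` at the path configured in outputs.conf or inputs.conf before restarting the forwarder or receiver.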