I am working on adding SSL on forwarders with self signed certificates.
Here is the /etc/system/local/outputs.conf
[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = xx.xx.x.xxx:9997 compressed = true [tcpout-server://xx.xx.x.xxx:9997] sslRootCAPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myCACertificate.pem sslCertPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem sslPassword = <encrypted pass>
Here is the working /etc/system/local/outputs.conf before starting the SSL process.
[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = xx.xx.x.xxx:9997 [tcpout-server://xx.xx.x.xxx:9997]
Also made the following changes to etc/system/local/server.conf
[sslConfig] allowSslCompression = false allowSslRenegotiation = false sslKeysfilePassword = <encrypted pass> sslVersions = tls1.1, tls1.2 sslVersionsForClient = tls1.1, tls1.2 caPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs
I enabled debug in the splunkd log and pulled out what I believe to be relevant lines.
DEBUG TcpOutputProc - Key file password requires decrypting DEBUG TcpOutputProc - A value for 'sslVersions' is not present, defaulting to SSL3 and above ERROR SSLCommon - Can't read certificate file C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem errno=33558651 error:0200107B:system library:fopen:Unknown error
Hi, we got the same error message saying:
ERROR SSLCommon - Can't read certificate file "C:\Program Files\SplunkUniversalForwarder\etc\auth\complete_server_client_cert.pem" errno=33558651 error:0200107B:system library:fopen:Unknown error
What is the correct way to determine the path to sslCertPath and sslRootCAPath? Can't find any solution in the web.
Our universal forwarder is trying to forward data to a heavy forwarder. Without ssl being enabled, this just works fine.
Anyone got an idea?
Alright, found the problem myself. Even if it's a Windows system, you are not allowed to escape the path (using " "). So in OP's case he would need to modify his path from:
We had another problem after this but that was another point.
P.S.: Just make sure if you use useClientSSLCompression in your outputs.conf, it also must be specified in your inputs.conf (compression = true) on the receiving end or no connection will be possible. That was the following problem.