I am working on adding SSL on forwarders with self signed certificates.
Here is the /etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997
compressed = true
[tcpout-server://xx.xx.x.xxx:9997]
sslRootCAPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myCACertificate.pem
sslCertPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem
sslPassword = <encrypted pass>
Here is the working /etc/system/local/outputs.conf before starting the SSL process.
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = xx.xx.x.xxx:9997
[tcpout-server://xx.xx.x.xxx:9997]
Also made the following changes to etc/system/local/server.conf
[sslConfig]
allowSslCompression = false
allowSslRenegotiation = false
sslKeysfilePassword = <encrypted pass>
sslVersions = tls1.1, tls1.2
sslVersionsForClient = tls1.1, tls1.2
caPath = C:\"Program Files"\SplunkUniversalForwarder\etc\certs
I enabled debug in the splunkd log and pulled out what I believe to be relevant lines.
DEBUG TcpOutputProc - Key file password requires decrypting
DEBUG TcpOutputProc - A value for 'sslVersions' is not present, defaulting to SSL3 and above
ERROR SSLCommon - Can't read certificate file C:\"Program Files"\SplunkUniversalForwarder\etc\certs\myNewServerCertificate.pem errno=33558651 error:0200107B:system library:fopen:Unknown error
Alright, found the problem myself. Even if it's a Windows system, you are not allowed to escape the path (using " "). So in OP's case he would need to modify his path from:
C:\"Program Files"\SplunkUniversalForwarder\etc\certs
to:
C:\Program Files\SplunkUniversalForwarder\etc\certs
We had another problem after this but that was another point.
Skalli
P.S.: Just make sure if you use useClientSSLCompression in your outputs.conf, it also must be specified in your inputs.conf (compression = true) on the receiving end or no connection will be possible. That was the following problem.
Hi, we got the same error message saying:
ERROR SSLCommon - Can't read certificate file "C:\Program Files\SplunkUniversalForwarder\etc\auth\complete_server_client_cert.pem" errno=33558651 error:0200107B:system library:fopen:Unknown error
What is the correct way to determine the path to sslCertPath and sslRootCAPath? Can't find any solution in the web.
Our universal forwarder is trying to forward data to a heavy forwarder. Without ssl being enabled, this just works fine.
Anyone got an idea?
Skalli