Getting Data In

How to resolve "ssl23_get_client_hello unknown protocol" error on indexer and "TcpOutputFd Read error" on forwarder?


Hello guys,

I'm using this on deployment-apps (universal forwarder deployment) :

defaultGroup = default-autolb-group

server = indexer:9997

sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false

I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default splunk cert) ?

If I use the correct cacert pass, I get ssl23_get_client_hello unknown protocol on indexer and TcpOutputFd Read error on forwarder.

Thanks for your clarification.

0 Karma

Esteemed Legend

Hi realsplunk,
sorry for this detail:
the steps you have to do are:

  • insert correct password in inputs.conf (verify where is the inputs.conf file where there is sslPassword: $SPLUNK_HOME/etc/system/local) on your indexers;
  • restart indexers, password will be encrypted
  • insert correct password in inputs.conf in your TA (in local directory);
  • restart forwarder, password will be encrypted

If you insert outputs.conf in default directory, password will be encrypted in local directory and not encripted in default directory.

0 Karma


So why at we have :

sslPassword =
The password associated with the CAcert.
The default Splunk CAcert uses the password "password".
There is no default value.*

Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...