How to troubleshoot why 1 indexer in a Splunk indexer cluster crashed and won't restart with a "Bad Decrypt" error?

basher590
Engager

Hi,

I have inherited a clustered Splunk setup and I noticed that 1 of my 2 indexers had crashed a couple of days ago.
Trying to restart it yields a "Splunk timed out waiting to start" error. Looking at the splunkd log, I see the following error:

02-22-2016 14:05:35.800 +0000 ERROR SSLCommon - Can't read key file C:\Program Files\Splunk\etc\auth\server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.

The key file is there and looks OK to me, though I am not sure how I can test it. I did use the OpenSSL command, but received the same message. I tried changing the password in the config file and I receive a "bad password" error, so I know the PW is correct and it is reading the correct file.

There have been no updates or config changes that I am aware of; this 1 indexer server just seemed to crash.

Is it just a case of creating a new certificate on this one indexer, or are there other steps that need to be followed so I don't break the cluster / indexes?

I am running Splunk Version 6.2.3, Splunk Build 264376, on Windows 2012 R2 servers.

Thanks

1 Solution

basher590
Engager

I got this fixed in the end by creating a new certificate and applying it to the faulty server.
The first restart worked but I received a new error relating to http://127.0.0.1 instead of https, but after another restart it cleared and all was good.
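
One way to test a key file outside Splunk, which the question asks about (an added example, not part of the original posts): the script below checks that an encrypted PEM private key opens with a given passphrase and that it belongs to a given certificate. It assumes the `openssl` command-line tool is on the PATH; the function names, exit codes and the throwaway sample material are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): test an encrypted PEM key outside Splunk.
# Assumes the openssl CLI is on PATH; names and exit codes are this example's own.

# check_key_cert KEY_PEM CERT_PEM PASSPHRASE
#   0 = key decrypts with the passphrase and matches the certificate
#   1 = key cannot be read (wrong passphrase or damaged file; OpenSSL
#       reports a wrong passphrase as "bad decrypt")
#   2 = key decrypts but belongs to a different certificate
#   3 = certificate cannot be read
check_key_cert() {
    # Hand the passphrase over in the environment so it is not visible in argv.
    key_pub=$(KEY_PASS=$3 openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) \
        || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 3
    # The same public key on both sides means the pair belongs together.
    [ "$key_pub" = "$cert_pub" ] || return 2
    return 0
}

# make_sample DIR NAME PASSPHRASE
# Constructed throwaway material for trying the check: an encrypted RSA key
# and a one-day self-signed certificate. Not related to any real server.pem.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=$2.example.invalid" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" -passout "pass:$3" 2>/dev/null
}

# status_of ARGS...: run check_key_cert and print its exit code
status_of() {
    rc=0
    check_key_cert "$@" || rc=$?
    echo "$rc"
}
```

For a PEM file that holds both the certificate and the encrypted key, pass the same path for both file arguments. An exit code of 1 with a passphrase believed to be correct points at the key file itself rather than at the configuration.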
