Getting Data In

Issue with Self-Signed Certs Windows Splunk Univeral Forwarder to Windows Indexer "PEM routines:PEM_read_bio:no start line."

dwchow
Engager

Hello I get an error when attempting to utilize a self-signed Splunk cert generated from the splunk openssl through the tutorial found here

When after generating the keys I put them in the program files folder under \etc\auth and then my outputs.conf is set appropriately. The forwarder continues to send in clear text and the following error is within splunkd. "ERROR SSLCommon - Can't read key file C:\Program Files\SplunkUniversalForwarder\etc\auth\foocert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line."

I've investigated the pem file and compared it to others. Since it was windows I looked at them cert in both notepad++ and notepad regular and made adjusted line breaks accordingly even without word wrap as an attempt to resolve. I ensured the top of the file included "-----BEGIN CERTIFICATE-----" exactly 5 dashes each with no extra spacing. as well as the footer "-----END CERTIFICATE-----" the key looks like your average normal key. When examining the file with all non-printables notepad++ reports "CR LF" byte codes at each line. The other PEM files seem to have them too; which I suspect should be fine. I would like to use the same certificate pair made for the indexer as the UF; but the I do not have the private key right after the public key in the same pem file. I doubt that would generate the error but then again I'm unsure. Does the 'splunk open ssl' command use in Windows generate a file that needs to be tweaked before utilization? If so please advise.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...