I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input use a different certificate.
The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading.
My inputs.conf is as follows.
[tcp-ssl:10515]
sourcetype = source1
index = index1
disabled = 0
serverCert = /path to servercert2
sslRootCAPath = /path to rootCA cert

[tcp-ssl:10516]
sourcetype = source2
index = index2
disabled = 0

[tcp-ssl:10517]
sourcetype = source3
index = index3
disabled = 0

[SSL]
requireClientCert = false
serverCert = /path to servercert1
sslRootCAPath = /path to rootCA cert
Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory but no luck.
No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets).
According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.
[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each [tcp-ssl:<port>] input stanza. If you do not configure a certificate in the port, the certificate information is pulled from the default [SSL] stanza:
  * serverCert = <path_to_cert>
  * sslRootCAPath = <path_to_cert>
    This attribute should only be added if you have not configured your sslRootPath in server.conf.
  * sslPassword = <password>
I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.
As you mentioned that you tried to ignore the [SSL] stanza, does that mean you removed the [SSL] stanza and its configuration and configured the SSL certificate under each tcp-ssl stanza?
Yes, I tried removing the [SSL] stanza completely and including all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.
Replicated this issue, configured the settings below and it is not working. I suggest you raise a case with Splunk Support.
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem