Splunk serving wrong certificate on tcp-ssl input

konstr
Path Finder

I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input using a different certificate.

The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading. 

My inputs.conf is as follows.

 

[tcp-ssl:10515]
sourcetype = source1
index = index1
disabled = 0
serverCert = /path to servercert2
sslRootCAPath = /path to rootCA cert

[tcp-ssl:10516]
sourcetype = source2
index = index2
disabled = 0

[tcp-ssl:10517]
sourcetype = source3
index = index3
disabled = 0

[SSL]
requireClientCert= false
serverCert = /path to servercert1
sslRootCAPath = /path to rootCA cert

 

 

Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory, but no luck.

No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets). 

 

According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.

 

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a
  forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending
  unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each
[tcp-ssl:<port>] input stanza. If you do not configure a certificate in the
port, the certificate information is pulled from the default [SSL] stanza:
  * serverCert = <path_to_cert>
  * sslRootCAPath = <path_to_cert> This attribute should only be added
    if you have not configured your sslRootPath in server.conf.
  * sslPassword = <password>

 

 

I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.

 

Any ideas?

harsmarvania57
Ultra Champion

Looks like this issue is fixed in Splunk 8.0.9

 

2021-02-09 | SPL-199494, SPL-198714 | tcp-ssl input stanza individual ssl certificates not working as documented
0 Karma

harsmarvania57
Ultra Champion

You mentioned that you tried to ignore the [SSL] stanza. Does that mean you removed the [SSL] stanza and its configuration and configured the SSL certificate under each tcp-ssl stanza?

0 Karma

konstr
Path Finder

Yes, I tried removing the [SSL] stanza completely and including all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.

0 Karma

harsmarvania57
Ultra Champion

I replicated this issue: I configured the settings below and it is not working. I suggest you raise a case with Splunk Support.

 

In inputs.conf

[tcp-ssl:10515]
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem

In server.conf

[sslConfig]

sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem

0 Karma

konstr
Path Finder

I am still looking for an answer on this. Not sure why this is not working as stated in Splunk docs.

0 Karma

BenjaminKTH
New Member

I am facing the exact same problem...

0 Karma
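
Added example (not part of the thread and not Splunk's own code): a Python check that works out which serverCert each [tcp-ssl:<port>] stanza should serve under the documented fallback to [SSL], then compares its SHA-256 fingerprint with the certificate the port actually presents, as an alternative to inspecting a packet capture. The function names, the sample configuration, the default host and the assumption that the server's own certificate is the first CERTIFICATE block in the serverCert PEM file are assumptions of this example.

```python
import configparser, hashlib, os, re, socket, ssl

# Constructed sample modelled on the question's inputs.conf (placeholder paths).
SAMPLE_INPUTS_CONF = """
[tcp-ssl:10515]
serverCert = /path to servercert2
[tcp-ssl:10516]
sourcetype = source2
[SSL]
requireClientCert = false
serverCert = /path to servercert1
"""

def expected_server_certs(conf_text):
    """Port -> serverCert path per the documented rule: own setting, else [SSL]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    default = cp.get("SSL", "serverCert", fallback=None)
    return {int(s.split(":", 1)[1]): cp.get(s, "serverCert", fallback=default)
            for s in cp.sections() if s.startswith("tcp-ssl:")}

def pem_fingerprint(pem_text):
    """SHA-256 of the first CERTIFICATE block; assumes the leaf certificate comes first."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM text")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(m.group(0))).hexdigest()

def served_fingerprint(host, port, timeout=5.0):
    """SHA-256 of the certificate the listener presents (identified, not validated)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def check_ports(conf_text, host="127.0.0.1"):
    """Port -> True when the served certificate matches the configured one."""
    results = {}
    for port, path in expected_server_certs(conf_text).items():
        with open(os.path.expandvars(path)) as fh:
            results[port] = pem_fingerprint(fh.read()) == served_fingerprint(host, port)
    return results

if __name__ == "__main__":
    print(expected_server_certs(SAMPLE_INPUTS_CONF))
```

Run `check_ports` on the forwarder against the merged configuration; a port that maps to `False` is presenting a different certificate from the one its stanza resolves to, which is the symptom described in this thread.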