I am facing a weird issue at the moment where I want to set up multiple tcp-ssl inputs and have each input using a different certificate.
The reason for that is that our Heavy Forwarders will be receiving syslog inputs through two separate load-balancers which will not be performing certificate offloading.
My inputs.conf is as follows.

[tcp-ssl:10515]
sourcetype = source1
index = index1
disabled = 0
serverCert = /path to servercert2
sslRootCAPath = /path to rootCA cert

[tcp-ssl:10516]
sourcetype = source2
index = index2
disabled = 0

[tcp-ssl:10517]
sourcetype = source3
index = index3
disabled = 0

[SSL]
requireClientCert = false
serverCert = /path to servercert1
sslRootCAPath = /path to rootCA cert

Basically I am setting the main certificate that will be used in the [SSL] stanza and then I am overriding that specifically for the [tcp-ssl:10515] stanza. Passwords for both certificates are under the correct stanzas in the local directory. I've also tried to override the certificate in [tcp-ssl:10515] by adding the paths under the local directory but no luck.
No matter what I do Splunk is serving the certificate under the [SSL] stanza (which I have confirmed by capturing and inspecting the packets).
According to Splunk docs what I'm trying should be possible unless I'm misunderstanding something.

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a
  forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending
  unparsed, encrypted data.
* To create multiple SSL inputs, you can add the following attributes to each
  [tcp-ssl:<port>] input stanza. If you do not configure a certificate in the
  port, the certificate information is pulled from the default [SSL] stanza:
  * serverCert = <path_to_cert>
  * sslRootCAPath = <path_to_cert> This attribute should only be added
    if you have not configured your sslRootPath in server.conf.
  * sslPassword = <password>

I've also tried to completely ignore the [SSL] stanza and just add the certificate paths under each input's stanza but I get an error that the inputs cannot start due to the [SSL] stanza not being defined.
Any ideas?
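
As an added example (not part of the original post and not Splunk code), the check below resolves which serverCert each [tcp-ssl:<port>] stanza should serve under the documented fallback to [SSL], then compares its SHA-256 fingerprint with the certificate the port actually presents. The sample config, paths and function names are constructed, and it assumes the leaf certificate is the first CERTIFICATE block in each serverCert file.

```python
import hashlib
import os
import ssl

# Constructed sample mirroring the question's layout; paths are placeholders.
SAMPLE_INPUTS_CONF = """\
[tcp-ssl:10515]
serverCert = /opt/certs/lb2.pem
[tcp-ssl:10516]
[SSL]
requireClientCert = false
serverCert = /opt/certs/lb1.pem
"""

def parse_stanzas(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def expected_server_certs(text):
    """Per port: the stanza's own serverCert, else the one from [SSL]."""
    stanzas = parse_stanzas(text)
    default = stanzas.get("SSL", {}).get("serverCert")
    return {int(name.split(":", 1)[1]): conf.get("serverCert", default)
            for name, conf in stanzas.items() if name.startswith("tcp-ssl:")}

def pem_fingerprint(pem):
    """SHA-256 of the first certificate block in a PEM string."""
    end = "-----END CERTIFICATE-----"
    first = pem[pem.index("-----BEGIN CERTIFICATE-----"):pem.index(end) + len(end)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()

def check_ports(host, conf_text):
    """Return {port: True if the served leaf matches the configured file}."""
    result = {}
    for port, path in expected_server_certs(conf_text).items():
        with open(os.path.expandvars(path)) as fh:
            configured = pem_fingerprint(fh.read())
        served = pem_fingerprint(ssl.get_server_certificate((host, port)))
        result[port] = served == configured
    return result
```

Run `check_ports` on the forwarder itself with the real inputs.conf text; a `False` for a port that has its own serverCert reproduces the behaviour described in this thread.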
Looks like this issue is fixed in Splunk 8.0.9
2021-02-09 SPL-199494, SPL-198714 tcp-ssl input stanza individual ssl certificates not working as documented
As you mentioned that you tried to ignore the [SSL] stanza, does that mean you removed the [SSL] stanza and its configuration and configured the SSL certificate under each tcp-ssl stanza?
Yes, I tried removing the [SSL] stanza completely and including all the information under each port's stanza. That didn't work either and I was getting errors that the [SSL] stanza is missing.
Replicated this issue: configured the settings below and it is not working. I suggest you raise a case with Splunk Support.

In inputs.conf

[tcp-ssl:10515]
serverCert = $SPLUNK_HOME/etc/auth/my_certs/splunkso.pem

In server.conf

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/my_certs/rootCA.pem

I am still looking for an answer on this. Not sure why this is not working as stated in Splunk docs.
I am facing the exact same problem...