TCP-SSL ERROR SSL context not found. Splunk not li...

hketer · ‎10-04-2023

Hey All 🙂

I've configured tcp-ssl on HF, created certificates and the following configuration.
The HF receive syslog from third-party, I'll send the third party company the CA (combined certificat) I created based on these docs:
1. How to create and sign your own TLS certificates
2. Create a single combined certificate file

inputs.conf
[tcp-ssl://2222]
index = test
sourcetype = st_test

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\myServerCertificate.pem
sslPassword = <Server.key password>
sslRootCAPath = C:\Program Files\Splunk\etc\auth\mycerts\myCertAuthCertificate.pem

Server.conf
[sslconfig]
sslPassword = <password encrypted that I didn't configured>

And yet Splunk isn't listening to the requested port for example 2222

What am I missing?

The error I get in Splunk _internal is:
SSL context not found. Will not open raw (SSL) IPv4 port 2222

Please assist, and Thank YOU!!!

PickleRick · ‎10-06-2023

Check logs more "backwards" to see earlier errors. Maybe you mistyped file paths, maybe the password was wrong...

_JP · ‎10-06-2023

A couple steps to troubleshoot:

- If you remove the SSL, can you get Splunk to startup and listen on that port?

- Are your paths 100% correct - this could be related to a typo in the path/filename.

- Do your certificates have the correct permissions so Spunk can see them?

As a side note, Splunk will auto-encrypt passwords like that in your .conf files. You'll see the following wording for values it does this with in the documentation (e.g. inputs.conf sslPassword documentation)

Upon first use, the input encrypts and rewrites the password

TCP-SSL ERROR SSL context not found. Splunk not listening the configured port.

heavy forwarder

inputs.conf

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!