Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting heavy forwarder error "TcpInputConfig - SSL server certificate not found, or password is wrong..."?

briangmadden
Explorer
‎01-20-2016 01:03 AM

I need to send data from a security appliance to a Splunk Heavy Forwarder on a listening port using TCP-TLS. Getting the errors below everytime in opt/splunk/var/log/splunk/splunkd.log that Splunk is started.

ERROR    SSLCommon - Can't read key file    /opt/splunk/etc/certs/cert.pem    errno=151441516 error:0906D06C:PEM    routines:PEM_read_bio:no start line.
ERROR    TcpInputConfig - SSL server    certificate not found, or password is    wrong - SSL ports will not be opened
ERROR    TcpInputConfig - SSL context not    found. Will not open raw (SSL) IPv4    port 17814

Here are the steps I followed:

  1. Generated CSR file on my Heavy Forwarder and sent to my certificate provider to have it signed.
  2. Received *.cer back from my certificate provider.
  3. Ran following command to convert *.cer into *.pem: openssl x509 -inform pem -in certificate.cer -outform der -out certificate.pem
  4. Copied cert.pem & InternalRootCA.pem to /opt/splunk/etc/certs

  5. Here is my inputs.conf

    [SSL]
    rootCA = $SPLUNK_HOME/etc/certs/InternalRootCA.pem
    serverCert = $SPLUNK_HOME/etc/certs/cert.pem
    password = ***************
    requireClientCert = false
    [tcp-ssl://17814]
    sourcetype = syslog
    index = **
    Restart Splunk & I get errors:

    ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
    ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
    ERROR TcpInputConfig - SSL context not found. Will not open raw (SSL) IPv4 port 17814
    The cert folder only includes the two files
    InternalRootCA.pem
    cert.pem

Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎07-19-2018 10:54 AM

The error "ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line." can be caused if you mistakenly swap the certificate path with the root CA path in the .conf file.

0 Karma
Reply

jplumsdaine22
Influencer
‎01-20-2016 07:54 AM

Have you checked the file permissions on those certificate files? IE does the user Splunk runs as have permissions to read them? You can check the file contents with openssl and verify the keys etc with commands found here as well https://www.sslshopper.com/article-most-common-openssl-commands.html

0 Karma
Reply

briangmadden
Explorer
‎01-20-2016 02:17 PM

I modified all the directory and file permissions to make splunk the owner.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...