Installation

Invalid Key: serverCert

erictreesh
Explorer

I'm following the instructions on:
http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate

After creating the web.conf file as shown when I restart splunk I get the message:
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 4: serverCert (value: etc/auth/splunkweb/server.pem).

Tags (1)

vgollapudi
Communicator

It can be fixed by adding the key to the spec file located in the README folder.

For example, I did this warning for the serverclass.conf file.

Invalid key in stanza [serverClass:hf_dev_indexer_apps] in /opt/splunk/etc/system/local/serverclass.conf, line 245: targetRepositoryLocation (value: $SPLUNK_HOME/etc/master-apps).

Solution:

This issue is fixed by adding the value to the spec file in the README folder /opt/splunk/etc/system/README/serverclass.conf.spec under the Second Level
targetRepositoryLocation = path

0 Karma

jkat54
SplunkTrust
SplunkTrust

That's a valid key in web.conf under [settings]. I would check to be sure some strange characters didn't get copied in by deleting the entire like and typing it manually.

There's also this app I developed to ease the process, would love any feedback about it:

https://splunkbase.splunk.com/app/3231/

0 Karma

erictreesh
Explorer

The local copy is gone and still getting the 500 error. I did something to break it while I was trying to make the certificates work.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Sounds like it's time for a fresh install. Is that an option?

0 Karma

erictreesh
Explorer

I deleted the line and retyped it on another line. Now I get the same error but with a different line number. I would love to try your app but I can't access splunkweb. I changed enableSplunkWebSSL to false and restated. It says the web is available and I can get to the log on screen. However when I enter my creds I get go to a page that says "500 Internal Server Error"

0 Karma

jkat54
SplunkTrust
SplunkTrust

Can you just remove your local copy of web.conf & restart?

rm /opt/splunk/etc/system/local/web.conf

For example?

It definitely sounds like you had extra characters in there. When you deleted the line and typed manually, the characters moved to the line below. My suggestion is to remove the web.conf you've created and then start new, manually typing in everything as opposed to a copy and paste from another machine.

0 Karma

erictreesh
Explorer

I discovered that serverCert is the new name for caCertPath. caCertPath is used in the default web.conf and my introducing serverCert is probably causing splunk to be confused.

I put my new certificate in the location pointed to by caCertPath and now splunkweb will start and eventually present me with a login page.

But when I enter my creds,after a period of time I get a "500 Internal Server Error".

0 Karma

jkat54
SplunkTrust
SplunkTrust

Did you try removing your local copy and restarting to see if the 500 error goes away?

0 Karma

erictreesh
Explorer

Thanks for the reply.
I deleted the line and retyped it on a different line. Same error but now on a different line. I'll checkout the app.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...