Installation

Invalid Key: serverCert

erictreesh
Explorer

I'm following the instructions on:
http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate

After creating the web.conf file as shown when I restart splunk I get the message:
Invalid key in stanza [settings] in /opt/splunk/etc/system/local/web.conf, line 4: serverCert (value: etc/auth/splunkweb/server.pem).

Tags (1)

vgollapudi
Communicator

It can be fixed by adding the key to the spec file located in the README folder.

For example, I did this warning for the serverclass.conf file.

Invalid key in stanza [serverClass:hf_dev_indexer_apps] in /opt/splunk/etc/system/local/serverclass.conf, line 245: targetRepositoryLocation (value: $SPLUNK_HOME/etc/master-apps).

Solution:

This issue is fixed by adding the value to the spec file in the README folder /opt/splunk/etc/system/README/serverclass.conf.spec under the Second Level
targetRepositoryLocation = path

0 Karma

jkat54
SplunkTrust
SplunkTrust

That's a valid key in web.conf under [settings]. I would check to be sure some strange characters didn't get copied in by deleting the entire like and typing it manually.

There's also this app I developed to ease the process, would love any feedback about it:

https://splunkbase.splunk.com/app/3231/

0 Karma

erictreesh
Explorer

The local copy is gone and still getting the 500 error. I did something to break it while I was trying to make the certificates work.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Sounds like it's time for a fresh install. Is that an option?

0 Karma

erictreesh
Explorer

I deleted the line and retyped it on another line. Now I get the same error but with a different line number. I would love to try your app but I can't access splunkweb. I changed enableSplunkWebSSL to false and restated. It says the web is available and I can get to the log on screen. However when I enter my creds I get go to a page that says "500 Internal Server Error"

0 Karma

jkat54
SplunkTrust
SplunkTrust

Can you just remove your local copy of web.conf & restart?

rm /opt/splunk/etc/system/local/web.conf

For example?

It definitely sounds like you had extra characters in there. When you deleted the line and typed manually, the characters moved to the line below. My suggestion is to remove the web.conf you've created and then start new, manually typing in everything as opposed to a copy and paste from another machine.

0 Karma

erictreesh
Explorer

I discovered that serverCert is the new name for caCertPath. caCertPath is used in the default web.conf and my introducing serverCert is probably causing splunk to be confused.

I put my new certificate in the location pointed to by caCertPath and now splunkweb will start and eventually present me with a login page.

But when I enter my creds,after a period of time I get a "500 Internal Server Error".

0 Karma

jkat54
SplunkTrust
SplunkTrust

Did you try removing your local copy and restarting to see if the 500 error goes away?

0 Karma

erictreesh
Explorer

Thanks for the reply.
I deleted the line and retyped it on a different line. Same error but now on a different line. I'll checkout the app.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...