Solved: Re: After upgrading to 6.5.0, KV Store will not st... - Page 2

jcrabb_splunk · ‎10-05-2016

After upgrading to Splunk Enterprise 6.5.0, the KV Store will not start. On my indexers I see:

10/5/2016, 5:44:56 AM:

Search peer indexer01.domain.local has the following message: Failed to start KV Store process. See mongod.log and splunkd.log for details.

In splunkd.log I find:

10-05-2016 05:44:56.087 +0000 ERROR MongodRunner - mongod exited abnormally (exit code 14, status: exited with code 14) - look at mongod.log to investigate.

Looking in the mongod.log I find:

2016-10-05T05:44:56.753Z W CONTROL  No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
 2016-10-05T05:44:56.761Z F NETWORK  The provided SSL certificate is expired or not yet valid.
 2016-10-05T05:44:56.761Z I -        Fatal Assertion 28652
 2016-10-05T05:44:56.761Z I -
 ***aborting after fassert() failure

How can this be resolved?

Jacob
Sr. Technical Support Engineer

jcrabb_splunk · ‎10-05-2016

This can happen if the cert used by Splunkd to talk to Mongod has expired. Verify your certs are valid. For example, to validate the expiration date for server.pem you can run:

From $SPLUNK_HOME/etc/auth/

openssl x509 -enddate -noout -in ./server.pem

Results:

notAfter=Dec  10 14:017:25 2015 GMT

In the example above, the cert is expired. If you want to create a new cert you can look at splunk createssl:

$SPLUNK_HOME/bin/splunk help createssl

An example:

$SPLUNK_HOME/bin/splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server -c cn.domain.com -l 2048

Simply adjust for your environment requirements/settings. Once the new cert is in place, you can test to confirm it is valid:

From $SPLUNK_HOME/etc/auth/

openssl x509 -enddate -noout -in ./server.pem

Results:

notAfter=Aug 22 15:30:45 2019 GMT

If it is now valid, restart Splunk and validate if KVStore is running:

ps -ax | grep mongod

26108 ?        Ssl   62:11 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=200 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --replSet=50D25A40-7DD2-4017-A223-732705AD4A96 --sslAllowInvalidHostnames --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx --nounixsocket

And also:

$SPLUNK_HOME/bin/splunk _internal call /services/server/info |grep -i kvstore

<s:key name="kvStoreStatus">ready</s:key>

A third way to check is to run the following search from command line on the instance where you have the "Deployment Management Console / Monitor Console" Configured.

$SPLUNK_HOME/bin/splunk search "| rest /services/server/info splunk_server=* | fields splunk_server, kvStoreStatus"

          splunk_server       kvStoreStatus
    ------------------------- -------------
    indexer01.domain.com      ready
    indexer02.domain.com      ready
    indexer03.domain.com      ready
    indexer04.domain.com      ready
    indexer05.domain.com      ready

Jacob
Sr. Technical Support Engineer

View solution in original post

matthew_hess · ‎12-02-2019

Thanks, worked like a champ!

benwilinski · ‎10-01-2019

This is the fix. Thank you.

ShaunBaker · ‎06-25-2019

Thank you this worked!!

splunksurameric · ‎03-12-2019

Worked for me on Windows 2012. Thank you very much!

julieeball · ‎07-02-2018

Thank you! This worked for me.

a212830 · ‎07-25-2017

This is very helpful. I've never had to deal with setting any keys, so I have no idea what our cn.domain.com should be. I'm sure that it's probably right in front of me. Can someone point me in the right direction?

a212830 · ‎07-25-2017

Never mind. Duh.

ridwanahmed · ‎11-06-2018

I'll ask the question that was in your head originally-- (I've always regenerated by using the method below)-- what IS "cn" in that abstraction?

david_casey · ‎11-04-2016

After upgrading to 6.5 I am getting:

1) "Failed to start KV Store process. See mongod.log and splunkd.log for details."
2) "KV Store changed status to failed. KVStore process terminated."
3) "KV Store process terminated abnormally (exit code 1, status exited with code 1)"

I see nothing in Answers related to this. Help!!

david_casey · ‎11-07-2016

This has been resolved. Somehow during the upgrade to 6.5 the permissions on splunk.key changed. The permissions on the splunk.key file had to be reset as read-only and the search head rebooted. Problem solved. Shout out to Mike Cormier @ Concanon for his assistance!

Update: Typo fixed - splunk.key is the correct file name.

abhishekkalokhe · ‎07-11-2018

How to Do this on Windows ?

ChrisBell04 · ‎07-11-2018

My cliff notes for Windows:
open admin cmd prompt

set OPENSSL_CONF=D:\Splunk\openssl.cnf
D:\Splunk\etc\auth>d:\splunk\bin\splunk createssl server-cert -d . -n server

wcgage · ‎11-15-2016

I am on a MAC and I don't see the kvstore.key file. Where should it be?

isoutamo · ‎03-05-2018

On macOS nodes it is on /Applications/Splunk/var/lib/splunk/kvstore/mongo/splunk.key. Default seems to be rw instead of r and still it working.

david_casey · ‎11-16-2016

/opt/splunk/var/lib/kvstore/mongo/splunk.key

🙂

ndoshi · ‎01-05-2017

To be precise, the file is /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key. Doing a chmod 400 splunk.key did the trick.

damode · ‎10-30-2017

how to do this on Windows ?
I have Splunk on Windows and I checked the file permission, its already set to full control, still, I am getting the KVstore errors.
PLease help

GArienti · ‎11-03-2016

can we watch this and get alerted when it's expiring.
mine expired 2 years ago and until I upgraded to 6.5 it didn't come up...

After upgrading to 6.5.0, KV Store will not start

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life