So my certificates are originally from my Windows root certificate authority. One is the Splunk cert, which was in .pfx format, and the other is the root CA's cert, which was a .cer.
I then placed these on the Splunk box running Linux (RHEL) and converted them to .pem with openssl, followed by placing them within the /splunk/etc/certs/ directory and then configuring the output.conf file (client side) and the inputs.conf file (Splunk server side). Afterwards, I restarted the Splunk service on the client side and on the Splunk box running Linux (./splunkd restart), but I keep getting the errors shown below. I just don't understand why I'm getting these errors (especially because I set up HTTPS for the web interface and it is working perfectly via the use of the SplunkCert and Splunk private key, which was extracted originally from the .pfx). Any help would be appreciated!!!! Thanks 🙂
# | _time | message | _raw
1 | 21:23.9 | Unable to write to file '/splunk/etc/users/admin/search/history/OracleSplunklocaldomain.csv'. Retried 5 times, period=500 ms. error='No such file or directory' | 08-08-2012 16:21:23.915 -0400 ERROR SearchResults - Unable to write to file '/splunk/etc/users/admin/search/history/OracleSplunklocaldomain.csv'. Retried 5 times, period=500 ms. error='No such file or directory'
2 | 18:14.4 | (child_3_Fsck) BucketBuilder - Error reading rawdata at offset=118784: rawdata was truncated | 08-08-2012 16:18:14.392 -0400 ERROR ProcessTracker - (child_3_Fsck) BucketBuilder - Error reading rawdata at offset=118784: rawdata was truncated
3 | 18:14.2 | SSL server certificate not found, or password is wrong - SSL ports will not be opened | 08-08-2012 16:18:14.232 -0400 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
4 | 18:14.2 | Can't read key file /splunk/etc/certs/splunkCert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line. | 08-08-2012 16:18:14.232 -0400 ERROR SSLCommon - Can't read key file /splunk/etc/certs/splunkCert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
5 | 12:53.3 | Failed to start the search process. |
Had the exact same situation. I had the cert and key in 2 separate pem files; I fixed this by combining the cert and key into one file (cat server.key >> server_cert.pem) and then pointing the serverCert to this new file in the inputs.conf. Restarted Splunk and it was then successfully listening on the new port on SSL (9998 in my case).
Tested by using the command
openssl s_client -connect splunk_receiver_name:9998
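A check for the situation in this thread, as an added example that is not part of any post here: OpenSSL reports "no start line" when it finds no `-----BEGIN ...` line of the type it wants, so this function counts those lines to tell a cert-only file from a combined cert-plus-key file or a non-PEM file. The function name, return codes and file names are assumptions of this example, and the sample files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): report which PEM blocks a file holds.
# Return codes are this script's own convention:
#   0 cert + private key   1 cert only   2 key only
#   3 no PEM start line (DER .cer, raw .pfx, UTF-16 text)   4 unreadable
pem_check() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read file"; return 4; }
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -E -e '^-----BEGIN ((RSA|EC|ENCRYPTED) )?PRIVATE KEY-----' "$f" || true)
    echo "$f: certificate blocks=$certs, private key blocks=$keys"
    if [ "$certs" -gt 0 ] && [ "$keys" -gt 0 ]; then return 0; fi
    if [ "$certs" -gt 0 ]; then return 1; fi
    if [ "$keys" -gt 0 ]; then return 2; fi
    return 3
}

# Constructed sample files; the base64 bodies are placeholders, not real keys.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/server_cert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo/server.key"
printf '\060\202\001\012' > "$demo/rootca.cer"   # DER bytes, no PEM text

pem_check "$demo/server_cert.pem" || echo "  -> rc=$? (cert only)"
pem_check "$demo/rootca.cer"      || echo "  -> rc=$? (not PEM, convert first)"
# The fix from the answer above: append the key to the certificate file.
cat "$demo/server.key" >> "$demo/server_cert.pem"
pem_check "$demo/server_cert.pem" && echo "  -> combined file has both blocks"
rm -rf "$demo"
```

Run it against the file named in serverCert before restarting Splunk; a result of 3 on a file copied from Windows usually means it is still DER or .pfx and has not been converted.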
I'm seeing the error you mention on a forwarder I have set up on Windows Server 2003, except it reads C:Program Files before the /splunk path. I'm using these cert files on other forwarders, so I don't know what could be wrong with them (or in this case, this particular file), and the path is correct.
Does anyone know why this would be?
You aren't the only one with this problem. Their doc (the one posted above by sdaniels) works fine on the splunk forwarder for linux, but not on Windows (at least on Server 2008 Standard) with version 6.0.2.
I've installed and uninstalled 5 times already this morning and the only good news is that the group that wrote the uninstaller...are brilliant, nothing is left. Maybe they can move over to the ssl side of the house and improve the processes there.
This may help you, have you seen this before?