Hello,
We keep getting the errors from one of our indexers (there are 3 in the cluster, only one is affected):
ERROR TcpInputConfig [60483 TcpListener] - SSL context not found. Will not open splunk to splunk (SSL) IPv4 port 9997
All indexers have the same SSL config:
/opt/splunk/etc/system/local/inputs.conf
[default]
host = z1234
[splunktcp-ssl:9997]
disabled = 0
connection_host = ip
[SSL]
serverCert = /opt/splunk/etc/auth/z1234_server.pem
sslPassword = <password>
requireClientCert = false
sslVersions = tls1.2
We have just found additional input.conf on all indexers: in
/opt/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
connection_host = ip
We deleted this config on all indexers as this is no longer valid and shouldn't be active.
Unfortunately, after splunk restart port 9997 is no longer opened on z1234 host. On other two hosts it is still opened...weird
Any idea what else to check/do to troubleshoot?
Your help will be much appreciated!
Greetings,
Justyna
The solution was to request new cert in company's CA, generate new private key and new certificate chains
The solution was to request new cert in company's CA, generate new private key and new certificate chains