Security

Unable to configure SSL even with built-in certs

Docjowles
New Member

Splunk 4.1.5, CentOS 5.5 64-bit

I am trying to configure SSL for forwarding/receiving data, à la this question: http://answers.splunk.com/questions/397/how-to-configure-ssl-for-forwarding-and-receiving-data

However, something is going wrong, and I keep getting the following in the Splunk logs at startup:

09-29-2010 11:54:34.501 INFO  TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
09-29-2010 11:54:34.501 INFO  TcpInputProc - supporting SSL v2/v3
09-29-2010 11:54:34.501 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem
09-29-2010 11:54:34.501 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
09-29-2010 11:54:34.523 INFO  TcpInputProc - port 9998 is reserved for splunk 2 splunk (SSL)

Since I can't get the receiver to work, I haven't bothered trying the forwarder yet, so I will omit that info unless asked. Here is the configuration of the receiver:

$SPLUNK_HOME/etc/system/local/server.conf:

[sslConfig]
caPath = /opt/splunk/etc/auth
certCreateScript = /opt/splunk/bin/genSignedServerCert.py
sslKeysfilePassword = <hashed password is here>
supportSSLV3Only = true

$SPLUNK_HOME/etc/apps/search/local/inputs.conf:

[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
password=<unhashed password is here>
requireClientCert = false
RootCA=/opt/splunk/etc/auth/cacert.pem

[splunktcp-ssl:9998]
compressed = true

I have tried this with the built-in certs and also regenerating them all with genRootCA.sh and genSignedServerCert.sh. Either way I get the same error on startup. I have tried using "password" with no quotes for both password fields, as well as using a custom password when I generated my own certs. Neither one worked.

I checked permissions and they look fine, and I get errors even if I try to run Splunk as root. I can su to the splunk user and ls/cat the cert files just fine.

ls -la
total 36
drwx------  2 splunk splunk 4096 Sep 29 11:53 .
drwxr-xr-x 19 root   root   4096 Sep 29 11:40 ..
-rw-r--r--  1 splunk splunk  863 Sep 29 11:50 cacert.pem
-rw-r--r--  1 splunk splunk  963 Sep 29 11:50 cakey.pem
-rw-r--r--  1 splunk splunk 1826 Sep 29 11:50 ca.pem
-rw-r--r--  1 splunk splunk  660 Sep 29 11:50 careq.pem
-rw-r--r--  1 splunk splunk   17 Sep 29 11:53 ca.srl
-rw-r--r--  1 splunk splunk 2673 Sep 29 11:53 server.pem
-r--------  1 splunk splunk  255 Sep 29 11:40 splunk.secret

This is driving me up the wall; any insight into what I am doing wrong would be appreciated!

0 Karma

araitz
Splunk Employee

Did you restart Splunk after you input the unhashed password? Did you verify using lsof or netstat that the port was not actually open?

0 Karma

dwaddle
SplunkTrust

Hexx has done some serious study on this and has a working recipe with SSL mutual auth.

http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...
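
A structural check for the "Can't read key file" error in the question, as an added example that is not part of the thread or of Splunk's own tooling: it reports whether a PEM bundle such as server.pem holds a certificate and a private key, whether that key is encrypted (so a password is required at all), and whether the file mode lets other users read it. It does not test the password itself; the function name and the sample bundle are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# One PEM block: label, then optional RFC 1421 headers plus the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: the base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

def inspect_pem(path):
    """Summarise a PEM bundle's structure and mode without decrypting it."""
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    report = {
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "private_keys": len(keys),
        # PKCS#8 marks encryption in the label, legacy OpenSSL keys in a header.
        "encrypted_keys": sum(1 for label, body in keys
                              if label == "ENCRYPTED PRIVATE KEY"
                              or "Proc-Type: 4,ENCRYPTED" in body),
        "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
        "problems": [],
    }
    if not report["certificates"]:
        report["problems"].append("no CERTIFICATE block")
    if not keys:
        report["problems"].append("no private key block")
    elif report["world_readable"]:
        report["problems"].append("private key file is readable by other users")
    return report

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
        tmp.write(SAMPLE_BUNDLE)
    os.chmod(tmp.name, 0o644)  # same mode as server.pem in the listing above
    print(inspect_pem(tmp.name))
    os.unlink(tmp.name)
```

If `encrypted_keys` is 0, the key is stored unencrypted and the configured password is not what stops the file from being read; if `private_keys` is 0, the bundle is incomplete.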
