Splunk 4.1.5, CentOS 5.5 64-bit
I am trying to configure SSL for forwarding/receiving data, à la this question: http://answers.splunk.com/questions/397/how-to-configure-ssl-for-forwarding-and-receiving-data
However, something is going wrong, and I keep getting the following in the Splunk logs at startup:
    09-29-2010 11:54:34.501 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    09-29-2010 11:54:34.501 INFO TcpInputProc - supporting SSL v2/v3
    09-29-2010 11:54:34.501 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem
    09-29-2010 11:54:34.501 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
    09-29-2010 11:54:34.523 INFO TcpInputProc - port 9998 is reserved for splunk 2 splunk (SSL)
Since I can't get the receiver to work, I haven't bothered trying the forwarder yet, so I will omit that info unless asked. Here is the configuration of the receiver:
    [sslConfig]
    caPath = /opt/splunk/etc/auth
    certCreateScript = /opt/splunk/bin/genSignedServerCert.py
    sslKeysfilePassword = <hashed password is here>
    supportSSLV3Only = true

    [SSL]
    serverCert=/opt/splunk/etc/auth/server.pem
    password=<unhashed password is here>
    requireClientCert = false
    RootCA=/opt/splunk/etc/auth/cacert.pem

    [splunktcp-ssl:9998]
    compressed = true
I have tried this with the built-in certs and also regenerating them all with genRootCA.sh and genSignedServerCert.sh. Either way I get the same error on startup. I have tried using "password" with no quotes for both password fields, as well as using a custom password when I generated my own certs. Neither one worked.
I checked permissions and they look fine, and I get errors even if I try to run Splunk as root. I can su to the splunk user and ls/cat the cert files just fine.
    ls -la
    total 36
    drwx------  2 splunk splunk 4096 Sep 29 11:53 .
    drwxr-xr-x 19 root   root   4096 Sep 29 11:40 ..
    -rw-r--r--  1 splunk splunk  863 Sep 29 11:50 cacert.pem
    -rw-r--r--  1 splunk splunk  963 Sep 29 11:50 cakey.pem
    -rw-r--r--  1 splunk splunk 1826 Sep 29 11:50 ca.pem
    -rw-r--r--  1 splunk splunk  660 Sep 29 11:50 careq.pem
    -rw-r--r--  1 splunk splunk   17 Sep 29 11:53 ca.srl
    -rw-r--r--  1 splunk splunk 2673 Sep 29 11:53 server.pem
    -r--------  1 splunk splunk  255 Sep 29 11:40 splunk.secret
This is driving me up the wall. Any insight into what I am doing wrong would be appreciated!
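
An added example, not part of the original post and not Splunk tooling: when the file is readable but the log still reports "Can't read key file", one check is to inventory the PEM blocks in server.pem and see whether a private key is present and whether it is encrypted. The function names, the `password_configured` parameter and the sample bundle are constructed for illustration.

```python
import re

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample bundle (placeholder bodies, not real key material).
SAMPLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

def inventory(pem_text):
    """Return [(label, encrypted)] for each PEM block, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(pem_text):
        # Traditional OpenSSL keys flag encryption in a Proc-Type header;
        # PKCS#8 keys flag it in the block label itself.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append((label, encrypted))
    return blocks

def diagnose(pem_text, password_configured):
    """List structural reasons a server could fail to load a key from the bundle."""
    blocks = inventory(pem_text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    findings = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no CERTIFICATE block")
    if not keys:
        findings.append("no private key block")
    elif len(keys) > 1:
        findings.append("more than one private key block")
    for _, encrypted in keys:
        if encrypted and not password_configured:
            findings.append("key is encrypted but no password is configured")
        if not encrypted and password_configured:
            findings.append("password is configured but key is not encrypted")
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(inventory(text), diagnose(text, password_configured=True))
```

An empty findings list means the bundle's structure is consistent with the configuration; it does not show that the configured password actually decrypts the key.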