Splunk Enterprise

How to fix "missing serverCert parameter from [SSL] stanza" on indexer?

hettervi
Builder

I'm trying to configure a new receiving port for SSL encrypted data on my indexer. I've written an inputs.conf and a server.conf file on the indexer, but my indexer is complaining that there is a missing serverCert parameter from the [SSL] stanza. I can't figure out why it's complaining. The error message seems simple enough, but I've double-checked the configuration with the documentation, but to no help, everything looks good in my eyes. Does anyone see what's wrong with my configuration, or has any tips on why the indexer is complaining?

inputs.conf

[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/path/to/cert/servercert.crt
requireClientCert = true

server.conf

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/path/to/rootca/rootca.pem

The specific error message from the indexer in splunkd.log:

ERROR TcpInputConfig - SSL context cannot be created due to missing required serverCert parameter from [SSL] stanza. Will not open splunk to splunk (SSL) IPv4 port 9998


hettervi
Builder

Turns out the error was caused by the "$SPLUNK_HOME" variable not being defined. I was sure this variable should be defined by Splunk by default, but this was not the case for this particular server at least. I checked the same variable on some other servers, and there it was defined, so why it hasn't been automatically defined during installation on this server, one can only wonder.

After we fixed the variable and the path became valid and correct, we got another error message, saying that "either the path is wrong or the password is incorrect". This turned out to be an error with the actual certificate which we solved quickly. What's interesting is that the previous error message said that there was a missing parameter, which led us to troubleshoot the wrong things. If we had got an error message saying something like "path not valid" or "can't find certificate", this would be a much better indication of what the actual problem was.


harsmarvania57
SplunkTrust

Can you please let us know whether the key exists in servercert.crt? If yes, then is it encrypted? If it is encrypted, then you need to configure the sslPassword parameter.
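Added example, not part of the thread and not Splunk code: a Python pre-flight check for the two causes discussed above, an unresolved variable or bad path in serverCert, and an encrypted private key without sslPassword. It assumes it runs with the same environment as splunkd and that the certificate file is PEM; check_ssl_stanza is a hypothetical helper name.

```python
import configparser
import os
import re

VAR = re.compile(r"\$(\w+)")

# The inputs.conf from the question, embedded as sample input.
SAMPLE = """[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/path/to/cert/servercert.crt
requireClientCert = true
"""

def check_ssl_stanza(conf_text, env=None):
    """Return a list of problems with [SSL] serverCert in an inputs.conf."""
    env = os.environ if env is None else env
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of serverCert / sslPassword
    cp.read_string(conf_text)
    if not cp.has_option("SSL", "serverCert"):
        return ["[SSL] has no serverCert setting"]
    raw = cp.get("SSL", "serverCert")
    # An unset variable leaves the path unresolvable: the cause found in this thread.
    undefined = [v for v in VAR.findall(raw) if v not in env]
    if undefined:
        return ["undefined variable(s) in serverCert: " + ", ".join(undefined)]
    path = VAR.sub(lambda m: env[m.group(1)], raw)
    if not os.path.isfile(path):
        return ["serverCert path does not exist: " + path]
    with open(path, encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    problems = []
    if "-----BEGIN CERTIFICATE-----" not in pem:
        problems.append("no PEM certificate in file")
    if "PRIVATE KEY-----" not in pem:
        problems.append("no private key in file")
    elif ("BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem) \
            and not cp.has_option("SSL", "sslPassword"):
        problems.append("private key is encrypted but sslPassword is not set")
    return problems

if __name__ == "__main__":
    for problem in check_ssl_stanza(SAMPLE) or ["no problems found"]:
        print(problem)
```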
