I'm trying to configure a new receiving port for SSL encrypted data on my indexer. I've written an inputs.conf and a server.conf file on the indexer, but my indexer is complaining that there is a missing serverCert parameter from the [SSL] stanza. I can't figure out why it's complaining. The error message seems simple enough, but I've double-checked the configuration with the documentation, but to no help, everything looks good in my eyes. Does anyone see what's wrong with my configuration, or has any tips on why the indexer is complaining?
inputs.conf
[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/path/to/cert/servercert.crt
requireClientCert = true
server.conf
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/path/to/rootca/rootca.pem
The specific error message from the indexer in splunkd.log:
ERROR TcpInputConfig - SSL context cannot be created due to missing required serverCert parameter from [SSL] stanza. Will not open splunk to splunk (SSL) IPv4 port 9998
Turns out the error was caused by the "$SPLUNK_HOME" variable not being defined. I was sure this variable should be defined by Splunk by default, but this was not the case for this particular server at least. I checked the same variable on some other servers, and there it was defined, so why it hasn't been automatically defined under installation on this server, one can only wonder.
After we fixed the variable and the path became valid and correct, we got another error message, saying that "either the path is wrong or the password is incorrect". This turned out to be an error with the actual certificate which we solved quickly. What's interesting is that the previous error message said that there was a missing parameter, which led us to troubleshoot the wrong things. If we had got an error message saying something like "path not valid" or "can't find certificate", this would be a much better indication on what the actual problem was.
Can you please let us know whether a key exists in servercert.crt? If yes, is it encrypted? If it is encrypted, then you need to configure the sslPassword parameter.
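The checks this thread ended up doing by hand (is $SPLUNK_HOME defined, does the serverCert path resolve to a file, does the file hold a key and is that key encrypted), as an added shell example that is not part of the original posts. The function names and status words are made up for this sketch; it only looks at PEM header lines and does not validate the certificate itself.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of serverCert in inputs.conf.
# Status words such as SPLUNK_HOME_UNSET are this script's own labels, not Splunk output.

# Print the serverCert value from the [SSL] stanza; print nothing if it is absent.
get_server_cert() {
    awk '
        /^[ \t]*\[/ { in_ssl = ($0 ~ /^[ \t]*\[SSL\][ \t]*$/); next }
        in_ssl && /^[ \t]*serverCert[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print one status word for the certificate referenced by the given inputs.conf.
check_server_cert() {
    raw=$(get_server_cert "$1")
    [ -n "$raw" ] || { echo "MISSING_PARAM"; return 1; }
    case $raw in
        '$SPLUNK_HOME'*)
            # Expand the literal prefix by hand; never eval configuration content.
            [ -n "${SPLUNK_HOME:-}" ] || { echo "SPLUNK_HOME_UNSET"; return 1; }
            path=$SPLUNK_HOME${raw#\$SPLUNK_HOME} ;;
        *)  path=$raw ;;
    esac
    [ -f "$path" ] || { echo "FILE_NOT_FOUND"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$path" || { echo "NO_CERTIFICATE"; return 1; }
    # The reply in the thread asks whether the key is in the same file, so check for it.
    grep -Eq -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$path" || { echo "NO_PRIVATE_KEY"; return 1; }
    # PKCS#8 and traditional PEM mark a passphrase-protected key differently.
    if grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$path"; then
        echo "KEY_ENCRYPTED_NEEDS_sslPassword"
    else
        echo "OK_KEY_UNENCRYPTED"
    fi
}

# Run against a real file when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_server_cert "$1"; fi
```

Run it as the account that starts splunkd, with the path to the inputs.conf in question as the only argument, so the environment it sees matches the one the indexer sees.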