Solved: How to fix "missing serverCert parameter from [SSL...

hettervik · ‎08-14-2020

I'm trying to configure a new receiving port for SSL encryptet data on my indexer. I've written an inputs.conf and a server.conf file on the indexer, but my indexer is complaining that there is a missing serverCert parameter from the [SSL] stanza. I can't figure out why it's complaining. The error message seems simple enough, but I've double checked the configuration with the documentation, but to no help, everything looks good in my eyes. Does anyone see what's wrong with my configuration, or has any tips on why the indexer is complaining?

inputs.conf

[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/path/to/cert/servercert.crt
requireClientCert = true

server.conf

[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/path/to/rootca/rootca.pem

The specific error message from the indexer in splunkd.log:

ERROR TcpInputConfig - SSL context cannot be created due to missing required serverCert parameter from [SSL] stanza. Will not open splunk to splunk (SSL) IPv4 port 9998

hettervik · ‎08-20-2020

Turns out the error was caused by the "$SPLUNK_HOME" variable not being defined. I was sure this variable should be defined by Splunk by default, but this was not the case for this particular server at least. I checked the same variable on some other servers, and there it was defined, so why it hasen't been automatically defined under installation on this server, one can only wonder.

After we fixed the variable and the path became valid and correct, we got another error message, saying that "either the path is wrong or the password is incorrect". This turned out to be an error with the actual certificate which we solved quickly. What's interesting is that the previous error message said that there was a missing parameter, which lead us to troubleshoot the wrong things. If we had got a error message saying something like "path not valid" or "can't find sertificate", this would be a much better indication on what the actual problem was.

View solution in original post

harsmarvania57 · ‎08-19-2020

Can you please let us know whether key exist in servercert.crt ? If yes then is it encrypted ? If it is encrypted then you need to configure sslPassword parameter.

hettervik · ‎08-20-2020

Turns out the error was caused by the "$SPLUNK_HOME" variable not being defined. I was sure this variable should be defined by Splunk by default, but this was not the case for this particular server at least. I checked the same variable on some other servers, and there it was defined, so why it hasen't been automatically defined under installation on this server, one can only wonder.

After we fixed the variable and the path became valid and correct, we got another error message, saying that "either the path is wrong or the password is incorrect". This turned out to be an error with the actual certificate which we solved quickly. What's interesting is that the previous error message said that there was a missing parameter, which lead us to troubleshoot the wrong things. If we had got a error message saying something like "path not valid" or "can't find sertificate", this would be a much better indication on what the actual problem was.

How to fix "missing serverCert parameter from [SSL] stanza" on indexer?

configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation