This error occurs when Splunk tries to decrypt the RSA private key in server.pem with the wrong password.
I'll show you how to fix this by decrypting the cert by hand, as long as you are using the default Splunk signing CAs.
1. Delete server.pem from your universal forwarder and restart Splunk (this will recreate server.pem with a default password of 'password')
2. Decrypt the private RSA key: 'openssl rsa -in server.pem -out server_unprotected.pem'
3. Since server_unprotected.pem will only have the decrypted RSA private key in it, copy & paste the other two blocks from server.pem (don't copy over the original encrypted RSA private key)
4. mv server_unprotected.pem server.pem
5. Restart Splunk
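
Steps 2 to 4 above as a shell script, added here as an example and not part of the original post. The function names, the backup file name and the passphrase-file argument are assumptions; the script writes the decrypted bundle with owner-only permissions and keeps the encrypted original for rollback.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# passphrase-file argument are assumptions made for illustration.

# Print every PEM block in bundle $1 except private-key blocks, i.e. the
# "other two blocks" of step 3. Encrypted-key headers (Proc-Type, DEK-Info)
# sit inside the key block, so they are dropped with it.
non_key_blocks() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----/ { skip = 1 }
        !skip                            { print }
        /^-----END .*PRIVATE KEY-----/   { skip = 0 }
    ' "$1"
}

# Rebuild bundle $1 with its RSA key decrypted. $2 is a file holding the key
# passphrase, which keeps it out of the process list and shell history.
rebuild_server_pem() {
    pem=$1
    passfile=$2
    # The result holds an unencrypted key: create it owner-only from the start.
    tmp=$(umask 077 && mktemp "$pem.XXXXXX") || return 1

    # Step 2: decrypt the private key.
    # Step 3: append the remaining blocks from the original bundle.
    if openssl rsa -in "$pem" -passin "file:$passfile" -out "$tmp" &&
       non_key_blocks "$pem" >> "$tmp" &&
       [ "$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$tmp")" -eq 1 ]
    then
        cp -p "$pem" "$pem.encrypted.bak" &&   # keep the original for rollback
        mv "$tmp" "$pem"                       # step 4
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh rebuild_pem.sh /path/to/server.pem /path/to/passphrase-file
if [ "$#" -eq 2 ]; then
    rebuild_server_pem "$1" "$2"
fi
```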