Hi. I have a Deployment Server, and I am using it to configure a Deployment Client, which is a Windows Universal Forwarder. I want to use SSL for both Forwarder-Indexer communications, as well as Deployment Client - Deployment Server communications, using "our" Certs (not Splunk's).
The initial state is that Forwarder-Indexer communication, as well as Deployment Client - Deployment Server communication, is working fine, but not using our Certs.
My first step is to configure the Forwarder-Indexer communication to use our Certs. So, I modify outputs.conf in the appropriate deployment-apps directory on the Deployment Server, with the needed SSL parameters, and reload the app. It works like a charm - the UF is now sending data to the Indexers, using SSL, with our Certs.
So now I want to make the equivalent change for the Deployment Client - Deployment Server communication. This time, I modify server.conf in the appropriate deployment-apps directory on the Deployment Server, with the needed SSL parameters, and reload the app. This does NOT work. splunkd.log, on both Deployment Client and Deployment Server, reports errors (shown below), the two endpoints no longer communicate, and a "./splunk list deploy-clients" command on the Deployment Server no longer displays the target machine as one of its Deployment Clients.
As best as I can tell, I am using the same "forwarder.pem", "cacert.pem", and cert passwords in the two .conf files (outputs and server), but things just aren't working for the Deployment Client - Deployment Server communications.
Any enlightenment, or at least tips on troubleshooting this, would be GREATLY appreciated!
Here are the splunkd.log errors...
On the Deployment Client
09-21-2011 20:38:02.971 -0700 ERROR SSLCommon - Can't read key file C:\Program Files\SplunkUniversalForwarder\etc\apps\\*app-name*\local\forwarder.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
09-21-2011 20:38:02.971 -0700 ERROR ServerConfig - Couldn't initialize SSL Context for HTTPClient in ServerConfig
09-21-2011 20:38:03.994 -0700 ERROR SSLCommon - Can't read key file C:\Program Files\SplunkUniversalForwarder\etc\apps\\*app-name*\local\forwarder.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
09-21-2011 20:38:03.994 -0700 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong
09-21-2011 20:38:03.994 -0700 ERROR HTTPServer - SSL will not be enabled
On the Deployment Server
09-21-2011 20:36:13.548 -0700 ERROR TcpInputFd - SSL Error = error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
09-21-2011 20:36:13.548 -0700 ERROR TcpInputFd - ACCEPT_RESULT=-1 VERIFY_RESULT=0
09-21-2011 20:36:13.548 -0700 ERROR TcpInputFd - SSL Error for fd from HOST:*hostname*, IP:*ip-addr*, PORT:50252
And, here are the .conf files...
outputs.conf
[tcpout]
defaultGroup = splunkssl-autolb-group
disabled = false
[tcpout-server://*hostname*:9998]
sslCertPath=C:\Program Files\SplunkUniversalForwarder\etc\apps\\*app-name*\local\forwarder.pem
sslPassword=*password*
sslRootCAPath=C:\Program Files\SplunkUniversalForwarder\etc\apps\\*app-name*\local\cacert.pem
sslVerifyServerCert=true
sslCommonNameToCheck=*full_hostname*
altCommonNameToCheck=*short_hostname*
there is more, but not SSL-related
server.conf
[sslConfig]
enableSplunkdSSL = true
sslKeysfile = forwarder.pem
sslKeysfilePassword = *password*
caCertFile = cacert.pem
caPath = C:\Program Files\SplunkUniversalForwarder\etc\apps\\*app-name*\local
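The `bad decrypt` error in the Deployment Client log above is what OpenSSL reports when an encrypted private key cannot be decrypted with the passphrase it was given. As an added example (not part of the original post and not Splunk's own code), this shell sketch checks a PEM key against a passphrase outside of Splunk; the function names and the sample key are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added troubleshooting sketch: does a passphrase decrypt the key in a PEM file?
# All names and sample values below are constructed for this example.

# Succeeds if the file holds an encrypted private key block
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
pem_key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints one of: missing, unencrypted, ok, bad-passphrase
#   $1 = PEM file, $2 = file whose first line is the passphrase
# The passphrase is read from a file so it never appears in the process list.
check_key_passphrase() {
    [ -r "$1" ] || { echo missing; return; }
    pem_key_is_encrypted "$1" || { echo unencrypted; return; }
    if openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1; then
        echo ok
    else
        echo bad-passphrase
    fi
}

# Builds a constructed encrypted key in a temp directory and runs every case.
# Prints the four results on one line, in the order checked.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-passphrase' > "$tmp/good.txt"
    printf '%s\n' 'some-other-value' > "$tmp/bad.txt"
    # Encrypted sample key (stands in for the key inside forwarder.pem)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$tmp/good.txt" \
        -out "$tmp/forwarder.pem" 2>/dev/null
    # Same key with the encryption removed
    openssl pkey -in "$tmp/forwarder.pem" -passin "file:$tmp/good.txt" \
        -out "$tmp/plain.pem" 2>/dev/null
    r1=$(check_key_passphrase "$tmp/forwarder.pem" "$tmp/good.txt")
    r2=$(check_key_passphrase "$tmp/forwarder.pem" "$tmp/bad.txt")
    r3=$(check_key_passphrase "$tmp/plain.pem" "$tmp/good.txt")
    r4=$(check_key_passphrase "$tmp/absent.pem" "$tmp/good.txt")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $r4"
}

demo
```

Running `check_key_passphrase` against the deployed key file with the passphrase exactly as it appears in each .conf file shows whether both values decrypt the same key.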