I've had the same. In my case it was caused by the following configuration, which is part of the Enterprise Security (version 3.1.1) App:
SOLNESS-2268: Disabling auditTrail signing by default
To enable, copy the following stanza to SA-AuditAndDataProtection/local/audit.conf
and swap the empty private/public key values for the populated ones
privateKey = $SPLUNK_HOME/etc/auth/audit/private.pem
publicKey = $SPLUNK_HOME/etc/auth/audit/public.pem
I also applied the proposed fix for the upgrade successfully, then reverted back.