I'm trying to setup new Splunk indexers to replace our older ones. I want to set them up similarly to the old indexers where splunkweb is secured but also the indexers receive forwarder traffic via SSL.
Our certificates would be signed by our own internal CA which is a process I'm quite familiar with.
I'm the one who created this same setup on the old indexers some time ago, but I was a little unclear about the process, so I read through the documentation and the wiki. The only "how to make a certificate for Splunk" information I seem to be able to find indicates that the final server certificate would be composed of the concatenation of
1. signed server certificate
2. public CA certificate
in that order. I find that works perfectly fine for securing splunkweb. However, I've found that this seems insufficient for the receiving port. I get errors in splunkd.log:
11-12-2015 21:37:19.279 -0600 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/auth/mycerts/myindexer.privatekey.pem errno=33558530 error:02001002:system library:fopen:No such file or directory
11-12-2015 21:37:19.279 -0600 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong
11-12-2015 21:37:19.279 -0600 ERROR HTTPServer - SSL will not be enabled
The private key does not have a password. After further experimentation, and noting some comments on the web about this particular openssl error, if I create a server certificate that is the concatenation of
1. signed server certificate
2. server's private key
3. public CA certificate
(again, in that order), then everything works fine -- no errors at startup and 9997 is listening. It seems that the server certificate on the old indexers has this same combination that includes the private key.
What puzzles me is that I can't find anything in the Splunk docs or the wiki (which I think could use some updating on this topic anyway, as, for example, Splunk does seem to support password-protected certificates now) about including the private key for any certificate, nor anything indicating that this would be something different between the requirements for a splunkweb certificate file versus one for a receiving certificate file. It doesn't seem as if there's any real harm in the combo that includes the private key being used for splunkweb, as long as I keep all the certificate files as protected as I can with OS permissions. I just don't understand why I can't find any documentation that seems to line up with the only way I can make this configuration work.
Am I missing something?
Thanks
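The following is an added example, not code from the post above or from Splunk. It checks a PEM file for the layout the poster found to work on the receiving port (server certificate, then its private key, then the CA certificate, in that order) and assembles one from three separate files, so the "cert + CA only" file that is fine for splunkweb is flagged before splunkd refuses to build an SSL context. It assumes that layout is what splunkd expects for the inputs.conf [SSL] serverCert file, and that splunkweb tolerates the key-less file because web.conf points at the private key with its own separate privKeyPath setting; both are my notes, not statements from the post. The PEM bodies are constructed dummies, not real keys or certificates, so the script runs offline.

```python
"""Check and assemble the PEM bundle splunkd needs on its SSL receiving port.

Added example; it is not from the original post or from Splunk. It assumes,
as the post found, that the file named by serverCert in inputs.conf [SSL]
must contain the server certificate, its private key and the CA certificate
in that order, while the file for splunkweb may omit the key. The PEM bodies
below are constructed dummies, not real keys or certificates.
"""
import re

# One PEM block: label in the BEGIN/END lines, optional headers and base64 body between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return the ordered (label, block_text) pairs found in a PEM file."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_splunkd_bundle(server_cert, private_key, ca_chain):
    """Concatenate cert, key and CA chain in the order the post found to work."""
    for name, pem in (("server_cert", server_cert), ("private_key", private_key),
                      ("ca_chain", ca_chain)):
        if not pem_blocks(pem):
            raise ValueError(f"{name} contains no PEM block")
    # Ensure each part ends with a newline so the next BEGIN line starts its own line.
    return "".join(p if p.endswith("\n") else p + "\n"
                   for p in (server_cert, private_key, ca_chain))


def check_splunkd_bundle(text):
    """Return the problems found; an empty list means the layout matches."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []
    if labels[0] != "CERTIFICATE":
        problems.append(f"first block is {labels[0]!r}, expected the server CERTIFICATE")
    keys = [(label, body) for label, body in blocks if label in KEY_LABELS]
    if not keys:
        # The splunkweb-style two-part file: exactly the case that fails on port 9997.
        problems.append("no private key block: splunkd cannot build an SSL context from this file alone")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in keys[0][1]:
        # Legacy (Proc-Type header) and PKCS#8 encrypted keys both need a configured password.
        problems.append("private key is encrypted: its password must also be configured in inputs.conf")
    if labels.count("CERTIFICATE") < 2:
        problems.append("no CA certificate after the server certificate")
    return problems


# Constructed placeholders so the module runs offline (not real keys or certificates).
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nc2VydmVy\n-----END CERTIFICATE-----\n"
SERVER_KEY = "-----BEGIN RSA PRIVATE KEY-----\na2V5\n-----END RSA PRIVATE KEY-----\n"
CA_CERT = "-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    web_style = SERVER_CERT + CA_CERT  # fine for splunkweb, fails on the receiving port
    splunkd_style = build_splunkd_bundle(SERVER_CERT, SERVER_KEY, CA_CERT)
    for name, bundle in (("cert+CA", web_style), ("cert+key+CA", splunkd_style)):
        print(name, "->", check_splunkd_bundle(bundle) or "ok")
```

Run it against the real file named by serverCert before restarting splunkd; if it reports "no private key block", the file is the two-part splunkweb layout and the receiving port will log the same SSL context error as above. The check only inspects PEM structure, so pair it with an openssl check that the key actually matches the certificate, and keep the combined file readable by the splunk user only, since it now carries the private key.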