I tried to get my indexer and forwarders communicating using SSL by following [this][1] guide. However, I found that I couldn't get it working without just throwing all of the certificates into auth folder. If I do that it works, but if I try to put the certificates outside of that folder it doesn't. The problem is that updating splunk will overwrite that folder, so I'm trying to keep my certificates in a different folder, which should be possible. I've tried setting the variables I can find to point to the new certificate location, but it provides the following error in splunkd.log and doesn't forward data.
12-02-2015 12:01:32.070 -0500 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/certs/server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
Because server.pem works fine inside of the auth folder, I'm guessing that the problem is with supporting files. So far I've tried using outputs.conf sslCertPath and sslRootCAPath, as well as server.conf caPath, sslKeysfile, and caCertFile. Below is the contents of my auth folder.
-rwxr-x--- 1 splunk splunk 3050 Dec 2 12:54 ca.pem
-rwxr-x--- 1 splunk splunk 17 Dec 2 12:54 ca.srl
-rwxr-x--- 1 splunk splunk 1216 Dec 2 12:54 cacert.pem
-rwxr-x--- 1 splunk splunk 1834 Dec 2 12:54 cakey.pem
-rwxr-x--- 1 splunk splunk 1013 Dec 2 12:54 careq.pem
-rw------- 1 splunk splunk 1041 Dec 2 12:54 privKeySecure.pem
-rw------- 1 splunk splunk 566 Dec 2 12:54 req.pem
-rwxr-x--- 1 splunk splunk 4386 Dec 2 12:54 server.pem
-r-------- 1 splunk splunk 255 Dec 2 12:54 splunk.secret
drwx------ 2 splunk splunk 512 Dec 2 12:54 splunkweb
I provided ca.pem, ca.srl, cacert.pem, cakey.pem, careq.pem, server.pem from the certificate generation process; I mirrored all of my certificate names with the default file names. Those files (and only those files) are in the certs folder, which is the folder I made that I want to read certs from. Is there some other Certificate location I'm failing to point to? Or is this a problem somewhere else?
Here's my working outputs.conf:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 129.52.27.30:9997
compressed = true
[tcpout-server://129.52.27.30:9997]
sslAltNameToCheck = winsplunk
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslCommonNameToCheck = winsplunk
sslPassword = totallyFunctionalHash
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslVerifyServerCert = true
Here's my working server.conf:
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = AnotherFunctionalHash
serverName = afemssplunk
[sslConfig]
sslKeysfilePassword = SameHashAsOutputs.confSSLPassword,CauseThey'reTheSamePassword
cipherSuite = TLSv1+HIGH:@STRENGTH
sslVersions = tls,-ssl2,-ssl3
Here's my failing outputs.conf:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 129.52.27.30:9997
compressed = true
[tcpout-server://129.52.27.30:9997]
sslAltNameToCheck = winsplunk
sslCertPath = /opt/splunkforwarder/etc/certs/server.pem
sslCommonNameToCheck = winsplunk
sslPassword = totallyFunctionalHash
sslRootCAPath = /opt/splunkforwarder/etc/certs/cacert.pem
sslVerifyServerCert = true
Here's my failing server.conf:
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = AnotherFunctionalHash
serverName = afemssplunk
[sslConfig]
sslKeysfilePassword = SameHashAsOutputs.confSSLPassword,CauseThey'reTheSamePassword
cipherSuite = TLSv1+HIGH:@STRENGTH
sslVersions = tls,-ssl2,-ssl3
sslKeysfile = server.pem
caCertFile = cacert.pem
caPath = /opt/splunkforwarder/etc/certs
[1]: https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html
↧