Monitoring Splunk

splunkd not responding

mataharry
Communicator

I have a indexer, that crashed and I restored.

I can start splunkd and splunkweb services, but cannot use the CLI, or connect with the search-head, and splunkweb login fails (the version displayed is UNKNOWN)
But splunkd is indexing, and my firewalls are open.

I saw some errors in splunkd.log after a restart.


08-07-2012 12:19:02.807 -0700 ERROR SSLCommon - Can't read key file D:\Program Files\Splunk\etc\auth\server.pem errno=151429224 error:0906A068:PEM routines:PEM_do_header:bad password read.
08-07-2012 12:19:02.807 -0700 ERROR ServerConfig - Couldn't initialize SSL Context for HTTPClient in ServerConfig

Tags (2)
1 Solution

yannK
Splunk Employee
Splunk Employee

Did you restored the configuration from another server ?

The error means that the ssl certificated used for splunkd (port 8089) is not working.
check in $SPLUNK_HOME/etc/system/local/server.conf and web.conf

  • Verify that the ssl certificate exists
  • that the password is the good one.
  • that the $SPLUNK_HOME/etc/auth/splunk.secret has not be modified
  • regenerated the ssl password, by typing the password in clear in $SPLUNK_HOME/etc/system/local/server.conf
    [sslConfig]
    sslKeysfilePassword = password
    
    and restart to apply if you are using the default ssl, shipped with splunk, simply comment the password line and restart it will encrypt the one from the default settings.

View solution in original post

peewee42
New Member

How about ...are the rights on the directories as expected after the restore? I had similar messages after installing the first heavy forwarder. I needed to replace several ACLs on the windows server to get it working.

0 Karma

yannK
Splunk Employee
Splunk Employee

Did you restored the configuration from another server ?

The error means that the ssl certificated used for splunkd (port 8089) is not working.
check in $SPLUNK_HOME/etc/system/local/server.conf and web.conf

  • Verify that the ssl certificate exists
  • that the password is the good one.
  • that the $SPLUNK_HOME/etc/auth/splunk.secret has not be modified
  • regenerated the ssl password, by typing the password in clear in $SPLUNK_HOME/etc/system/local/server.conf
    [sslConfig]
    sslKeysfilePassword = password
    
    and restart to apply if you are using the default ssl, shipped with splunk, simply comment the password line and restart it will encrypt the one from the default settings.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...