New Indexer Failing due to Cert Password, what is ...

splunk219783 · ‎03-04-2019

I have a new indexer. It's in the cluster, replicated and appears fine. We're using the default splunk generated cert. However 9997 wont open due to an invalid cert password. I thought the default was "password" ? But if i put that in

/opt/splunk/etc/system/local/server.conf
/opt/splunk/etc/apps/myapp/local/server.conf

I still get an error in splunkd.log

03-04-2019 10:26:01.214 -0500 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem errno=151404653 error:0906406D:PEM routines:PEM_def_callback:problems getting password.
03-04-2019 10:26:01.214 -0500 ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
03-04-2019 10:26:01.214 -0500 ERROR TcpInputConfig - SSL context not found. Will not open splunk to splunk (SSL) IPv4 port 9997

tiagofbmm · ‎03-04-2019

The default password is "password"

splunk219783 · ‎03-04-2019

Thanks, how can i verify which conf file it's looking for the password in? Would it be both of the files i mentioned?

/opt/splunk/etc/system/local/server.conf
/opt/splunk/etc/apps/myapp/local/server.conf

tiagofbmm · ‎03-04-2019

system/local has the maximum level of precedence

New Indexer Failing due to Cert Password, what is the default password?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases