Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting heavy forwarder error "TcpInputConfig - SSL server certificate not found, or password is wrong..."?

briangmadden
Explorer
‎01-20-2016 01:03 AM

I need to send data from a security appliance to a Splunk Heavy Forwarder on a listening port using TCP-TLS. Getting the errors below everytime in opt/splunk/var/log/splunk/splunkd.log that Splunk is started.

ERROR    SSLCommon - Can't read key file    /opt/splunk/etc/certs/cert.pem    errno=151441516 error:0906D06C:PEM    routines:PEM_read_bio:no start line.
ERROR    TcpInputConfig - SSL server    certificate not found, or password is    wrong - SSL ports will not be opened
ERROR    TcpInputConfig - SSL context not    found. Will not open raw (SSL) IPv4    port 17814

Here are the steps I followed:

  1. Generated CSR file on my Heavy Forwarder and sent to my certificate provider to have it signed.
  2. Received *.cer back from my certificate provider.
  3. Ran following command to convert *.cer into *.pem: openssl x509 -inform pem -in certificate.cer -outform der -out certificate.pem
  4. Copied cert.pem & InternalRootCA.pem to /opt/splunk/etc/certs

  5. Here is my inputs.conf

    [SSL]
    rootCA = $SPLUNK_HOME/etc/certs/InternalRootCA.pem
    serverCert = $SPLUNK_HOME/etc/certs/cert.pem
    password = ***************
    requireClientCert = false
    [tcp-ssl://17814]
    sourcetype = syslog
    index = **
    Restart Splunk & I get errors:

    ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
    ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
    ERROR TcpInputConfig - SSL context not found. Will not open raw (SSL) IPv4 port 17814
    The cert folder only includes the two files
    InternalRootCA.pem
    cert.pem

Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎07-19-2018 10:54 AM

The error "ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line." can be caused if you mistakenly swap the certificate path with the root CA path in the .conf file.

0 Karma
Reply

jplumsdaine22
Influencer
‎01-20-2016 07:54 AM

Have you checked the file permissions on those certificate files? IE does the user Splunk runs as have permissions to read them? You can check the file contents with openssl and verify the keys etc with commands found here as well https://www.sslshopper.com/article-most-common-openssl-commands.html

0 Karma
Reply

briangmadden
Explorer
‎01-20-2016 02:17 PM

I modified all the directory and file permissions to make splunk the owner.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...