Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use self signed SSL with HEC?

andl24
New Member
‎09-20-2022 07:53 AM

Similar to some other existing community posts, I am having issues sending POST requests to the https://.../services/collector/event endpoint of my Splunk enterprise server running on AWS after following Splunk guides on creating self signed ssl and using it.

 

Using -k in curl to skip insecure verify works, but including --cacert myselfsignedca does not. I've gone further and even added relevant x509 extensions like SANs with no success. The result from curl:

...

* successfully set certificate verify locations:
* CAfile: ./splunkCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

...

 

Any help is appreciated!

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 03:58 AM

Hi

I don't know why, but it seems that quite many TA's etc. which are using HEC is requested valid official CA-signed certs not self signed. This is probably some kind of statement from Splunk side?

If I recall right there (or in slack) was some time ago one post where someone has succeed to use self signed cert with Splunk_TA_aws as adding own CA cert into local CA store on those hosts. Maybe that can help also you. https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-AWS-Problem-Does-anyone-know-...

Anyhow you should/could create a idea into ideas.splunk.com for this. I suppose quite many will vote it ;-?

r. Ismo

0 Karma
Reply

andl24
New Member
‎10-06-2022 04:34 PM

Hi,

I have the same issue running it locally with Docker, not just on AWS. Are self signed certs with HEC supposed to be supported?

ref: https://hub.docker.com/r/splunk/splunk

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...