Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I use self signed SSL with HEC?

andl24
New Member
‎09-20-2022 07:53 AM

Similar to some other existing community posts, I am having issues sending POST requests to the https://.../services/collector/event endpoint of my Splunk enterprise server running on AWS after following Splunk guides on creating self signed ssl and using it.

 

Using -k in curl to skip insecure verify works, but including --cacert myselfsignedca does not. I've gone further and even added relevant x509 extensions like SANs with no success. The result from curl:

...

* successfully set certificate verify locations:
* CAfile: ./splunkCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

...

 

Any help is appreciated!

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 03:58 AM

Hi

I don't know why, but it seems that quite many TA's etc. which are using HEC is requested valid official CA-signed certs not self signed. This is probably some kind of statement from Splunk side?

If I recall right there (or in slack) was some time ago one post where someone has succeed to use self signed cert with Splunk_TA_aws as adding own CA cert into local CA store on those hosts. Maybe that can help also you. https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-AWS-Problem-Does-anyone-know-...

Anyhow you should/could create a idea into ideas.splunk.com for this. I suppose quite many will vote it ;-?

r. Ismo

0 Karma
Reply

andl24
New Member
‎10-06-2022 04:34 PM

Hi,

I have the same issue running it locally with Docker, not just on AWS. Are self signed certs with HEC supposed to be supported?

ref: https://hub.docker.com/r/splunk/splunk

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...