
How do I use self-signed SSL with HEC?

andl24
New Member

Similar to some other existing community posts, I am having issues sending POST requests to the https://.../services/collector/event endpoint of my Splunk Enterprise server running on AWS after following Splunk guides on creating a self-signed SSL certificate and using it.


Using -k in curl to skip insecure verify works, but including --cacert myselfsignedca does not. I've gone further and even added relevant x509 extensions like SANs with no success. The result from curl:

...

* successfully set certificate verify locations:
* CAfile: ./splunkCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

...


Any help is appreciated!
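The curl error above is the one OpenSSL raises when the chain the server sends ends in a self-signed root that is not in the trust store curl was given. The script below is an added example, not code from the original post: it builds a throwaway lab PKI with openssl (names splunkCA, otherCA and splunk.example.test are constructed), reproduces the failure offline, and shows the two checks that tell you whether the file passed to --cacert is really the root behind the certificate the server presents.

```shell
# Added example, not from the original thread. Requires only openssl.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed CA: $1 is the CN, produces $1.key and $1.pem (constructed lab CA).
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
mk_ca splunkCA   # the CA that really signed the server cert
mk_ca otherCA    # an unrelated CA standing in for a wrong --cacert file

# Leaf cert for the HEC endpoint (constructed name), signed by splunkCA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=splunk.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA splunkCA.pem -CAkey splunkCA.key \
  -CAcreateserial -days 1 -out server.pem 2>/dev/null

# What the server sends in the TLS handshake: the leaf plus its issuing CA.
# Against a live host you would capture this with:
#   openssl s_client -connect HOST:PORT -showcerts </dev/null
cat server.pem splunkCA.pem > chain.pem

# verify_chain CAFILE: prints OK, or openssl's reason for rejecting the chain
# (the same reason curl reports), and returns non-zero on rejection.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted chain.pem server.pem 2>&1) &&
    { echo OK; return 0; }
  echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  return 1
}

# issuer_matches CAFILE: succeeds only if the CA file's subject is the
# leaf certificate's issuer, i.e. --cacert really names the signing CA.
issuer_matches() {
  ca=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  iss=$(openssl x509 -noout -issuer -in server.pem | sed 's/^issuer= *//')
  [ "$ca" = "$iss" ]
}

echo "right CA : $(verify_chain splunkCA.pem || true)"
echo "wrong CA : $(verify_chain otherCA.pem || true)"
```

If the live chain fails the same way with your own CA file, run issuer_matches against the leaf you captured: a mismatch means the HEC port is presenting a certificate your CA never signed.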


isoutamo
SplunkTrust

Hi

I don't know why, but it seems that quite many TAs etc. which are using HEC require valid, officially CA-signed certs, not self-signed ones. This is probably some kind of statement from Splunk's side?

If I recall right, some time ago there (or in Slack) was a post where someone succeeded in using a self-signed cert with Splunk_TA_aws by adding their own CA cert into the local CA store on those hosts. Maybe that can help you too. https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-AWS-Problem-Does-anyone-know-...

Anyhow, you should/could create an idea on ideas.splunk.com for this. I suppose quite many will vote for it ;-?

r. Ismo


andl24
New Member

Hi,

I have the same issue running it locally with Docker, not just on AWS. Are self-signed certs with HEC supposed to be supported?

ref: https://hub.docker.com/r/splunk/splunk

Thanks
