Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I use self signed SSL with HEC?

andl24
New Member
‎09-20-2022 07:53 AM

Similar to some other existing community posts, I am having issues sending POST requests to the https://.../services/collector/event endpoint of my Splunk enterprise server running on AWS after following Splunk guides on creating self signed ssl and using it.

 

Using -k in curl to skip insecure verify works, but including --cacert myselfsignedca does not. I've gone further and even added relevant x509 extensions like SANs with no success. The result from curl:

...

* successfully set certificate verify locations:
* CAfile: ./splunkCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

...

 

Any help is appreciated!

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 03:58 AM

Hi

I don't know why, but it seems that quite many TA's etc. which are using HEC is requested valid official CA-signed certs not self signed. This is probably some kind of statement from Splunk side?

If I recall right there (or in slack) was some time ago one post where someone has succeed to use self signed cert with Splunk_TA_aws as adding own CA cert into local CA store on those hosts. Maybe that can help also you. https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-AWS-Problem-Does-anyone-know-...

Anyhow you should/could create a idea into ideas.splunk.com for this. I suppose quite many will vote it ;-?

r. Ismo

0 Karma
Reply

andl24
New Member
‎10-06-2022 04:34 PM

Hi,

I have the same issue running it locally with Docker, not just on AWS. Are self signed certs with HEC supposed to be supported?

ref: https://hub.docker.com/r/splunk/splunk

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...