Security

Cna't Connect to HTTP Event Collector Endpoint with My Certificate

Path Finder

I installed my certificate into $SPLUNK_HOME/etc/auth/splunkweb. I can access Splunk Web on browser but, HTTP Event Collector ends with timeout.

Server: EC2 (OS: Amazon Linux)
Splunk Version: 7.0.1
Certificate: Let's Encrypt

inputs.conf
[http]
disabled = 0
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

So far as I tested HEC on curl, connection fails before negotiation. How can I enable my certificate on HEC?

HEC Test by curl
My Certificate
$ curl -k https://xxxxxxx.com:8088/services/collector/event -H "Authorization: Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -d '{"event": "hello world"}' -v
* Trying xx.xxx.xxx.xxx...
* Connected to xxxxxxx.com (xx.xxx.xxx.xxx) port 8088 (#0)
* Operation timed out after 0 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received

Splunk Default Cert
$ curl -k https://xxxxxxx.com:8088/services/collector/event -H "Authorization: Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -d '{"event": "hello world"}' -v
* Trying xx.xxx.xxx.xxx...
* Connected to xxxxxxx.com (xx.xxx.xxx.xxx) port 8088 (#0)
* TLS 1.2 connection using TLSRSAWITHAES128CBCSHA256
* Server certificate: SplunkServerDefaultCert
* Server certificate: Splunk Inspection CA
* Server certificate: Splunk Root CA
...

0 Karma

Explorer

I think i have seen this while testing our ssl config for HEC. I think your cert chain is incomplete.
You have to supply your certs and key in the following way:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/HowtoprepareyoursignedcertificatesforSplu...

and if your key uses a password you can specify that in the [http] stanza with sslPassword
See also: https://answers.splunk.com/answers/462131/securing-http-event-collector.html#answer-692893

0 Karma