Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Switching HEC from HTTP to HTTPS with Let’s Encryp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Switching HEC from HTTP to HTTPS with Let’s Encrypt on Windows (On-Prem)
Environment:
Splunk Enterprise 9.x (Windows, On-Prem)
Domain: mydomain.duckdns.org (via DuckDNS)
Certbot for Let’s Encrypt certificate generation
Goal:
Use the correct Certbot CLI command to generate certificates for Splunk HEC.
Resolve curl: (28) Connection timed out when testing HTTPS.
Specific Issues:
1. Certbot CLI and Certificate Handling
The Let’s Encrypt README warns against copying/moving certificates, but Splunk requires specific paths.
Question:
What is the exact Certbot command to generate certificates for Splunk HEC on Windows?
Should I copy fullchain.pem and privkey.pem to Splunk’s auth/certs directory despite the warnings?
2. HTTPS Curl Failure
After configuring SSL in server.conf, curl times out:
CopyDownloadcurl -k -v "https://localhost:8088/services/collector" -H "Authorization: Splunk <HEC_TOKEN>" * Connection timed out after 4518953 milliseconds
Question:
Why does curl timeout even after enabling SSL in Splunk?
Is localhost:8088 valid for testing, or must I use mydomain.duckdns.org:8088?
Steps Taken:
Generated certificates with certbot certonly --standalone -d mydomain.duckdns.org.
Copied fullchain.pem and privkey.pem to $SPLUNK_HOME/etc/auth/certs.
Configured server.conf:
iniCopyDownload[httpServer] enableSSL = true sslCertPath = $SPLUNK_HOME/etc/auth/certs/fullchain.pem sslKeyPath = $SPLUNK_HOME/etc/auth/certs/privkey.pem
Confirmed port 8088 is open in Windows Firewall.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Eric_Rak
Since you're getting timeout issues with curl rather than an SSL error it sounds like HEC isnt enabled.
Please can you confirm if HEC has been enabled? Note: by default, HEC (HTTP Event Collector) is disabled and uses its own SSL settings in inputs.conf, not server.conf.
The [httpServer] stanza in server.conf only affects the management and web interfaces, not HEC.
You can use the following to check - check for disabled = 0/false
$SPLUNK_HOME/bin/splunk btool inputs list http --debug
Essentially you will need something like the following inputs.conf:
[http]
disabled = 0
enableSSL = true
serverCert = <full path to your certificate chain pem file>
sslPassword = <password for server key used in chain>Check out the following resources which might also assist:
Setting up HEC: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
Splunk Community Badges!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
