Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: Switching HEC from HTTP to HTTPS with Let’s En...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Switching HEC from HTTP to HTTPS with Let’s Encrypt on Windows (On-Prem)
Environment:
Splunk Enterprise 9.x (Windows, On-Prem)
Domain: mydomain.duckdns.org (via DuckDNS)
Certbot for Let’s Encrypt certificate generation
Goal:
Use the correct Certbot CLI command to generate certificates for Splunk HEC.
Resolve curl: (28) Connection timed out when testing HTTPS.
Specific Issues:
1. Certbot CLI and Certificate Handling
The Let’s Encrypt README warns against copying/moving certificates, but Splunk requires specific paths.
Question:
What is the exact Certbot command to generate certificates for Splunk HEC on Windows?
Should I copy fullchain.pem and privkey.pem to Splunk’s auth/certs directory despite the warnings?
2. HTTPS Curl Failure
After configuring SSL in server.conf, curl times out:
CopyDownloadcurl -k -v "https://localhost:8088/services/collector" -H "Authorization: Splunk <HEC_TOKEN>" * Connection timed out after 4518953 milliseconds
Question:
Why does curl timeout even after enabling SSL in Splunk?
Is localhost:8088 valid for testing, or must I use mydomain.duckdns.org:8088?
Steps Taken:
Generated certificates with certbot certonly --standalone -d mydomain.duckdns.org.
Copied fullchain.pem and privkey.pem to $SPLUNK_HOME/etc/auth/certs.
Configured server.conf:
iniCopyDownload[httpServer] enableSSL = true sslCertPath = $SPLUNK_HOME/etc/auth/certs/fullchain.pem sslKeyPath = $SPLUNK_HOME/etc/auth/certs/privkey.pem
Confirmed port 8088 is open in Windows Firewall.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Eric_Rak
Since you're getting timeout issues with curl rather than an SSL error it sounds like HEC isnt enabled.
Please can you confirm if HEC has been enabled? Note: by default, HEC (HTTP Event Collector) is disabled and uses its own SSL settings in inputs.conf, not server.conf.
The [httpServer] stanza in server.conf only affects the management and web interfaces, not HEC.
You can use the following to check - check for disabled = 0/false
$SPLUNK_HOME/bin/splunk btool inputs list http --debug
Essentially you will need something like the following inputs.conf:
[http]
disabled = 0
enableSSL = true
serverCert = <full path to your certificate chain pem file>
sslPassword = <password for server key used in chain>Check out the following resources which might also assist:
Setting up HEC: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
