Switching HEC from HTTP to HTTPS with Let’s Encryp...

Eric_Rak · ‎05-20-2025

Environment:

Splunk Enterprise 9.x (Windows, On-Prem)
Domain: mydomain.duckdns.org (via DuckDNS)
Certbot for Let’s Encrypt certificate generation

Goal:

Use the correct Certbot CLI command to generate certificates for Splunk HEC.
Resolve curl: (28) Connection timed out when testing HTTPS.

Specific Issues:

1. Certbot CLI and Certificate Handling

The Let’s Encrypt README warns against copying/moving certificates, but Splunk requires specific paths.
- Question:
  - What is the exact Certbot command to generate certificates for Splunk HEC on Windows?
  - Should I copy fullchain.pem and privkey.pem to Splunk’s auth/certs directory despite the warnings?

2. HTTPS Curl Failure

After configuring SSL in server.conf, curl times out:
Copy

Download
```
curl -k -v "https://localhost:8088/services/collector" -H "Authorization: Splunk <HEC_TOKEN>"  
* Connection timed out after 4518953 milliseconds  
```
- Question:
  - Why does curl timeout even after enabling SSL in Splunk?
  - Is localhost:8088 valid for testing, or must I use mydomain.duckdns.org:8088?

Steps Taken:

Generated certificates with certbot certonly --standalone -d mydomain.duckdns.org.
Copied fullchain.pem and privkey.pem to $SPLUNK_HOME/etc/auth/certs.

Configured server.conf:

ini

Copy

Download

[httpServer]  
enableSSL = true  
sslCertPath = $SPLUNK_HOME/etc/auth/certs/fullchain.pem  
sslKeyPath = $SPLUNK_HOME/etc/auth/certs/privkey.pem

Confirmed port 8088 is open in Windows Firewall.

livehybrid · ‎05-20-2025

Hi @Eric_Rak

Since you're getting timeout issues with curl rather than an SSL error it sounds like HEC isnt enabled.

Please can you confirm if HEC has been enabled? Note: by default, HEC (HTTP Event Collector) is disabled and uses its own SSL settings in inputs.conf, not server.conf.

The [httpServer] stanza in server.conf only affects the management and web interfaces, not HEC.

You can use the following to check - check for disabled = 0/false

$SPLUNK_HOME/bin/splunk btool inputs list http --debug

Essentially you will need something like the following inputs.conf:

[http]
disabled = 0
enableSSL = true
serverCert = <full path to your certificate chain pem file>
sslPassword = <password for server key used in chain>

Check out the following resources which might also assist:

Setting up HEC: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-secure-the-event-collector-port-8088-w...

https://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf#:~:text=12.%0A*%20Default%3A%20...

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing