Splunk Enterprise

Unable to Access Splunk Web via HTTPS

ielshahrori
New Member

I am currently facing an issue accessing the Splunk Web interface over HTTPS.

When I configure enableSplunkWebSSL = true in web.conf, the Splunk Web service appears to start normally, and the port 8000 is open. However, users are unable to reach the interface via the public IP using HTTPS.

When I change the configuration to enableSplunkWebSSL = false, and use HTTP instead, everything works fine — users can successfully access the Splunk Web interface on the public IP and port 8000.

Additional details:

  • There is full network connectivity; telnet to the public IP and port 8000 works.
  • The issue is reproducible across different browsers and devices.
  • The certificate used is the default self-signed certificate provided by Splunk.
  • The Splunk Web service log does not show any fatal errors.

I need to maintain HTTPS access for security compliance. Could you please assist in identifying the root cause and provide guidance on how to ensure HTTPS access works properly over the public IP?

     

0 Karma

PrewinThomas
Motivator

@ielshahrori 

When you enable HTTPS and access Splunk Web via a public IP, browsers attempt to validate the SSL certificate. The default Splunk self-signed certificate:


  • Has a Common Name (CN) set to localhost or the server’s hostname
  • Does not match the public IP address
  • Is not trusted by browsers

Replace the Default Self-Signed Certificate
Option A: Use a DNS Hostname
Assign a DNS name (e.g., splunk.test.com) pointing to your public IP.

Generate a certificate for that hostname using:
A commercial CA (e.g., DigiCert, Sectigo), or a free CA like Let’s Encrypt

Access Splunk Web via https://splunk.test.com:8000

Option B: Use a Self-Signed Cert with Public IP as CN
Generate a self-signed certificate with the CN set to your public IP.

Install the root certificate on client machines to avoid trust warnings.
Note: I would not recommend this for production or external access due to browser limitations, trust issues, compliance and best practices.


Refer: https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.3/secure-splunk-...


Install the Certificate in Splunk
Place the new certificate and key files on your Splunk server.

Edit $SPLUNK_HOME/etc/system/local/web.conf:

[settings]
enableSplunkWebSSL = true
serverCert = /opt/splunk/etc/auth/custom_ssl/splunk_cert.pem
privKeyPath = /opt/splunk/etc/auth/custom_ssl/splunk_key.pem

Then restart Splunk.


Also, you can refer to: https://docs.splunk.com/Documentation/Splunk/9.4.2/Security/SecureSplunkWebusingasignedcertificate


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

 

0 Karma

livehybrid
SplunkTrust

Hi @ielshahrori 

The issue you have is likely due to a mismatch between the default self-signed certificate's Common Name (CN), which is typically set to the Splunk server's hostname or localhost, and the public IP address used for access. This causes SSL/TLS handshake failures in browsers when attempting HTTPS connections (e.g., https://publicIP:8000), even though basic TCP connectivity (like telnet) succeeds on port 8000. Browsers enforce strict certificate validation, and self-signed certs with CN mismatches often result in "unable to reach" errors without an option to proceed unless explicitly overridden.

If you are using the public IP address over HTTPS then I assume you do not have a valid trusted certificate that the clients can validate for connecting to Splunk? It's not typical to have an SSL certificate that matches an IP address; instead you should have a hostname with DNS that resolves to the IP address of your Splunk server.

Then you will either need a Public Trusted SSL cert, or a self-signed cert which the clients have the root CA trusted on their system. You can then configure the custom SSL cert in Splunk:

Update web.conf (typically in $SPLUNK_HOME/etc/system/local/) with:

[settings]
  enableSplunkWebSSL = true
  serverCert = <path_to_your_new_cert.pem> 

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
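The name check both answers describe can be reproduced with OpenSSL before a certificate goes into web.conf. The script below is an added example, not part of either answer or of Splunk's documentation. It assumes OpenSSL 1.1.1 or later (for `-addext`), uses 203.0.113.10 as a placeholder for the public IP, and borrows splunk.test.com and the PEM file names from the first answer.

```bash
#!/usr/bin/env bash
# Added example with constructed values: 203.0.113.10 is a documentation
# address (RFC 5737) standing in for the real public IP.
set -eu

# Decide which subjectAltName type a name needs: an IPv4 literal must go in
# an IP SAN, anything else in a DNS SAN.
san_type() {
  case "$1" in
    *[!0-9.]*|"") echo DNS ;;
    *)            echo IP ;;
  esac
}

# make_cert <name> <outdir>: self-signed key pair whose CN and SAN are <name>.
# This only fixes the name; clients must still trust the certificate.
make_cert() {
  local name=$1 out=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$name" \
    -addext "subjectAltName=$(san_type "$name"):$name" \
    -keyout "$out/splunk_key.pem" -out "$out/splunk_cert.pem" 2>/dev/null
}

# cert_matches <cert.pem> <host-part-of-URL>: succeeds only if the
# certificate is valid for the name the user types into the browser.
cert_matches() {
  local flag=-checkhost
  [ "$(san_type "$2")" = IP ] && flag=-checkip
  openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}

tmp=$(mktemp -d)
make_cert 203.0.113.10 "$tmp"
for url_host in 203.0.113.10 splunk.test.com; do
  if cert_matches "$tmp/splunk_cert.pem" "$url_host"; then
    echo "https://$url_host:8000 -> name matches certificate"
  else
    echo "https://$url_host:8000 -> name mismatch, browser will warn or refuse"
  fi
done
```

Running `cert_matches` against the certificate referenced by `serverCert`, with the exact host users put in the URL, shows whether a name mismatch is in play before Splunk is restarted.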