As for the HEC use of SSL, if you simply flip on SSL in the global options (aka enableSSL=1) it will use the settings from server.conf... which look like this on my machine.
[splunker@n00bserver bin]$ ./splunk btool server list --debug
/home/splunker/splunk/etc/system/local/server.conf [sslConfig]
/home/splunker/splunk/etc/system/default/server.conf allowSslCompression = true
/home/splunker/splunk/etc/system/default/server.conf allowSslRenegotiation = true
/home/splunker/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/home/splunker/splunk/etc/system/default/server.conf caPath = $SPLUNK_HOME/etc/auth
/home/splunker/splunk/etc/system/default/server.conf certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/home/splunker/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/home/splunker/splunk/etc/system/default/server.conf enableSplunkdSSL = true
/home/splunker/splunk/etc/system/default/server.conf sendStrictTransportSecurityHeader = false
/home/splunker/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/home/splunker/splunk/etc/system/local/server.conf sslPassword = <REDACTED>
/home/splunker/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf sslVersionsForClient = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf useClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf useSplunkdClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf
I would try throwing your certs in the auth dir and pointing to it from the inputs, similar to how the caCertFile and path & server cert are set above.
I will try and get my letsencrypt set up cookin and let you know, or will confirm with others much smarter than me 😉
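Added example (not part of the original post and not Splunk's own code): a small parser for the `btool --debug` output format shown above. It records which file each effective `[sslConfig]` value comes from, so you can confirm that a certificate override actually landed in `local` rather than still resolving to `default`. The sample lines, the `/opt/splunk` path, and the three checks in `review_ssl` are assumptions made for this example.

```python
import re

# Constructed sample in the shape of `splunk btool server list --debug` output:
# a source path, then either a stanza header or "key = value".
SAMPLE = """\
/opt/splunk/etc/system/local/server.conf [sslConfig]
/opt/splunk/etc/system/default/server.conf allowSslCompression = true
/opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/opt/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/opt/splunk/etc/system/local/server.conf sslPassword = <REDACTED>
/opt/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
/opt/splunk/etc/system/default/server.conf
"""

LINE = re.compile(
    r"^(?P<path>\S+\.conf)\s+(?:\[(?P<stanza>[^\]]+)\]|(?P<key>\S+)\s*=\s*(?P<val>.*))$"
)

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    out, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, or a path with no setting after it
        if m["stanza"]:
            stanza = m["stanza"]
            out.setdefault(stanza, {})
        elif stanza is not None:
            out[stanza][m["key"]] = (m["val"].strip(), m["path"])
    return out

def review_ssl(settings):
    """Return (key, note) pairs for [sslConfig]; the checks are this example's own."""
    notes = []
    for key, (val, src) in settings.get("sslConfig", {}).items():
        if key == "serverCert" and "/default/" in src:
            notes.append((key, "resolved from default: no local certificate override"))
        if key == "sslVersions" and "*" in [v.strip() for v in val.split(",")]:
            notes.append((key, "wildcard: every version not explicitly removed is accepted"))
        if key == "allowSslCompression" and val.lower() == "true":
            notes.append((key, "TLS compression is enabled"))
    return notes

if __name__ == "__main__":
    for key, note in review_ssl(parse_btool(SAMPLE)):
        print(f"{key}: {note}")
```

To run it against a real instance, pipe the output of `./splunk btool server list --debug` into `parse_btool` instead of `SAMPLE`.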