Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I use self signed SSL with HEC?

andl24
New Member
‎09-20-2022 07:53 AM

Similar to some other existing community posts, I am having issues sending POST requests to the https://.../services/collector/event endpoint of my Splunk enterprise server running on AWS after following Splunk guides on creating self signed ssl and using it.

 

Using -k in curl to skip insecure verify works, but including --cacert myselfsignedca does not. I've gone further and even added relevant x509 extensions like SANs with no success. The result from curl:

...

* successfully set certificate verify locations:
* CAfile: ./splunkCA.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

...

 

Any help is appreciated!

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-04-2022 03:58 AM

Hi

I don't know why, but it seems that quite many TA's etc. which are using HEC is requested valid official CA-signed certs not self signed. This is probably some kind of statement from Splunk side?

If I recall right there (or in slack) was some time ago one post where someone has succeed to use self signed cert with Splunk_TA_aws as adding own CA cert into local CA store on those hosts. Maybe that can help also you. https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-AWS-Problem-Does-anyone-know-...

Anyhow you should/could create a idea into ideas.splunk.com for this. I suppose quite many will vote it ;-?

r. Ismo

0 Karma
Reply

andl24
New Member
‎10-06-2022 04:34 PM

Hi,

I have the same issue running it locally with Docker, not just on AWS. Are self signed certs with HEC supposed to be supported?

ref: https://hub.docker.com/r/splunk/splunk

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...