Reorganize README

dd-Splunk · dd-Splunk · commit 0c991a9c0b16 · 2024-02-13T09:49:24.000Z
diff --git a/README.md b/README.md
@@ -6,31 +6,11 @@ PoC to secure HEC using Let's Encrypt certificates.
 
 ### Steps
 
-<https://github.com/dd-Splunk/splunk-hec-secure/blob/8c8b2f22d379c7365dea59b1fa28fd38680cde14/scripts/create-certs.sh#L1-L31>
+- Create the certificates
 
-```bash
-# Must be run as root
-
-APP_DIR=$PWD/configs/mycerts
-DOMAIN=dessy.one
-SPLUNK_HOST=splunk
-FQDN=s${SPLUNK_HOST}.${DOMAIN}
-
-# Standalone as no server exists yet.
-certbot certonly --standalone -d $FQDN
-cd /etc/letsencrypt/live/$FQDN
-
-cp fullchain.pem prickey.pem $APP_DIR
-
-# Get Let's Encrypt Root CA
-wget https://letsencrypt.org/certs/isrgrootx1.pem -P $APP_DIR
-
-cat cert.pem privkey.pem chain.pem > $APP_DIR/hec.pem
-
-chown splunk:splunk $APP_DIR/*.pem
-
-```
+<https://github.com/dd-Splunk/splunk-hec-secure/blob/8c8b2f22d379c7365dea59b1fa28fd38680cde14/scripts/create-certs.sh#L3-L31>
 
+At the end of the script the following should be
 in `$SPLUNK_HOME/etc/auth/mycerts`
 
 ```
@@ -41,25 +21,6 @@ in `$SPLUNK_HOME/etc/auth/mycerts`
 
 ```
 
-To check for cert chain:
-
-```bash
-openssl s_client -connect localhost:8000
-```
-
-From: <https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-secure-the-event-collector-port-8088-with-an-ssl/m-p/243885>
-
-This answer was the most helpful for me.
-I am adding a few things I found helpful for anyone using Certbot/LetsEncrypt
-
-- Generate the pem key using the letsencrypt certs
-
-```bash
-cd /etc/letsencrypt/live/your-server-hostname/
-cat cert.pem privkey.pem chain.pem > hec.pem
-chmod 644 hec.pem
-```
-
 - Use the following for `inputs.conf`
 
 ```ìni
@@ -72,14 +33,27 @@ sslPassword =
 crossOriginSharingPolicy = *
 ```
 
-- Troubleshoot the connection
-
-This comes from this forum post <https://community.splunk.com/t5/Security/Cna-t-Connect-to-HTTP-Event-Collector-Endpoint-with-My/m-p/308377>
-
 ### Test HEC
 
+Send a test event:
+
 ```bash
-curl -k https://splunk.dessy.one:8088/services/collector/event \
+DOMAIN=dessy.one
+SPLUNK_HOST=splunk
+FQDN=${SPLUNK_HOST}.${DOMAIN}
+curl -k https://$FQDN:8088/services/collector/event \
 -H "Authorization: Splunk abcd-1234-efgh-5678" \
 -d '{"event":"hello world"}' -v
 ```
+
+### Troubleshooting
+
+Check for cert chain integrity:
+
+```bash
+DOMAIN=dessy.one
+SPLUNK_HOST=splunk
+FQDN=${SPLUNK_HOST}.${DOMAIN}
+openssl s_client -connect $FQDN:8000
+openssl s_client -connect $FQDN:8000
+```
diff --git a/scripts/create-certs.sh b/scripts/create-certs.sh
@@ -15,7 +15,8 @@ FQDN=${SPLUNK_HOST}.${DOMAIN}
 ROOT_CA=isrgrootx1.pem
 
 # Create cert
-# certbot certonly --standalone -d $FQDN
+# Use standalone mode as no Web server exists yet.
+certbot certonly --standalone -d $FQDN
 cd /etc/letsencrypt/live/$FQDN
 
 # Get Let's Encrypt Root CA
@@ -24,7 +25,8 @@ wget -q https://letsencrypt.org/certs/$ROOT_CA -O $APP_DIR/$ROOT_CA
 # Add Certs to the Splunk cert store
 cp fullchain.pem privkey.pem $APP_DIR
 
-# Create chain of certs for HEC
+# Create chain of certs for HEC:
+# https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-secure-the-event-collector-port-8088-with-an-ssl/m-p/571431/highlight/true#M75360
 cat cert.pem privkey.pem chain.pem > $APP_DIR/hec.pem
 
 # Ensure proper ownership
