After ssl, graylog works in Chrome, but not Firefox or IE

(Gabriel Enache) #1

Hi all.
I’ve created a CSR and sent it to our Enterprise team to generate and give me a domain certificate in order to secure our (local) graylog instance. The certificate came; I copied it to /etc/graylog/server/ and modified the server.conf file, which looks like this:

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = qJHQGEN5z01IHf2sY7MniWq6BndLfTfzOTZlT43qLa7Ca0u2zvgzGnrBW6v0vid0
root_username = admin
root_password_sha2 = a0df6bddf0281d67cd401c70e6dc2570150217f66e73bdb64c8004076b7435ca
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://log01.unit.corp:12900/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/log01.pem
rest_tls_key_file = /etc/graylog/server/log01.key
web_tls_key_file = /etc/graylog/server/log01.key
web_enable_tls = true
web_enable = true
web_listen_uri = http://log01.unit.corp:9000/
web_tls_cert_file = /etc/graylog/server/log01.pem
rotation_strategy = time
elasticsearch_max_number_of_indices = 14
elasticsearch_max_time_per_index = 12h
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_cluster_name = clj-els
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts =
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json

The CSR has been generated like this:

openssl req -new -sha256 -nodes -out ./log01.unit.corp.csr -newkey rsa:4096 -keyout ./log01.unit.corp.key -config csr_details.txt

After the graylog-server restart, Graylog is available and works in Chrome, but it doesn’t work in Firefox or IE.
The error I get in Firefox is:

We are experiencing problems connecting to the Graylog server running on https://log01.unit.corp:12900/. Please verify that the server is healthy and working correctly.

You will be automatically redirected to the previous page once we can connect to the server.

This is the last response we received from the server:

Error message
Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
Original Request
GET https://log01.unit.corp:12900/system/sessions
Status code
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

Any idea why?
Thank you!

(Jochen) #2

Did you add the CA certificate used to create the server certificate used by Graylog to the certificate stores of Firefox and Internet Explorer (Windows)?

(Gabriel Enache) #3

Yes, I did. I’ve imported the key.

(Jochen) #4

What happens if you try to open https://log01.unit.corp:12900/ in a freshly started Firefox and Internet Explorer?

(Gabriel Enache) #5

(Jochen) #6

What happens if you’re opening http://log01.unit.corp:9000/ in a freshly started Firefox and Internet Explorer?

(Gabriel Enache) #7

The above image should say it all.

(Jochen) #8

No. It doesn’t.

Make sure to check the developer console of your browsers for more details on why the requests were blocked.

(Gabriel Enache) #9

It started working right now, but as per Jochen’s suggestion, I’ve opened the dev console and this is what I see:

(Gabriel Enache) #10

The strange thing is that for other people, Firefox is still not able to show Graylog.

(Gabriel Enache) #11

It started working for me because I went to https://log01.unit.corp:12900 and accepted the broken certificate.

(Jochen) #12
So the answer to my previous question (see below) is no.

It also means that the answer to the following question was incorrect.
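The thread turns on two details of the posted server.conf that are easy to miss: the web interface (web_listen_uri, port 9000) and the REST API (rest_listen_uri, port 12900) are separate browser origins, so a browser must trust the server certificate for each one independently, and both listeners have TLS enabled while their listen URIs still use http://. The following is an added example, not code from the thread or from the Graylog project: a small Python linter that parses the key = value format of server.conf, enumerates the origins a browser must trust, and flags the TLS/scheme mismatch. The function names and the SAMPLE_CONF excerpt are constructed for this example (the values in it are the ones posted above); the handling of rest_transport_uri and default ports goes slightly beyond the thread, which uses rest_listen_uri only.

```python
"""
Added example (not from the Graylog thread or the Graylog project).

Lints a Graylog 2.x server.conf excerpt for the two things this thread
hinges on:

  1. the REST API listener and the web interface listener are separate
     browser origins, so the server certificate must be trusted for each
     of them (accepting it on port 9000 does not cover port 12900);
  2. *_enable_tls = true combined with an http:// listen URI, which the
     Graylog 2.x documentation expects to be https:// when TLS is enabled.

Function names and SAMPLE_CONF are constructed for this example; the
values inside SAMPLE_CONF are the ones posted in the thread.
"""
from urllib.parse import urlsplit

# Constructed excerpt of the posted server.conf (only the TLS/URI keys).
SAMPLE_CONF = """\
rest_listen_uri = http://log01.unit.corp:12900/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/log01.pem
rest_tls_key_file = /etc/graylog/server/log01.key
web_tls_key_file = /etc/graylog/server/log01.key
web_enable_tls = true
web_enable = true
web_listen_uri = http://log01.unit.corp:9000/
web_tls_cert_file = /etc/graylog/server/log01.pem
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_conf(text):
    """Parse Graylog's key = value format; '#' lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_true(conf, key, default="false"):
    """Graylog booleans are the literal strings true/false."""
    return conf.get(key, default).lower() == "true"


def effective_origin(uri, tls_enabled):
    """Origin (scheme://host:port) the browser actually connects to.

    With TLS enabled the browser speaks https regardless of the scheme
    written in the listen URI; the thread's error shows https://...:12900
    even though rest_listen_uri says http://.
    """
    parts = urlsplit(uri)
    scheme = "https" if tls_enabled else parts.scheme
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return f"{scheme}://{parts.hostname}:{port}"


def browser_origins(conf):
    """Set of origins whose certificate a browser must trust.

    rest_transport_uri, when set, is the API address the web interface
    hands to the browser; otherwise rest_listen_uri is used. web_enable
    defaults to true in Graylog 2.x.
    """
    api_uri = conf.get("rest_transport_uri") or conf["rest_listen_uri"]
    origins = {effective_origin(api_uri, is_true(conf, "rest_enable_tls"))}
    if is_true(conf, "web_enable", default="true"):
        origins.add(effective_origin(conf["web_listen_uri"],
                                     is_true(conf, "web_enable_tls")))
    return origins


def lint_tls(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for prefix in ("rest", "web"):
        tls = is_true(conf, f"{prefix}_enable_tls")
        uri = conf.get(f"{prefix}_listen_uri", "")
        if tls and urlsplit(uri).scheme == "http":
            findings.append(f"{prefix}_enable_tls is true but "
                            f"{prefix}_listen_uri uses http://")
        if tls:
            for suffix in ("tls_cert_file", "tls_key_file"):
                if not conf.get(f"{prefix}_{suffix}"):
                    findings.append(f"{prefix}_enable_tls is true but "
                                    f"{prefix}_{suffix} is not set")
    origins = browser_origins(conf)
    if len(origins) > 1:
        findings.append("browser must trust the certificate on each of: "
                        + ", ".join(sorted(origins)))
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the posted excerpt, the linter reports the http:// scheme on both TLS-enabled listeners and lists https://log01.unit.corp:9000 and https://log01.unit.corp:12900 as two origins that each need a trusted certificate, which is exactly why visiting port 9000 alone was not enough and why importing the CA certificate into every client's store (rather than accepting a broken certificate per user) is the durable fix.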

(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.