Archiving : Could not retrieve the archive catalog


1. Describe your incident:

Hello, we changed our Graylog version from Graylog Open 4.2 to Graylog Enterprise 4.2.1-1-jre11.

When we try to access Enterprise/Archiving we get this error:

Could not retrieve the archive catalog
Fetching archive catalog failed: Hostname not verified: certificate: sha256/K8om+DtaW8ymAuVnUoU7g7lSNY1mpCgI06ybNHqeu1I= DN:,, OU=DSI, O=TRAPIL, L=PARIS, ST=PARIS, C=FR subjectAltNames: []

The HTTPS certificate is added to the Java keystore with the keytool command in the Graylog Docker image and the Elasticsearch Docker image.

2. Describe your environment:

  • OS Information:
Red Hat Enterprise Linux 8.4 (Ootpa)
With docker
  • Package Version:
Mongo : mongo:4.2
Elasticsearch :
Graylog : graylog/graylog-enterprise:4.2.1-1-jre11
  • Service logs, configurations, and environment variables:
Here is the error in the docker-compose logs:

graylog_1        |     certificate: sha256/K8om+DtaW8ymAuVnUoU7g7lSNY1mpCgI06ybNHqeu1I=
graylog_1        |     DN:,, OU=DSI, O=TRAPIL, L=PARIS, ST=PARIS, C=FR
graylog_1        |     subjectAltNames: []
graylog_1        | 2021-11-23 18:35:45,459 WARN : - Unable to call on node <ba97fc3f-97fa-4b52-b3c2-f3bccb5d446c>: Hostname not verified:

3. What steps have you already taken to try and solve the problem?

I tried to add the full certificate chain to the Java keystore but the error is still there:

 keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_graylog_jdk_security/_data/cacerts -storepass changeit -alias -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_graylog_jdk_security/_data/cacerts -storepass changeit -alias trapil-root-ca -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/trapil-root-ca.pem

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_es_jdk_security/_data/cacerts -storepass changeit -alias -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_es_jdk_security/_data/cacerts -storepass changeit -alias trapil-root-ca -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/trapil-root-ca.pem

4. How can the community help?

Please help me to fix this error.


I’m assuming this is a self-signed certificate?
This is a direct result of how your certificate/s were made.

subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
IP.1 =
DNS.1 =

Having the IP address w/ the FQDN under subjectAltName is suggested.

You can find more information here.

EDIT: Some more suggestions: make sure your certificate/keystore are readable by Graylog. Make sure your DNS server has a PTR for your Graylog server (i.e. reverse lookup). There have been occasions where the /etc/hosts file has to be configured.

Example:   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Hope that helps
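To make the `subjectAltNames: []` error above concrete, here is a simplified model of SAN-only hostname verification, added as an example and not part of the original posts or of Graylog's code. The host name and addresses are constructed; the point is that an empty SAN list can never verify, and that a DNS entry keeps working when a container's IP changes.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Conservative rule: no wildcard directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hostname_verified(target, sans):
    """SAN-only check: an IP target needs an IP entry, a name needs a DNS entry.

    The subject DN (including any CN) is deliberately never consulted.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

# Constructed SAN lists; the name and addresses are made up for illustration.
CERT_NO_SAN = []  # same shape as the failing certificate: subjectAltNames: []
CERT_DNS_ONLY = [("DNS", "graylog.example.internal")]
CERT_DNS_AND_IP = [("DNS", "graylog.example.internal"), ("IP", "172.18.0.5")]

def report():
    """Verification result for every (certificate, connection target) pair."""
    targets = ["graylog.example.internal", "172.18.0.5", "172.18.0.9"]
    certs = {"no_san": CERT_NO_SAN, "dns_only": CERT_DNS_ONLY,
             "dns_and_ip": CERT_DNS_AND_IP}
    return {(name, t): hostname_verified(t, sans)
            for name, sans in certs.items() for t in targets}

if __name__ == "__main__":
    for (cert, target), ok in report().items():
        print(f"{cert:11} {target:26} {'verified' if ok else 'Hostname not verified'}")
```
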

Hello gsmith and thank you for your response,

The certificate is from our internal Microsoft PKI.

The problem is that I use docker so the container IP address can change when I restart it.

Is there a way to tell Graylog to use the DNS name (instead of the IP address)?


If your environment has a DNS server you should be good and just point your network file to it. If your IP address changes you need to make a static IP address to prevent this. I’m sorry, I don’t use Docker that much so I’m unsure. Below is an example of my network file eth0 on CentOS; Ubuntu is a little bit different when creating a static IP.

To check for your DNS server/s.

root # cat /etc/resolv.conf

Network File Location.

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Edit file Example.

BOOTPROTO="static"  # disable DHCP here
IPADDR=""           # static IP address
DNS1=""             # my first DNS server
DNS2=""             # my second DNS server

I personally use the service DIG to run a query on my host. This is just a troubleshooting tip.
On CentOS the install is sudo yum install bind-utils but there are others like nslookup, host, etc…

Example below: my DNS has my FQDN with the IP address that matches.

[root@graylog ~]# dig

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4000
;       IN      A

;; ANSWER SECTION: 3600   IN      A

;; Query time: 1 msec
;; WHEN: Thu Dec 02 17:24:29 CST 2021
;; MSG SIZE  rcvd: 68

[root@graylog ~]#

If I’m not understanding you correctly and you do not have a DNS server then you may need the following configured.

First, make sure your hostname is correct; execute this:

root # hostname

If not the file needs to be configured here

root # /etc/hostname

Second, ensure the configuration for your GL server is in the /etc/hosts file.
Example   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

You may need to restart your network service to pick the new configuration up.

I understand, but if your certificates are not in the correct format for Graylog, then, as I suggested in the above statement, this error will occur. Please have a look at these links.

Hope that helps
