Archiving : Could not retrieve the archive catalog


1. Describe your incident:

Hello, we changed our Graylog version from Graylog Open 4.2 to Graylog Enterprise 4.2.1-1-jre11.

When we try to access Enterprise/Archiving we get this error:

Could not retrieve the archive catalog
Fetching archive catalog failed: Hostname 172.20.0.4 not verified: certificate: sha256/K8om+DtaW8ymAuVnUoU7g7lSNY1mpCgI06ybNHqeu1I= DN: EMAILADDRESS=exploitation_dsi@trapil.com, CN=graylog.si.trapil.intra, OU=DSI, O=TRAPIL, L=PARIS, ST=PARIS, C=FR subjectAltNames: [graylog.si.trapil.intra]

The HTTPS certificate was added to the Java keystore with the keytool command in both the Graylog Docker image and the Elasticsearch Docker image.

2. Describe your environment:

  • OS Information:
Red Hat Enterprise Linux 8.4 (Ootpa)
With docker
  • Package Version:
Mongo : mongo:4.2
Elasticsearch : docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
Graylog : graylog/graylog-enterprise:4.2.1-1-jre11
  • Service logs, configurations, and environment variables:
Here is the error in the docker-compose logs:

graylog_1        |     certificate: sha256/K8om+DtaW8ymAuVnUoU7g7lSNY1mpCgI06ybNHqeu1I=
graylog_1        |     DN: EMAILADDRESS=exploitation_dsi@trapil.com, CN=graylog.si.trapil.intra, OU=DSI, O=TRAPIL, L=PARIS, ST=PARIS, C=FR
graylog_1        |     subjectAltNames: [graylog.si.trapil.intra]
graylog_1        | 2021-11-23 18:35:45,459 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://172.20.0.4:9000/api/system/metrics/multiple on node <ba97fc3f-97fa-4b52-b3c2-f3bccb5d446c>: Hostname 172.20.0.4 not verified:

3. What steps have you already taken to try and solve the problem?

I tried to add the full certificate chain to the Java keystore but the error is still there:

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_graylog_jdk_security/_data/cacerts -storepass changeit -alias graylog.si.trapil.intra -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/graylog.si.trapil.intra.pem

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_graylog_jdk_security/_data/cacerts -storepass changeit -alias trapil-root-ca -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/trapil-root-ca.pem

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_es_jdk_security/_data/cacerts -storepass changeit -alias graylog.si.trapil.intra -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/graylog.si.trapil.intra.pem

keytool -importcert -keystore /DATA/APP/docker/volumes/graylog_es_jdk_security/_data/cacerts -storepass changeit -alias trapil-root-ca -file /DATA/APP/docker/volumes/graylog_graylog_config/_data/trapil-root-ca.pem

4. How can the community help?

Please help me to fix this error.

Hello,

I’m assuming this is a self-signed certificate?
This is a direct result of how your certificate(s) were made.
Example:

subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 172.20.0.4
DNS.1 = graylog.si.trapil.intra

Having the IP address together with the FQDN under subjectAltName is suggested.

You can find more information here.

https://docs.graylog.org/v1/docs/https

EDIT: Some more suggestions: make sure your certificate/keystore are readable by Graylog. Make sure your DNS server has a PTR record for your Graylog server (i.e. reverse lookup). There have been occasions where the /etc/hosts file has to be configured.

Example:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.0.4  graylog.si.trapil.intra

Hope that helps
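An added example (not from this thread and not Graylog's own code) of the hostname check behind the error above, in Python: the requested host is compared against the certificate's subjectAltName entries, and an IP literal such as 172.20.0.4 only ever matches an IP-type SAN, which is why the DNS-only certificate from the post fails for the node's IP and the suggested IP.1 entry fixes it. The certificate dicts are constructed from the DN and SAN quoted in the error message, in the shape Python's ssl.getpeercert() returns.

```python
"""Hostname verification as Java/OkHttp applies it when Graylog proxies a
request to https://172.20.0.4:9000. Added example, not Graylog code."""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, and a wildcard is
    only allowed as the whole leftmost label (never matching across dots)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is covered by the SANs.
    Once SANs are present the CN is ignored, and an IP literal matches
    only an 'IP Address' SAN: the rule behind "Hostname 172.20.0.4 not verified"."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in sans)


# Constructed from the DN/SAN in the error message: a DNS SAN only.
CERT_AS_POSTED = {
    "subject": ((("commonName", "graylog.si.trapil.intra"),),),
    "subjectAltName": (("DNS", "graylog.si.trapil.intra"),),
}
# The same certificate re-issued with the IP.1 = 172.20.0.4 entry.
CERT_WITH_IP_SAN = {
    "subject": CERT_AS_POSTED["subject"],
    "subjectAltName": (("DNS", "graylog.si.trapil.intra"),
                       ("IP Address", "172.20.0.4")),
}

if __name__ == "__main__":
    for name, cert in (("as posted", CERT_AS_POSTED), ("with IP SAN", CERT_WITH_IP_SAN)):
        for host in ("172.20.0.4", "graylog.si.trapil.intra"):
            ok = verify_hostname(cert, host)
            print(f"{name:12} {host:25} -> {'verified' if ok else 'NOT verified'}")
```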

Hello,

If your environment has a DNS server you should be good and can just point your network file to it. If your IP address changes you need to set a static IP address to prevent this. I’m sorry, I don’t use Docker that much so I’m unsure. Below is an example of my network file for eth0 on CentOS; Ubuntu is a little bit different when creating a static IP.

To check for your DNS server(s):

root # cat /etc/resolv.conf

Network file location:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Edit file example:

TYPE="Ethernet"
BOOTPROTO="static"  <-- disable DHCP here.
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="eth0"
UUID="97f70d46-db73-4932-8e7a-57f55007353a"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="10.10.10.109" <-- Static IP address
PREFIX="24"
GATEWAY="10.10.10.1"
DNS1="10.10.10.15" <--- My First DNS server
DNS2="10.10.10.16" <-- My Second DNS server
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_PRIVACY="no"

I personally use the service DIG to run a query on my host. This is just a troubleshooting tip.
On CentOS the install is sudo yum install bind-utils but there are others like nslookup, host, etc…

In the example below my DNS has my FQDN with the IP address that matches.

[root@graylog ~]# dig graylog.domain.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> graylog.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;graylog.doamin.com.       IN      A

;; ANSWER SECTION:
graylog.doamin.com. 3600   IN      A       10.10.10.102

;; Query time: 1 msec
;; SERVER: 10.10.10.15#53(10.200.2.16)
;; WHEN: Thu Dec 02 17:24:29 CST 2021
;; MSG SIZE  rcvd: 68

[root@graylog ~]#

If I’m not understanding you correctly and you do not have a DNS server then you may need the following configured.

First, make sure your hostname is correct; execute this:

root # hostname

If not, the file needs to be configured here:

root # /etc/hostname

Second, ensure the configuration for your GL server is in the /etc/hosts file.
Example:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.0.4  graylog.si.trapil.intra

You may need to restart your network service to pick the new configuration up.

I understand, but if your certificates are not in the correct format for Graylog then, as I suggested in the statement above, this error will occur. Please have a look at these links.

https://docs.graylog.org/v1/docs/sec-adcs-certificates

https://docs.graylog.org/v1/docs/https

Hope that helps