Authentication on the Datanode HTTPS

I’m trying to set up a standalone instance and to avoid the pre-flight checks.

I’ve successfully provisioned a certificate for my Datanode and it’s starting correctly. It listens on 127.0.0.1:9200.

In the server.conf (on the same machine), how can I make graylog-server authenticate on this port using a certificate?

The only line in the config where you specify the datanode URI is elasticsearch_hosts, but the authentication is not with creds, it’s with a certificate (similar to when the pre-flight config is done).

How can I specify the keystore where the cert is ?

I drilled down to this issue when trying to curl into port 9200:

```
sudo curl "https://127.0.0.1:9200/_cluster/health?pretty" -k
Authentication finally failed
```

And in graylog-server.log, I’m getting this error:

```
2025-03-27T14:25:28.270+01:00 ERROR [VersionProbe] Unable to retrieve version from indexer node 127.0.0.1:9200: unknown error - an exception occurred while deserializing error response: {}
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
 at [Source: (okio.Buffer$inputStream$1); line: 1, column: 16]
```

So graylog-server connects to the datanode on “https://127.0.0.1:9200” (without any certs, because it doesn’t know that it has to use certs) and the datanode returns “Authentication finally failed”.

Hence my reasoning.

Why are you trying to use datanode with the preflight setup?

I want to have an unattended installation of a standalone graylog instance (via Ansible), that’s ready to be used.

Hello @3isenHeiM,

Are you using the selfsigned_startup=true within your server.conf?

I tried with and without, without any luck :confused:

Just to confirm, you are using Graylog 6.1 and the elasticsearch_hosts option is commented out within server.conf?

I’m using 6.2, and elasticsearch_hosts is set to https://127.0.0.1:9200, since I configured certificates for this.

Out of interest, why not use the certificate creation process during pre-flight Data Node setup? You can use your own CA if there is a requirement to use internal PKI.

selfsigned_startup=true should be used to automatically create self-signed certs on startup.

Having elastic hosts set is messing you up, I think; it should be commented out. You should use the self-signed config option, and then it will “launch” preflight but do it itself and just set it up. Manually configuring it with datanode is not something it was built to support.

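The advice above boils down to two settings in server.conf: no active `elasticsearch_hosts` line and `selfsigned_startup = true`. Because the original poster wants an unattended Ansible rollout, here is an added example (my own, not from the thread or the Graylog project) that lints a server.conf for exactly that pair of settings before graylog-server is started, and classifies the body returned on port 9200 the way Graylog’s VersionProbe effectively does (JSON expected; a plain-text body such as “Authentication finally failed” is what produced the JsonParseException in the log). The two sample configs are constructed to mirror the failing and the working state from the thread; the `probe_datanode` helper, its `--cacert` argument and all file paths are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the Graylog project): a pre-deployment
# lint for the server.conf settings discussed above, plus a classifier for the
# body a Data Node returns on :9200. Sample configs below are constructed to
# mirror the thread; file paths are temporary.

# check_server_conf FILE
# Returns 0 when the file is consistent with letting Graylog manage the
# Data Node (selfsigned_startup = true, no active elasticsearch_hosts),
# 1 otherwise. Findings are printed one per line.
check_server_conf() {
  conf="$1"
  rc=0
  # An uncommented elasticsearch_hosts line; leading whitespace tolerated.
  hosts=$(grep -E '^[[:space:]]*elasticsearch_hosts[[:space:]]*=' "$conf" || true)
  # Last effective selfsigned_startup value, whitespace stripped.
  selfsigned=$(sed -n -E 's/^[[:space:]]*selfsigned_startup[[:space:]]*=[[:space:]]*([^[:space:]]*).*/\1/p' "$conf" | tail -n 1)
  if [ -n "$hosts" ]; then
    echo "WARN: active setting '$hosts'; comment it out so Graylog can run the Data Node setup itself"
    rc=1
  fi
  if [ "$selfsigned" != "true" ]; then
    echo "WARN: selfsigned_startup is '${selfsigned:-unset}', expected 'true'"
    rc=1
  fi
  return $rc
}

# classify_body BODY
# Graylog's VersionProbe expects JSON from the indexer. Prints "json" (rc 0),
# "empty" (rc 1) or "plaintext" (rc 2); the thread's
# "Authentication finally failed" is the plaintext case.
classify_body() {
  body=$(printf '%s' "$1" | sed -E 's/^[[:space:]]+//')
  case "$body" in
    '{'*|'['*) echo json; return 0 ;;
    '')        echo empty; return 1 ;;
    *)         echo plaintext; return 2 ;;
  esac
}

# probe_datanode URL [CA_FILE]   (hypothetical helper, not run by the demo)
# Verifies the TLS chain against CA_FILE when given (preferable to -k, which
# skips verification entirely) and classifies the response body.
probe_datanode() {
  url="$1"; ca="$2"
  if [ -n "$ca" ]; then
    body=$(curl -s --cacert "$ca" "$url/_cluster/health") || return 1
  else
    body=$(curl -sk "$url/_cluster/health") || return 1
  fi
  classify_body "$body"
}

# Constructed sample: elasticsearch_hosts still active (the failing state).
write_bad_conf() {
  cat > "$1" <<'EOF'
is_leader = true
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = https://127.0.0.1:9200
selfsigned_startup = true
EOF
}

# Constructed sample: elasticsearch_hosts commented out (the working state).
write_good_conf() {
  cat > "$1" <<'EOF'
is_leader = true
http_bind_address = 0.0.0.0:9000
#elasticsearch_hosts = https://127.0.0.1:9200
selfsigned_startup = true
EOF
}

demo_bad=$(mktemp); demo_good=$(mktemp)
write_bad_conf "$demo_bad"; write_good_conf "$demo_good"
echo "== failing config =="; check_server_conf "$demo_bad" || echo "(fix needed)"
echo "== working config =="; check_server_conf "$demo_good" && echo "OK"
echo "== body classification =="; classify_body 'Authentication finally failed' || true
rm -f "$demo_bad" "$demo_good"
```

In an Ansible play this is the kind of check to run as a `command` task before the `systemd` task that starts graylog-server: a non-zero exit from `check_server_conf` fails the play early with a readable reason instead of the deserialization error in graylog-server.log.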

Yes, it solved the problem. I can now directly log in to the Graylog web interface.

For future reference, here is my server.conf

```
# server.conf
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = <REDACTED>
root_password_sha2 = <REDACTED>
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 0.0.0.0:9000
stream_aware_field_types = false
disabled_retention_strategies = none,close
allow_leading_wildcard_searches = false
allow_highlighting = false
field_value_suggestion_mode = on
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
integrations_scripts_dir = /usr/share/graylog-server/scripts
selfsigned_startup = true
```

And the datanode.conf

```
# datanode.conf
node_id_file = /etc/graylog/datanode/node-id
config_location = /etc/graylog/datanode
password_secret = <REDACTED>
root_password_sha2 = <REDACTED>
mongodb_uri = mongodb://localhost/graylog
hostname = graylog.backend
node_name = graylog.backend
opensearch_location = /usr/share/graylog-datanode/dist
opensearch_config_location = /var/lib/graylog-datanode/opensearch/config
opensearch_data_location = /var/lib/graylog-datanode/opensearch/data
opensearch_logs_location = /var/log/graylog-datanode/opensearch
```

Many thanks!
