I’m trying to set up a standalone instance, and to avoid the pre-flight checks.
I’ve successfully provisioned a certificate for my Datanode and it’s starting correctly. It listens on 127.0.0.1:9200.
In the server.conf (on the same machine), how can I make the graylog-server authenticate on this port using a certificate?
The only line in the config where you specify the datanode URI is elasticsearch_hosts, but the authentication is not with creds, it’s with a certificate (similar to when the pre-flight config is done).
How can I specify the keystore where the cert is?
I drilled down into this issue when trying to curl into the 9200:
And in graylog-server.log, I’m getting this error:
2025-03-27T14:25:28.270+01:00 ERROR [VersionProbe] Unable to retrieve version from indexer node 127.0.0.1:9200: unknown error - an exception occurred while deserializing error response: {}
com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'Authentication': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: (okio.Buffer$inputStream$1); line: 1, column: 16]
So the graylog-server connects to the datanode on “https://127.0.0.1:9200” (without any certs because it doesn’t know that it has to use certs) and the datanode returns “Authentication finally failed”.
Out of interest, why not use the certificate creation process during pre-flight Data Node setup? You can use your own CA if there is a requirement to use internal PKI.
selfsigned_startup=true should be used to automatically create self signed certs on startup.
Having elastic hosts set is messing you up, I think; it should be commented out. You should use the self-signed config option, and then it will “launch” preflight but do it itself and just set it up. Manually configuring it with datanode is not something it was built to support.