Certs error after upgrading to 5.0.2

Dear Graylog community,

This morning, I upgraded my Graylog server from 4.3.11 to 5.0.2. The upgrade went well, but now I can’t start my inputs and access logs from the web interface. Everytime, I have this error message :

FetchError: There was an error fetching a resource: Internal Server Error. Additional information: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Check your Graylog logs for more information.

This seems to occur when Graylog can’t find proper certificates but it was running well before the upgrade and all my certs are still there, even in the JVM’s cacert file. I have no idea what’s happening there :sweat_smile:

My OS is Debian 11 with latest upgrades and elasticsearch is 7.10.2 as recommended.

Does anyone have encoutered this issue or have an idea of what’s happening ?

Thanks in advance for your answers,

G.M.

Hey,

Were you using java defult keystore by chance? If so I think Opensearch ships with JAVA 17.
If the java version change double check the keystore., just a thought

1 Like

Hi @gsmith, thank you for your fast answer.
I don’t use opensearch for now, but I was using the keystore in /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts. I have both CA and Server certificates in it, so I think it’s good but it seems that Graylog does not recognize the keystore…

So, just tried this trick and it worked…

Adding this line to the JVM parameters in the file /etc/default/graylog-server, specifying my path to the certs store.
I don’t really understand why Graylog is NOT using the default java 17 keystore out of the box, but it’s definitely something to dig…

Browsing 4+ years old topics is definitely not my favourite part but it worked this time ! :smiley:
Maybe adding this to the install docs might be a good idea ?

2 Likes