I have 2 servers, one for Graylog and another for my application. I have Let's Encrypt certificates for both of them. I am using GELF TCP with TLS for the connection, but I am getting the below error in Graylog.
2019-06-14T02:19:21.380Z ERROR [AbstractTcpTransport] Error in Input [GELF TCP/5cfe59f41db840381ec37337] (channel [id: 0xde6714f7, L:/<graylog internal IP>:12201 ! R:/<Application server public IP>:53740]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA)
For Graylog, an nginx proxy is used and the SSL certificates are deployed via nginx.
The certificate of the client is placed under /etc/graylog/server/trusted_clients/.
I am using the same certificate in the application to connect to Graylog.
You configured your Graylog so that a sender needs to authenticate to send messages to Graylog, so you need to configure your sender to authenticate when it establishes a connection using a certificate … As graypy is just a lib, did you implement authentication with a certificate in your application?
We are configuring client auth with the correct cert file of the client in Graylog.
I think graypy will initiate communication with the cert and fullchain file and Graylog will verify that the provided cert is valid. If yes, then it will allow the data to flow.
I think graypy will initiate communication with the cert and fullchain file and Graylog will verify that the provided cert is valid. If yes, then it will allow the data to flow.
Wrong.
The Graylog input is configured to accept only TLS connections, so your sender needs to be able to make use of a TLS connection. Graylog and the sender need to be able to verify the certificate to accept the connection.
You enabled authentication. That means: the sender needs to authenticate itself with a client certificate that Graylog can verify before the messages from that sender are accepted.
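What the sender side of that setup looks like in plain Python, as an added example that is not part of this thread and not graypy's own code: the client verifies the certificate the GELF input presents (against the system trust store, which contains the Let's Encrypt roots) and at the same time loads its own certificate and key so it can answer the input's client-certificate request. The host name, port and file paths are hypothetical placeholders; substitute the sender's own files. Note that the error string in the first post is BoringSSL's rendering of an alert received from the peer, so in that log line it is the sender that rejected the certificate presented on port 12201, which is the input's tls_cert_file rather than the certificate nginx serves for the web UI.

```python
import json
import socket
import ssl
import time

# Hypothetical file locations and names: substitute the sender's own
# Let's Encrypt files and the Graylog host name that appears in the
# input's tls_cert_file.
CLIENT_CERT = "/etc/letsencrypt/live/app.example.com/fullchain.pem"
CLIENT_KEY = "/etc/letsencrypt/live/app.example.com/privkey.pem"
GRAYLOG_HOST = "graylog.example.com"
GRAYLOG_PORT = 12201


def build_gelf_frame(short_message, host, level=6, **extra):
    """Encode one GELF 1.1 message as a NUL-terminated GELF TCP frame."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,
    }
    for key, value in extra.items():
        msg["_" + key] = value  # additional fields carry a leading underscore
    # GELF TCP has no length prefix: frames are delimited by a NUL byte,
    # so the JSON body itself must not contain one.
    body = json.dumps(msg).encode("utf-8")
    if b"\x00" in body:
        raise ValueError("GELF TCP payload must not contain NUL bytes")
    return body + b"\x00"


def decode_gelf_frame(frame):
    """Inverse of build_gelf_frame, used to check what goes on the wire."""
    if not frame.endswith(b"\x00"):
        raise ValueError("frame is not NUL-terminated")
    return json.loads(frame[:-1].decode("utf-8"))


def verifying_context(ca_file=None):
    """Client-side context that verifies the input's certificate and host name.

    ca_file=None uses the system trust store (which has the Let's Encrypt
    roots); pass a CA bundle path if the Graylog input uses a private CA.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restating them makes a
    # later downgrade to CERT_NONE visible in review.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_verifies_server(ctx):
    """True when the context will reject an untrusted or misnamed server cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def with_client_identity(ctx, cert_file, key_file):
    """Attach the certificate the input's client-auth setting will ask for."""
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send_gelf(frame, host=GRAYLOG_HOST, port=GRAYLOG_PORT, ctx=None):
    """Open a TLS connection, present the client cert, send one frame.

    Returns the subject of the certificate the input actually presented,
    so the sender can log which certificate is live on port 12201.
    """
    if ctx is None:
        ctx = with_client_identity(verifying_context(), CLIENT_CERT, CLIENT_KEY)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    # Needs a reachable Graylog GELF TCP input with TLS enabled.
    frame = build_gelf_frame("tls client-auth test", host="app.example.com", app="demo")
    print(send_gelf(frame))
```

To see the handshake from the sender's side without the application in the way, `openssl s_client -connect graylog.example.com:12201 -cert fullchain.pem -key privkey.pem` prints the certificate chain the input presents, the verify result, and, when client authentication is enabled, the "Acceptable client certificate CA names" the input will accept; a client certificate whose issuer is not in that list, or a server certificate that does not verify, is what produces an unknown_ca alert.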
@jan I have provided tls_client_auth_cert_file in the settings of the GELF TCP input. I cannot put that in server.conf because there are a few connections which are using UDP.
And I am using the same certificate to connect from the sender to the Graylog server. If it was a cert issue, it would show up in server.log.
In an ideal setup of Graylog, how does one set up a secure connection between the sender and the Graylog server?
I thought it was done by enabling TLS on the input with client auth cert set to required,
and sending the same certificate from the sender while initiating the connection.