Configuration HTTPS


#1

Hello,
I’m a new user of Graylog and I am trying to put HTTPS in place, but it is not successful.
I am not comfortable with HTTPS certificates.
I use a single node.
I did this in the file openssl-graylog.cnf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = t
L = t
O = i
OU = myn
CN = graylog

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 =  my_ip_graylog_machine
#DNS.1 = graylog.example.com (I commented out this line because I will not use DNS resolution)

After that I do this:

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

After these commands I got: cert.pem pkcs5-plain.pem pkcs8-encrypted.pem pkcs8-plain.pem

and in the file /etc/graylog/server.conf I do this:

web_listen_uri = https://my_ip_graylog_machine:9000/
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certfiles/cert.pem
web_tls_key_file = /etc/graylog/server/certfiles/pkcs8-plain.pem
web_tls_key_password = secret

rest_transport_uri = https://my_ip_graylog_machine:9000/api/
rest_listen_uri = https://my_ip_graylog_machine:9000/api/
rest_tls_cert_file = /etc/graylog/server/certfiles/cert.pem
rest_tls_key_file = /etc/graylog/server/certfiles/pkcs8-plain.pem
rest_tls_key_password = secret

This is all I did.

Thanks in advance.
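An added example (not the poster's commands and not Graylog's own tooling) that packages the certificate procedure above into a script and, importantly, checks the result before it is handed to Graylog: the SAN must carry the IP the browser will type, and the key file must be paired with the right `web_tls_key_password` setting (an unencrypted PKCS#8 key needs none; the encrypted one needs the pass phrase given to `-passout`). It assumes `openssl` is on the PATH; the IP, output directory and pass phrase are parameters.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a self-signed certificate whose
# subjectAltName lists the Graylog node's IP, converts the key to PKCS#8 in both
# plain and encrypted form, and offers two checks a practitioner should run
# before editing server.conf. Assumes openssl is installed.
set -eu

# make_graylog_cert IP OUTDIR [PASSPHRASE]
#   writes cert.pem, pkcs5-plain.pem, pkcs8-plain.pem, pkcs8-encrypted.pem
make_graylog_cert() {
    ip="$1"; out="$2"; pass="${3:-secret}"
    mkdir -p "$out"
    # Same structure as the openssl-graylog.cnf in the thread; DN values are placeholders.
    cat > "$out/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = example-org
CN = graylog

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = $ip
EOF
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$out/openssl-graylog.cnf" \
        -keyout "$out/pkcs5-plain.pem" -out "$out/cert.pem" >/dev/null 2>&1
    # Unencrypted PKCS#8: use with NO web_tls_key_password / rest_tls_key_password
    openssl pkcs8 -in "$out/pkcs5-plain.pem" -topk8 -nocrypt -out "$out/pkcs8-plain.pem"
    # Encrypted PKCS#8: use WITH web_tls_key_password = $pass
    openssl pkcs8 -in "$out/pkcs5-plain.pem" -topk8 -out "$out/pkcs8-encrypted.pem" \
        -passout "pass:$pass"
}

# cert_has_ip CERT IP -> exit 0 if the certificate's SAN lists IP, 1 otherwise.
# The browser matches the URL host against the SAN, not against the CN.
cert_has_ip() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots for the regex
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "IP Address:$esc(,|\$)"
}

# key_is_encrypted KEYFILE -> exit 0 if a pass phrase is required, 1 otherwise
key_is_encrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Usage (run by hand; the functions above are what the checks exercise):
#   make_graylog_cert 192.168.1.1 /etc/graylog/server/certfiles secret
#   cert_has_ip /etc/graylog/server/certfiles/cert.pem 192.168.1.1 && echo "SAN ok"
#   key_is_encrypted /etc/graylog/server/certfiles/pkcs8-plain.pem || echo "no key password needed"
```

If `cert_has_ip` fails for the address you put in the browser, the "certificate might not match your requested hostname" diagnosis later in this thread applies, whatever the CN says.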


(Jochen) #2

Please elaborate on what doesn’t work and include all necessary information, such as error messages and the complete output of the commands you’ve been executing.


#4

Hello
I can't access https://my_ip_graylog_machine:9000/ ; my web browser tells me this:

" Sorry, we can not reach this page
Error Code : INET_E_RESOURCE_NOT_FOUND "

I don’t know where I can get a better error message.
I have tested https://my_ip_graylog_machine and this works.

Output of the commands executed


(Jochen) #5

What is “my_ip_graylog_machine” specifically?


#6

It’s the server IP (192.168.1.1).


#7

I got this error message now:
We can not safely access this page
This site uses outdated or insecure TLS security settings. If the problem persists, try contacting the owner.


(Jan Doberstein) #8

Your certificate might not match your requested hostname.


#9

When you say hostname, do you mean what I put in the URL? (I try to access it by the IP, 192.168.1.1:9000.)


(Jan Doberstein) #10

In terms of the HTTP protocol you request a hostname (that might be an IP or a name); the name used needs to be part of the certificate the web server provides, so that the browser can verify it.
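The matching rule described in this reply, as an added example (not from the thread or from Graylog): a browser takes the host part of the URL, decides whether it is an IP literal or a DNS name, and looks for it in the certificate's subjectAltName entries of the matching type; the CN is not consulted. The certificate dicts below are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are my own.

```python
import ipaddress

# Constructed certificates in getpeercert() shape (not real certificates).
# CERT_IP_ONLY mirrors the thread's cnf: CN=graylog, SAN carries only an IP.
CERT_IP_ONLY = {
    "subject": ((("commonName", "graylog"),),),
    "subjectAltName": (("IP Address", "192.168.1.1"),),
}
CERT_DNS_AND_IP = {
    "subject": ((("commonName", "graylog"),),),
    "subjectAltName": (("DNS", "graylog.example.com"), ("IP Address", "192.168.1.1")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "wildcard"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, and a wildcard may only
    replace the whole left-most label (never spanning a dot)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]            # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]    # the part the wildcard must cover
    return bool(label) and "." not in label


def host_matches_cert(cert: dict, requested_host: str) -> bool:
    """True if the host typed in the URL (IP literal or DNS name, no port)
    is covered by the certificate's subjectAltName."""
    host = requested_host.strip("[]")   # allow bracketed IPv6 literals
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                        # a DNS name, not an address
    for san_type, san_value in cert.get("subjectAltName", ()):
        if ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(san_value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and san_type == "DNS" and _dns_matches(san_value, host):
            return True
    return False


def explain(cert: dict, requested_host: str) -> str:
    """One-line diagnosis in the spirit of the reply above."""
    if host_matches_cert(cert, requested_host):
        return f"{requested_host} is listed in the certificate's SAN: hostname check passes"
    sans = ", ".join(f"{t}:{v}" for t, v in cert.get("subjectAltName", ()))
    return (f"{requested_host} is not in the SAN ({sans or 'none'}); the CN is ignored "
            f"for hostname verification, so the browser will refuse this certificate")


if __name__ == "__main__":
    print(explain(CERT_IP_ONLY, "192.168.1.1"))
    print(explain(CERT_IP_ONLY, "graylog"))
```

To run the same check against a live Graylog node, `getpeercert()` only fills in the dict once the chain validates, so for a self-signed certificate load `cert.pem` with `context.load_verify_locations()` first; the port is irrelevant to the match, which is why the same certificate behaves identically on 443 and 9000.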


#11

Ok, but I do not understand why, when I test with the IP without the Graylog port 9000, HTTPS works.
Request (https://192.168.1.1)
Result:

And for the request (https://192.168.1.1:9000)

Result:
We can not safely access this page
This site uses outdated or insecure TLS security settings. If the problem persists, try contacting the owner.


(Jan Doberstein) #12

I think on port 443 you have some kind of web server running (nginx or apache) and on port 9000 you have graylog handling the web traffic itself.

You might need to adjust the ciphers for your environment ( http://docs.graylog.org/en/2.4/pages/securing.html#configuring-tls-ciphers )


#13

HTTPS now works on 192.168.1.1:9000, but I see the default httpd page.
Maybe I need to set a DocumentRoot option, but with what path?


(Jan Doberstein) #14

If you see the default document root, you need to configure your web server in the right way:

http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#nginx


#15

I'm using Apache HTTP.
My config currently is:

ssl.conf:

Listen 9000 https
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost *:443>

ServerName 192.168.1.1
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

SSLCertificateFile /etc/certfiles/graylog.cert.pem
SSLCertificateKeyFile /etc/certfiles/graylog.pkcs8-plain.key.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost *:9000>

    ServerName 192.168.1.1
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol             all -SSLv3
    SSLCipherSuite        HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA    
    SSLHonorCipherOrder     on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/certfiles/graylog.cert.pem
    SSLCertificateKeyFile /etc/certfiles/graylog.pkcs8-plain.key.pem


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
#    <Proxy *>
#        Order deny,allow
#        Allow from all
#    </Proxy>
#
#    <Location />
#        RequestHeader set X-Graylog-Server-URL "https://192.168.1.1/api/"
#        ProxyPass http:///192.168.1.1:9000/
#        ProxyPassReverse http://192.168.1.1:9000/
#    </Location>
(I have commented out these lines because I'm not sure I need them)
</VirtualHost>

And Server.conf :


web_listen_uri = https://192.168.1.1:9000/api/
web_endpoint_uri = https://192.168.1.1:9000/api/
web_enable_tls = true
web_tls_cert_file = /etc/certfiles/graylog.cert.pem
web_tls_key_file = /etc/certfiles/graylog.pkcs8-plain.key.pem
web_tls_key_password = secret 

rest_listen_uri = https://192.168.1.1:9000/api/
rest_transport_uri = https://192.168.1.1:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/certfiles/graylog.cert.pem
rest_tls_key_file = /etc/certfiles/graylog.pkcs8-plain.key.pem
rest_tls_key_password = secret

It doesn’t work, but I don’t see what is wrong. :worried:


(Jan Doberstein) #16

Please read: http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#making-the-web-interface-work-with-load-balancers-proxies

adjust it to your environment and use the configuration example provided ( http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#apache-httpd-2-x ) - currently you have Apache AND Graylog listening on port 9000 - which isn’t possible in a common linux setup (on the same interface/ip).
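One way to resolve the port clash this reply points out, as an added example (my own configuration, not the thread's and not the Graylog docs' example): Apache alone owns the TLS listener on 443 and proxies to Graylog, which listens on plain HTTP on the loopback interface only, so nothing else binds port 9000 on the external address. The IP and certificate paths are the ones from the thread; the loopback address, the `ProxyPreserveHost` setting and the cipher string are assumptions.

```apache
# Added example, not from the thread or the Graylog documentation.
# Apache terminates TLS on 443; Graylog itself is reached only on 127.0.0.1:9000.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
# Remove any "Listen 9000" and the <VirtualHost *:9000> block from ssl.conf.
Listen 443 https

<VirtualHost *:443>
    ServerName 192.168.1.1
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA
    SSLHonorCipherOrder on
    # Certificate whose SAN lists 192.168.1.1 (the address the browser types)
    SSLCertificateFile /etc/certfiles/graylog.cert.pem
    SSLCertificateKeyFile /etc/certfiles/graylog.pkcs8-plain.key.pem

    # Reverse proxy to the Graylog web interface and REST API
    ProxyRequests Off
    ProxyPreserveHost On
    <Location />
        # The web interface running in the browser calls the API at this URL,
        # so it must be the public (proxied) address, not the loopback one
        RequestHeader set X-Graylog-Server-URL "https://192.168.1.1/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
</VirtualHost>
```

The matching Graylog side (also assumed, Graylog 2.4 key names as used in this thread) is `web_listen_uri = http://127.0.0.1:9000/`, `rest_listen_uri = http://127.0.0.1:9000/api/`, `web_endpoint_uri = https://192.168.1.1/api/`, with `web_enable_tls` and `rest_enable_tls` left at false and no `*_tls_*` settings, because TLS is terminated by Apache; binding to 127.0.0.1 is what keeps the unencrypted hop from ever leaving the host.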


#17

I read that and I tried, but it does not work. I am leaving HTTPS aside for the moment.
For Graylog, httpd is useless; I can remove this package, no?


(Jochen) #18

If you don’t want to use Apache httpd as a reverse proxy for Graylog, it’s not required and you could remove it from your machine.


(system) #19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.