Configuration HTTPS

Corentin · April 5, 2018, 9:22am

Hello,
I’m new user on graylog and i try to put the HTTPS in place but is not successful.
I am not comfortable with https certificates
I use a single nœd
I did this on file openssl-graylog.cnf :

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = FR
ST = t
L = t
O = i
OU = myn
CN = graylog

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
.
[alt_names]
IP.1 =  my_ip_graylog_machine
#DNS.1 = graylog.example.com (I comment this line because I will not use DNS resolution)

after that i do this:

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

after this commande i got : cert.pem pkcs5-plain.pem pkcs8-encrypted.pem pkcs8-plain.pem

and on the file /etc/graylog/server.conf i do this :

web_listen_uri = https://my_ipgraylog_machine:9000/
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certfiles/cert.pem
web_tls_key_file = /etc/graylog/server/certfiles/pcks8-plain.pem
web_tls_key_password = secret

rest_transport_uri = https://my_ipgraylog_machine:9000/api/
rest_listen_uri = https://my_ipgraylog_machine:9000/api/
rest_tls_cert_file = /etc/graylog/server/certfiles/cert.pem
rest_tls_key_file = /etc/graylog/server/certfiles/pcks8-plain.pem
rest_tls_key_password = secret

this is all I did

Thanks in advance.

jochen · April 5, 2018, 9:48am

Please elaborate on what doesn’t work and include all necessary information, such as error messages and the complete output of the commands you’ve been executing.

Corentin · April 5, 2018, 1:00pm

Hello
I cant access https://my_ip_graylog_machine:9000/ , my web browser tell me this:

" Sorry, we can not reach this page
Error Code : INET_E_RESOURCE_NOT_FOUND "

I don’t know where i can get a better error message.
I have test https://my_ip_graylog_machine this work.

Output of the commands executed

graylog_forum_1

jochen · April 5, 2018, 1:23pm

What is “my_ip_graylog_machine” specifically?

Corentin · April 5, 2018, 1:26pm

it’s the server ip (192.168.1.1)

Corentin · April 9, 2018, 9:39am

I got this error message now
We can not safely access this page
This site uses outdated or insecure TLS security settings. If the problem persists, try contacting the owner.

jan · April 9, 2018, 11:43am

your certificate might not match your requested hostname

Corentin · April 9, 2018, 1:11pm

When you said hostname you speak about what I put in the URL link? (i try to access by the ip 192.168.1.1:9000)

jan · April 9, 2018, 1:15pm

in term of http protocol you request a hostname - that might be an ip or a name - that used named need to be part of the certificate the web server provide that the browser can verify that.

Corentin · April 10, 2018, 7:30am

Ok, but I do not understand why when, I test with the ip without the port graylog 9000 the https work.
request (https://192.168.1.1)
Result :

And for the request (https://192.168.1.1:9000)

Result :
We can not safely access this page
This site uses outdated or insecure TLS security settings. If the problem persists, try contacting the owner.

jan · April 10, 2018, 8:53am

I think on port 443 you have some kind of web server running (nginx or apache) and on port 9000 you have graylog handling the web traffic itself.

You might need to adjust the ciphers for your environment ( http://docs.graylog.org/en/2.4/pages/securing.html#configuring-tls-ciphers )

Corentin · April 10, 2018, 9:54am

Https now work on 192.168.1.1:9000 but I see the default httpd page.
Maybe a need to put a DocumentRoot option but put what path

jan · April 10, 2018, 11:01am

if you see the default document root you should need to configure your webserver in the right way:

http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#nginx

Corentin · April 10, 2018, 1:18pm

I using Apache HTTP
My config actualy is

ssl.conf:

Listen 9000 https
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

<VirtualHost *:443>

ServerName 192.168.1.1
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

SSLCertificateFile /etc/certfiles/graylog.cert.pem
SSLCertificateKeyFile /etc/certfiles/graylog.pkcs8-plain.key.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost *:9000>

    ServerName 192.168.1.1
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol             all -SSLv3
    SSLCipherSuite        HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA    
    SSLHonorCipherOrder     on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/certfiles/graylog.cert.pem
    SSLCertificateKeyFile /etc/certfiles/graylog.pkcs8-plain.key.pem


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
#    <Proxy *>
#        Order deny,allow
#        Allow from all
#    </Proxy>
#
#    <Location />
#        RequestHeader set X-Graylog-Server-URL "https://192.168.1.1/api/"
#        ProxyPass http:///192.168.1.1:9000/
#        ProxyPassReverse http://192.168.1.1:9000/
#    </Location>
(I have commented on these lines because I'm not sure to need that)
</VirtualHost>

And Server.conf :


web_listen_uri = https://192.168.1.1:9000/api/
web_endpoint_uri = https://192.168.1.1:9000/api/
web_enable_tls = true
web_tls_cert_file = /etc/certfiles/graylog.cert.pem
web_tls_key_file = /etc/certfiles/graylog.pkcs8-plain.key.pem
web_tls_key_password = secret 

rest_listen_uri = https://192.168.1.1:9000/api/
rest_transport_uri = https://192.168.1.1:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/certfiles/graylog.cert.pem
rest_tls_key_file = /etc/certfiles/graylog.pkcs8-plain.key.pem
rest_tls_key_password = secret

it doesn’t work, but I don’t see what is wrong.

jan · April 10, 2018, 1:42pm

please read: http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#making-the-web-interface-work-with-load-balancers-proxies

adjust it to your environment and use the configuration example provided ( http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html#apache-httpd-2-x ) - currently you have Apache AND Graylog listening on port 9000 - which isn’t possible in a common linux setup (on the same interface/ip).

Corentin · April 12, 2018, 2:18pm

I read that, I tried but it does not work I leave the https aside for the moment.
For graylog httpd is useless i can remove this package no ?

jochen · April 12, 2018, 2:57pm

If you don’t want to use Apache httpd as a reverse proxy for Graylog, it’s not required and you could remove it from your machine.

system · April 26, 2018, 3:07pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
HTTPS GrayLog Issue version 3.3.1 Graylog Central (peer support)	3	350	July 28, 2020
Help please with using HTTPS on clustered Graylog Graylog Central (peer support)	6	4115	April 4, 2019
HTTPS with single node and self signed cert Graylog Central (peer support)	7	1607	February 8, 2018
Having issues enabling HTTPS on 3.2 Graylog Central (peer support)	5	857	March 17, 2020
Graylog 3.2 + https - pkix error Graylog Central (peer support)	6	1345	February 25, 2020

Configuration HTTPS

Related topics