Configuration ssl/tls graylog https

Hello Mister
First, thanks a lot… And then, can I follow the manual in the Graylog web page documents?
I am stuck at "Converting an Existing Java Keystore into a Private Key/Certificate Pair".
Where is the Java keystore?
Is it in /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts?
Sorry to be so stupid, this is my new job and it is the first time in a job that they ask me about these things; before, my jobs were changing TVs, repairing PCs, cables, adapters, etc., but not this… Well, there always has to be a first time… ok, keep going with this.
I started a new configuration and I am stuck at this step, "Converting an Existing Java Keystore into a Private Key/Certificate Pair". I am going to follow the manual, but the manual is confusing to me, so…
I have to do all of this and make it work with a sidecar on a client machine with a Filebeat configuration.
How can I see the configuration of the keys that you tell me about?
These errors are in the frontend (browser), with the configuration of graylog-server done (at the office) and trying to receive logs from a machine with sidecar and Filebeat.
Where can I get a manual with the steps in order, one by one? Oh my god!

thanks best regards.

This is the error at home, the same as at work:


My Filebeat config:
The files cert.pem, pkcs5-plain.pem, pkcs8-encrypted.pem and pkcs8-plain.pem are in /etc/graylog on the server machine, and the same files are in the same directory on the client machine.
Maybe it could be a Java problem.

thanks again.

This error:


With this configuration:

I am doing something wrong with these instructions… please help:
Using HTTPS (graylog.org)

thanks again.

Hello @jgutie45

Just a reminder: commands and configuration may not work for you because everyone's environment is a little different, keep that in mind.

It depends on the system and what Java version you have. First, find the version you're using.

java -version

Then look for “CACERTS”

root # locate cacerts

Results

[root@graylog graylog_user]# java -version
openjdk version "11.0.17" 2022-10-18 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.17.0.8-2.el7_9) (build 11.0.17+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.17.0.8-2.el7_9) (build 11.0.17+8-LTS, mixed mode, sharing)
[root@graylog graylog_user]# locate cacerts
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/java/cacerts
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/cacerts.backup
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.352.b08-2.el7_9.x86_64/jre/lib/security/cacerts
/usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.el7_9.x86_64/lib/security/cacerts
/usr/share/elasticsearch/jdk/lib/security/cacerts
/usr/share/opensearch/jdk/lib/security/cacerts
[root@graylog graylog_user]#

My default key store is located as shown below

/usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.el7_9.x86_64/lib/security/cacerts

Example of the steps needed. I remind you this also depends on your setup; you may want to adjust it to your needs.

1. mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
2. openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
3. openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
4. openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
5. openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key
6. openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt
7. openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new
8. openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key
9. openssl pkcs12 -export -in graylog.crt -inkey graylog.key -out keystore.pfx
10. openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
11. openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
12. openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
13. keytool -import -trustcacerts -file graylog.crt -alias graylog.enseva-labs.net -keystore graylog_keystore.jks -storepass secret
14. keytool -list -v -keystore graylog_keystore.jks -alias graylog.enseva-labs.net
15. keytool -importkeystore -srckeystore graylog_keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
16. openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
17. openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
18. cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks
19. keytool -importcert -keystore graylog.jks -storepass changeit (secret) -alias graylog.domain.com -file cert.pem

OR if you want to use the JAVA default keystore then you would want to use this command,
and again you need to change this for your setup.

keytool -importcert -keystore /usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.el7_9.x86_64/lib/security/cacerts -storepass changeit (secret) -alias graylog.domain.com -file cert.pem

If you're new at creating self-signed certificates and Graylog, then make sure the full paths to your certs are all the same in the configuration.

Example:

Graylog configuration file

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain.com:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
http_tls_key_file = /etc/graylog/graylog-key.pem
http_tls_key_password = secret

Side Note:

In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks.

Notice it says "NEW" keystore; if you're using the default, there is no need for this configuration. You can put in the full path to cacerts for testing/troubleshooting.

NOTE: If you do put a passphrase on the certificates, ensure they are correct.

Next is the INPUT.

Once completed restart graylog service to ensure the certs get picked up.

First, there is no need to send an email to community members for this type of issue; please be patient, we do this for free to help others.

Second, when you are configuring HTTPS and/or TCP/TLS, look at your logs and see what's going on. For example, restart the Graylog service and tail -f /var/log/graylog.log, then watch what's going on; there is probably a clue on what you need to do or google.

Third, there are a lot (i.e., many) posts here about HTTPS and examples. Take a look, it may help; also, showing your work will help us help you. Copy & paste is probably not a good idea here.

Hope that helps
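As an added example (not gsmith's commands and not anything from the Graylog docs), here is the self-signed part of the recipe above as a script that also checks its own result: it writes an openssl-graylog.cnf with the SANs, runs steps 2-4, and then confirms that the PKCS#8 key really belongs to cert.pem and that the SAN carries the host you will later put in http_publish_uri. The host, IP, password and working directory are constructed sample values.

```shell
#!/bin/sh
# Added example, not the thread's or Graylog's own script: build a self-signed
# server certificate with SANs, convert the key to the PKCS#8 form that
# http_tls_key_file expects, and check the pair before pointing server.conf at it.
# Assumes openssl on PATH; HOST, IP and KEYPASS are constructed sample values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-graylog.example.com}"   # host part of http_publish_uri
IP="${IP:-192.168.194.130}"
KEYPASS="${KEYPASS:-secret}"          # becomes http_tls_key_password

# Write the request config; clients match the URI host against the SAN entries.
write_cnf() {
  cat > "$WORKDIR/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
O = Example Org
CN = $HOST
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $IP
DNS.1 = $HOST
EOF
}

# Steps 2-4 of the recipe: self-signed cert plus key, then the plain and encrypted PKCS#8 forms.
make_certs() {
  openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config "$WORKDIR/openssl-graylog.cnf" \
    -keyout "$WORKDIR/pkcs5-plain.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
  openssl pkcs8 -in "$WORKDIR/pkcs5-plain.pem" -topk8 -nocrypt -out "$WORKDIR/pkcs8-plain.pem"
  openssl pkcs8 -in "$WORKDIR/pkcs5-plain.pem" -topk8 -out "$WORKDIR/pkcs8-encrypted.pem" \
    -passout "pass:$KEYPASS"
}

# Succeed only if the encrypted PKCS#8 key belongs to cert.pem and the SAN names HOST;
# either mismatch surfaces later as a browser warning or a failed sidecar handshake.
verify_certs() {
  c=$(openssl x509 -noout -pubkey -in "$WORKDIR/cert.pem" | openssl sha256)
  k=$(openssl pkey -pubout -in "$WORKDIR/pkcs8-encrypted.pem" -passin "pass:$KEYPASS" | openssl sha256)
  [ "$c" = "$k" ] || { echo "key does not match cert.pem" >&2; return 1; }
  openssl x509 -noout -text -in "$WORKDIR/cert.pem" | grep -q "DNS:$HOST" \
    || { echo "subjectAltName lacks $HOST" >&2; return 1; }
}

# Usage: write_cnf && make_certs && verify_certs && ls "$WORKDIR"
```

The three files it leaves in $WORKDIR map onto http_tls_cert_file (cert.pem), http_tls_key_file (pkcs8-encrypted.pem) and http_tls_key_password (KEYPASS) in server.conf.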

Thanks Mr gsmith, and sorry; all of this is about my job, and in jobs everything is due yesterday, you know.

I am going to try all that you send me.

really sorry.

Have a nice day.

Hi again

I did all the configuration and got no error, but graylog-server doesn't start up.
I put this configuration in the file /etc/default/graylog-server, under "# Default Java options for heap and garbage collection":

# Path to the java executable.
JAVA=/usr/bin/java

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/graylog.jks -Djavax.net.ssl.trustStorePassword=changeit"

# Avoid endless loop with some TLSv1.3 implementations.
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"

# Fix for log4j CVE-2021-44228
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

# Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
GRAYLOG_SERVER_ARGS=""

# Program that will be used to wrap the graylog-server command. Useful to
# support programs like authbind.
GRAYLOG_COMMAND_WRAPPER=""
Sorry to ask again and again.
In server.conf I put:
http_enable_tls = true
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
http_tls_key_file = /etc/graylog/graylog-key.pem
http_tls_key_password = secret
If my openssl-graylog.cnf were the following, how would it be? Sorry, I cannot put the real country, etc…

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = NW
L = NW
O = FMI
OU = Sistems
CN = graylog.localhost

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.194.130
DNS.1 = graylog.localhost

This is very awful, horrible, scary, desperate and boring… Thanks for helping me, it really means a lot to me.
The Graylog manual is a disaster, a very big disaster.

Have a nice day, better than mine I hope so.

I copied graylog-certificate.pem and graylog-key.pem from /etc/ssl/certs/graylog/ to /etc/graylog/.
OK?
I am very disappointed with the graylog software.

bye, thanks, have a nice day, best regards.


Hello,

If Graylog is not starting up, then what do the logs show? This should give you an idea of what's going on. Then we can focus on that.

This looks good; are you using your own keystore or the Java default one called cacerts?
And do you have these settings configured?

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain.com:9000/

If you have a DNS server, are these (IP.1 = 192.168.194.130, DNS.1 = graylog.localhost) reachable on the network?
If not, you can add them to your hosts file on the Graylog server.

To be honest, it's not the software, it's the configuration made. You need to know how all three parts work together first. The HTTPS configuration is pretty hard to get, but once you understand it, it's a lot easier. When I first started it was a mess for weeks.

These posts helped me to understand how TCP/TLS works with Graylog and how to create self-signed certificates. Perhaps looking over them may help.

Hello… good mooooooooooooooorning
Graylog-server works again… I don't have anything clear.
I think I am using my own key store, because in the file /etc/default/graylog-server I put this:

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/graylog_keystore.jks -Djavax.net.ssl.trustStorePassword=changeit"
Is it correct?

The machine where Graylog is installed (192.168.194.130) is seen on the whole network and it can go out to the internet. The exact configuration is:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
O = My Company
OU = My Division
CN = graylog.example.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.194.130
DNS.1 = graylog.example.com

Is DNS.1 the name of the machine where graylog-server is installed? I am a bit confused by this.

Now I have to configure the SIDECAR and FILEBEAT in the frontend; can you help me with that?

If you need anything more, please tell me.
thanks again for all. Have a nice day. Best regards.

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain.com:9000/
I don't have this configured; is it essential?
Will my configuration be the same?

Thanks again. I am working very hard on it.

Hello

Yes it is. @jgutie45, to be honest you really need to read the documentation, man.


Hello, I have read all of it, but maybe I should read it more deeply again.
I made the configuration like in this video:
Installing Graylog 4 with MongoDB Elasticsearch on Debian 11 - YouTube

I am going to work in it more and more.

Thanks.
Have a nice day.

Hi again MR GSMITH

I have configured this, of course; without the SSL configuration everything works, maybe I didn't express myself correctly.

http_bind_address = http://192.168.194.130:9000/
http_publish_uri = https://192.168.194.130:9000/
I have this error in the file /var/log/graylog-sidecar/sidecar.log:

The front end says that everything works perfectly… No failures.

The /var/log/graylog-server/server.log on the server says this:

License not valid? What license? And no Inputs either, but what license?
Maybe the community software can be configured in SSL and TLS mode?
Best regards.

You have to give Elastic/OpenSearch and Graylog the cert chain in the trust store.

sudo find / -name cacerts
sudo keytool -import -keystore /Path/to/keystore -file /path/chain

The code is changeit by default.

Probably the chain or the key is not in the correct format.
To change this:

PKCS7 to PEM:

openssl pkcs7 -print_certs -in <certificatename>.p7b -out <certificatename>.pem

x509 to PEM:

openssl x509 -in <certificatename>.cer -outform PEM -out <certificatename>.pem

Remember to change the owner and the read/write permissions for the cert chain and the key:

sudo chown graylog:graylog <private.key>
sudo chown graylog:graylog <certificatename.pem>
sudo chmod 400 <private.key>
sudo chmod 400 <certificatename.pem>

Set the bind address in the Graylog server conf to
0.0.0.0:<your port>

Make sure the name the participants try to bind to via HTTPS is listed in the cert as an alt name or IP.
Example:
http_publish_uri = https://graylog.org:8080
In the cert:
alt names: graylog.org

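An added example (not Marvin's commands and not Graylog's own code) of the format and permission points in the reply above: a helper that turns a .p7b or .cer chain into the PEM that http_tls_cert_file needs, imports it into a copy of cacerts rather than the JVM's live file, and applies the 400 / graylog:graylog permissions. Paths, the alias and the graylog account are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: normalise a cert chain to PEM, load it into a
# copy of the JVM trust store, and lock down the key and cert files. Assumes openssl on
# PATH (keytool only if present); every path and alias here is a sample value.
set -eu

# Print a certificate (or chain) as PEM whatever form it arrived in: PEM passes
# through, a PKCS#7/.p7b bundle is unpacked, a bare DER/.cer file is re-encoded.
to_pem() {
  in="$1"
  if grep -q "BEGIN PKCS7" "$in"; then
    openssl pkcs7 -print_certs -in "$in"
  elif grep -q "BEGIN CERTIFICATE" "$in"; then
    cat "$in"
  elif openssl pkcs7 -inform DER -print_certs -in "$in" 2>/dev/null; then
    :  # DER-encoded PKCS#7 was printed by the command above
  else
    openssl x509 -inform DER -in "$in" -outform PEM
  fi
}

# Number of certificates in a PEM file; 0 means the file is not something
# http_tls_cert_file or a trust store import will accept.
pem_cert_count() { grep -c "BEGIN CERTIFICATE" "$1" || true; }

# Import a PEM cert into a copy of cacerts (leave the JVM's own file alone) and
# point -Djavax.net.ssl.trustStore at the copy. Returns 1 if keytool is missing.
import_trust() {   # import_trust <cacerts-or-empty> <store-copy> <alias> <pem>
  command -v keytool >/dev/null 2>&1 || return 1
  if [ -n "$1" ] && [ -f "$1" ]; then cp -a "$1" "$2"; fi
  keytool -importcert -noprompt -keystore "$2" -storepass changeit \
    -alias "$3" -file "$4" >/dev/null 2>&1
  keytool -list -keystore "$2" -storepass changeit -alias "$3" >/dev/null 2>&1
}

# Key and cert readable only by the service account that runs graylog-server.
lock_down() {   # lock_down <file>...
  for f in "$@"; do
    chmod 400 "$f"
    if id graylog >/dev/null 2>&1; then chown graylog:graylog "$f"; fi
  done
}

# Usage: to_pem chain.p7b > chain.pem; import_trust /path/to/cacerts ./graylog.jks graylog chain.pem
```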

thanks Mister

PKCS7? But isn't Graylog's format PKCS8?

I did this sequence to create the certificates; is it wrong?

  1. mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/

  2. openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

  3. openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

  4. openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

  5. openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key

  6. openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt

  7. openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new

  8. openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key

In the next one the password is secret.

  9. openssl pkcs12 -export -in graylog.crt -inkey graylog.key -out keystore.pfx

In the next one the password is secret too.

  10. openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem

The password is secret and the pass phrase (whatever you want) is secret too.

  11. openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem

You have to put in the pass phrase secret and the encryption password secret again.

  12. openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

It asks you and you say YES.

  13. keytool -import -trustcacerts -file graylog.crt -alias graylog.enseva-labs.net -keystore graylog_keystore.jks -storepass changeit

It asks you for the password, changeit.

  14. keytool -list -v -keystore graylog_keystore.jks -alias graylog.enseva-labs.net

It asks you for two passwords, both are changeit.

  15. keytool -importkeystore -srckeystore graylog_keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12

It asks you for the password, which is changeit.

  16. openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem

It asks you for a password; it is secret.

  17. openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

The next command in my case would be:

cp -a "/usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks

  18. cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks

  19. keytool -importcert -keystore graylog.jks -storepass changeit (secret) -alias graylog.domain.com -file cert.pem

I am going to do that with the permissions… Sorry to be so heavy (like Steve Urkel in house things).

You mean that http_publish_uri = https:graylog.org:9000 instead of http_publish_uri = https:graylog.org:8080, don't you?

All of this is very, very confusing… Oh! my god.

best regards.

The http_publish_uri with the port I used was an example. Your actual URI will be different.
Certs are very confusing, I know.
Basically you get a PKCS7 cert after sending a request. I would say PKCS8 is the same as PEM, and this is what Graylog needs.


Good morning Marvin

I am a little bit confused with the keystore and this command:

sudo keytool -import -keystore /Path/to/keystore -file /path/chain

When I execute this command: sudo find / -name cacerts, the result is:
(On the server machine, of course.)

/etc/ssl/certs/java/cacerts
/etc/default/cacerts
find: ‘/run/user/1000/gvfs’: Permission denied
/usr/share/elasticsearch/jdk/lib/security/cacerts
/usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts

My certs and my keys are in /etc/ssl/certs/graylog/, and all of that is:
-rwxrwxrwx 1 root root 1391 Jan 24 14:46 cert.pem
-r-------- 1 graylog graylog 1717 Jan 24 14:53 graylog-certificate.pem
-rwxrwxrwx 1 root root 1391 Jan 24 14:46 graylog.crt
-rwxrwxrwx 1 root root 3552 Jan 24 14:47 graylog.csr
-rwxrwxrwx 1 root root 1398 Jan 24 14:55 graylog.jks
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 graylog.key
lrwxrwxrwx 1 root root 27 Jul 22 2022 graylog-key.jks -> /etc/ssl/certs/java/cacerts
-r-------- 1 graylog graylog 1874 Jan 24 14:54 graylog-key.pem
-rwxrwxrwx 1 root root 1398 Jan 24 14:49 graylog_keystore.jks
-rwxrwxrwx 1 root root 1978 Jan 24 14:48 graylog-pkcs5.pem
-rwxrwxrwx 1 root root 1398 Jan 24 14:53 keystore.p12
-rwxrwxrwx 1 root root 2589 Jan 24 14:47 keystore.pfx
-rwxrwxrwx 1 root root 604 Jan 24 14:45 openssl-graylog.cnf
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 pkcs5-plain.pem
-rwxrwxrwx 1 root root 1874 Jan 24 14:46 pkcs8-encrypted.pem
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 pkcs8-plain.pem

Is it OK? Would it be better to put all of this in /anotherfile/, maybe?

So, how would this command be? sudo keytool -import -keystore /Path/to/keystore -file /path/chain

Keys, certs, keystores, permissions… Oh my god!

best regards, have a good weekend…

Yes, I have the enterprise plugin…

I will get a serial and TO BE CONTINUED.

Thanks to all.

Hey

That would be your Java default keystore.
