Hello, I have read it all, but maybe I should read it again very thoroughly.
I made the configuration as in this video:
Installing Graylog 4 with MongoDB Elasticsearch on Debian 11 - YouTube
I am going to work on it more and more.
Thanks.
Have a nice day.
Hi again, Mr. GSMITH
I have configured this, of course; without the SSL configuration everything works. Maybe I don't express myself correctly.
http_bind_address = http://192.168.194.130:9000/
http_publish_uri = https://192.168.194.130:9000/
I have this error in the file /var/log/graylog-sidecar/sidecar.log
The front end says that everything works perfectly… No failures.
The /var/log/graylog-server/server.log on the server says this:
License not valid? What license? And no inputs either, but what license?
Maybe the community software can be configured in SSL and TLS mode?
Best regards.
You have to give Elastic/OpenSearch and Graylog the cert chain in the truststore.
sudo find / -name cacerts
sudo keytool -import -keystore /Path/to/keystore -file /path/chain
The password is by default changeit.
Probably the chain or the key is not in the correct format.
To change this:
pkcs7 to PEM:
openssl pkcs7 -print_certs -in <certificatename>.p7b -out <certificatename>.pem
x509 to PEM:
openssl x509 -in <certificatename>.cer -outform PEM -out <certificatename>.pem
Remember to change the owner and the read/write permissions for the cert chain and the key:
sudo chown graylog:graylog <private.key>
sudo chown graylog:graylog <certificatename>.pem
sudo chmod 400 <private.key>
sudo chmod 400 <certificatename>.pem
Set the bind address in the Graylog server conf to
0.0.0.0:your port
Make sure the name the participants try to reach via https is listed in the cert as an alt name or IP.
Example:
http_publish_uri = https://graylog.org:8080
In the cert:
alt names: graylog.org
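As an added example (my own script, not Graylog's tooling and not code from anyone in this thread), here is a shell pre-flight check for the points in the post above: the publish URI must use https, its host must appear in the certificate's subjectAltName, the private key must belong to the certificate, and key and chain should be mode 400 owned by the graylog user. It also writes an openssl `req` config whose SAN carries that host, so a self-signed cert made with `openssl req -x509 -config <file> ...` (the form used later in this thread) actually contains the alt name. The hostname graylog.example.org, the file names and the `graylog` user are assumptions; the certificate checks need openssl in PATH, the rest only needs GNU or busybox `stat`.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a Graylog HTTPS setup (added example, not Graylog's own tooling).
# Assumes "stat -c" (GNU/busybox) and, for the certificate checks only, openssl in PATH.
# The user name "graylog" and every path below are placeholders for your own install.

# Host part of http_publish_uri: https://graylog.example.org:9000/ -> graylog.example.org
# (strips scheme, path and port; bracketed IPv6 literals are not handled).
publish_host() {
    local rest
    rest=${1#*://}
    rest=${rest%%/*}
    printf '%s\n' "${rest%%:*}"
}

# 0 if the URI starts with https:// (what the sidecar and browsers will negotiate), else 1.
uri_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if the file is mode 400 and owned by the given user (default: graylog), else 1.
# This is exactly the chown/chmod state recommended for the key and the chain.
check_private_file() {
    local file=$1 owner=${2:-graylog} want_uid mode uid
    want_uid=$(id -u "$owner" 2>/dev/null) || return 1   # owner must exist
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    uid=$(stat -c '%u' "$file" 2>/dev/null) || return 1
    [ "$mode" = 400 ] && [ "$uid" = "$want_uid" ]
}

# Write an openssl req config whose SAN lists the publish host, so
# "openssl req -x509 -config <file> ..." produces a cert with the alt name.
write_san_config() {
    local host=$1 out=$2 san
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;   # contains letters: a DNS name
        *)         san="IP:$host" ;;    # only digits and dots: IPv4 literal
    esac
    cat >"$out" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
req_extensions = v3_req
prompt = no

[dn]
CN = $host

[v3_req]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
}

# 0 if the certificate's SAN has a DNS or IP entry exactly equal to host (needs openssl >= 1.1.1).
cert_has_san() {
    local cert=$1 host=$2
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -E 's/^[[:space:]]*(DNS|IP Address)://' | grep -qxF "$host"
}

# 0 if the (unencrypted) private key's public half equals the certificate's public key.
key_matches_cert() {
    local cert=$1 key=$2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Usage: ./graylog-tls-check.sh cert.pem private.key https://graylog.example.org:9000/
main() {
    local cert=$1 key=$2 uri=$3 host f rc=0
    uri_is_https "$uri" || { echo "http_publish_uri must start with https:// : $uri"; rc=1; }
    host=$(publish_host "$uri")
    cert_has_san "$cert" "$host" || { echo "certificate has no SAN entry for $host"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "private key does not match certificate"; rc=1; }
    for f in "$cert" "$key"; do
        check_private_file "$f" || { echo "$f should be mode 400 and owned by graylog"; rc=1; }
    done
    return $rc
}

if [ $# -ge 3 ]; then main "$@"; fi
```

Run it with the certificate, the key and the exact `http_publish_uri` value from server.conf; every failed line is one of the things Marvin lists. A cert that passes `cert_has_san` for the publish host is the one whose chain then goes into the Java truststore with keytool.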
Thanks, Mister.
pkcs7? But isn't the format for Graylog pkcs8?
I did this sequence to create the certificates; is it wrong?
mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key
openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt
openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new
openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key
In the next one the password is secret.
In the next one the password is secret too.
The password is secret and the phrase (whatever you want) is secret too.
You have to enter the phrase secret and the encryption password secret again.
It asks you and you say YES.
It asks you for the password changeit.
It asks you for two passwords; both are changeit.
It asks you for a password, which is changeit.
It asks you for a password; it is secret.
The next command in my case would be:
cp -a "/usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks
cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks
keytool -importcert -keystore graylog.jks -storepass changeit (secret) -alias graylog.domain.com -file cert.pem
I am going to do that with the permissions… Sorry to be so heavy (like Steve Urkel in house things).
You mean http_publish_uri = https://graylog.org:9000 instead of http_publish_uri = https://graylog.org:8080, don't you?
All of that is very, very confusing… Oh my god!
Best regards.
The http_publish_uri with the port I used was an example. Your actual URI will be another one.
Certs are very confusing, I know.
Basically you get a pkcs7 cert after sending a request. I would say pkcs8 is the same as PEM, and this is what Graylog needs.
Good morning Marvin,
I am a little bit confused with the keystore and this command:
sudo keytool -import -keystore /Path/to/keystore -file /path/chain
When I execute this command: sudo find / -name cacerts, the result is:
On the server machine, of course:
/etc/ssl/certs/java/cacerts
/etc/default/cacerts
find: ‘/run/user/1000/gvfs’: Permission denied
/usr/share/elasticsearch/jdk/lib/security/cacerts
/usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
My certs and my keys are in /etc/ssl/certs/graylog/ and all of it is:
-rwxrwxrwx 1 root root 1391 Jan 24 14:46 cert.pem
-r-------- 1 graylog graylog 1717 Jan 24 14:53 graylog-certificate.pem
-rwxrwxrwx 1 root root 1391 Jan 24 14:46 graylog.crt
-rwxrwxrwx 1 root root 3552 Jan 24 14:47 graylog.csr
-rwxrwxrwx 1 root root 1398 Jan 24 14:55 graylog.jks
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 graylog.key
lrwxrwxrwx 1 root root 27 Jul 22 2022 graylog-key.jks -> /etc/ssl/certs/java/cacerts
-r-------- 1 graylog graylog 1874 Jan 24 14:54 graylog-key.pem
-rwxrwxrwx 1 root root 1398 Jan 24 14:49 graylog_keystore.jks
-rwxrwxrwx 1 root root 1978 Jan 24 14:48 graylog-pkcs5.pem
-rwxrwxrwx 1 root root 1398 Jan 24 14:53 keystore.p12
-rwxrwxrwx 1 root root 2589 Jan 24 14:47 keystore.pfx
-rwxrwxrwx 1 root root 604 Jan 24 14:45 openssl-graylog.cnf
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 pkcs5-plain.pem
-rwxrwxrwx 1 root root 1874 Jan 24 14:46 pkcs8-encrypted.pem
-rwxrwxrwx 1 root root 1704 Jan 24 14:46 pkcs8-plain.pem
Is it OK? Would it be better to put all of this in /anotherfile/, maybe?
So, how would this command be? sudo keytool -import -keystore /Path/to/keystore -file /path/chain
Keys, certs, keystores, permissions… Oh my god!
Best regards, have a good weekend…
Hey,
That would be your Java default keystore.