Configure SSL with Chain

giveen · June 30, 2020, 2:12am

For Apache I would do this:

SSLCertificateFile /your/path/to/star_xxxxxx_edu.crt
SSLCertificateKeyFile /your/path/to/star_xxxxxxx_edu.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt

How would I put this into my Graylog conf?

ttsandrew · June 30, 2020, 7:25pm

Hello @giveen, welcome!

You will need to combine the certificates into a single file that is compatible with Graylog. This post has everything you need to know about configuring Graylog:

https://docs.graylog.org/en/3.3/pages/configuration/https.html

I recommend using OpenSSL to create your certificate chain file. I entered “how to use openssl to combine certificates into chain” into Google and it yielded many helpful results. Once your certificate is prepared follow the instructions linked above.

When we configured SSL for our deployment we had some difficulty but only due to not reading the Graylog HTTPS instructions very carefully. Once we did that it worked perfectly.

giveen · June 30, 2020, 7:44pm

Thanks @ttsandrew you have been very helpful today.

I got my certs combined earlier, but I’m graylog fails to start with errors when I enable it.

#http_publish_uri = https://graylog.xxxxxxxxxe.edu:9000/
#http_enable_tls = true
#http_tls_cert_file = /etc/graylog/server/cert/star_xxxxxxxx_edu2.pem
#http_tls_key_file = /etc/graylog/server/cert/graylog-private.pem
#http_tls_key_password = xxxxxxxxxxxxxxxxx

When I do that, I get:

2020-06-29T10:02:01.013-06:00 INFO  [NetworkListener] Started listener bound to [xx.xx.xx.58:9000]
2020-06-29T10:02:01.016-06:00 INFO  [HttpServer] [HttpServer] Started.
2020-06-29T10:02:01.017-06:00 INFO  [JerseyService] Started REST API at <xx.xx.xx.58:9000>
2020-06-29T10:02:01.018-06:00 INFO  [JerseyService] Shutting down HTTP listener at <xx.xx.xx.58:9000>
2020-06-29T10:02:01.053-06:00 INFO  [NetworkListener] Stopped listener bound to [xx.xx.xx.58:9000]
2020-06-29T10:02:21.259-06:00 ERROR [ServerBootstrap] Unable to shutdown properly on time. {STOPPING=[JobSchedulerService [STOPPING]], TERMINATED=[InputSetupService [TERMINATED], MongoDBProcessingStatusRecorderService [TERMINATED], GracefulShutdownService [TERMINATED], UrlWhitelistService [TERMINATED], StreamCacheService [TERMINATED], OutputSetupService [TERMINATED], LookupTableService [TERMINATED], EtagService [TERMINATED], PeriodicalsService [TERMINATED], ConfigurationEtagService [TERMINATED], BufferSynchronizerService [TERMINATED], KafkaJournal [TERMINATED], JournalReader [TERMINATED], JerseyService [TERMINATED]]}
2020-06-29T10:02:21.259-06:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[JerseyService [STARTING]], STOPPING=[InputSetupService [TERMINATED]]}
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316) ~[graylog.jar:?]
        at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]

ttsandrew · June 30, 2020, 7:51pm

Hello @giveen!

There may be an issue with your certificate. Does it include the required SAN fields? That is what caused problems for us when we couldn’t get SSL secured services to start. In the “Using HTTPS” linked in my previous post there is a certificate request template. At the bottom is a section titled “alt_names”. Those are Subject Alternative Names (SANs). Those are required.

Also, are those sections of your config file still commented using #? If so those will need to be uncommented to be used by Graylog.

giveen · June 30, 2020, 7:56pm

Yes, @ttsandrew they are uncommented, I just did that because I reversed it so I can gain access back under http.

I’ll read up on that and I’m having a co-worker look over my work.

giveen · June 30, 2020, 8:22pm

@ttsandrew Looks like my co-worker solved it for me.

So first off

http_publish_uri = https://actualy_server_name.xxxxxxxxxxx.edu:9000/
#http_tls_key_password = LOOKS_LIKE_I_DIDNT_HAVE_A_PASSWORD

Then he modified the firewall using ‘firewall-cmd’ when I had been using iptables

ttsandrew · June 30, 2020, 8:25pm

@giveen I’m happy for you that you solved it! Thank you for sharing the solution.

system · July 14, 2020, 8:25pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configure TLS = Configure HTTPS Graylog Central (peer support)	24	9827	February 23, 2021
SSL with graylog-ctl Graylog Central (peer support)	3	407	June 28, 2018
How to setup SSL in Graylog with valid cert and key files Graylog Central (peer support)	3	6952	December 18, 2017
Https problem on Graylog 3.0 Graylog Central (peer support)	7	922	April 26, 2019
Configuration HTTPS Graylog Central (peer support)	17	4029	April 26, 2018

Configure SSL with Chain

Related Topics