Configure SSL with Chain

For Apache I would do this:

SSLCertificateFile /your/path/to/star_xxxxxx_edu.crt
SSLCertificateKeyFile /your/path/to/star_xxxxxxx_edu.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt

How would I put this into my Graylog conf?

Hello @giveen, welcome!

You will need to combine the certificates into a single file that is compatible with Graylog. This post has everything you need to know about configuring Graylog:

https://docs.graylog.org/en/3.3/pages/configuration/https.html

I recommend using OpenSSL to create your certificate chain file. I entered “how to use openssl to combine certificates into chain” into Google and it yielded many helpful results. Once your certificate is prepared follow the instructions linked above.

When we configured SSL for our deployment we had some difficulty but only due to not reading the Graylog HTTPS instructions very carefully. Once we did that it worked perfectly.

Thanks @ttsandrew you have been very helpful today.

I got my certs combined earlier, but Graylog fails to start with errors when I enable it.

#http_publish_uri = https://graylog.xxxxxxxxxe.edu:9000/
#http_enable_tls = true
#http_tls_cert_file = /etc/graylog/server/cert/star_xxxxxxxx_edu2.pem
#http_tls_key_file = /etc/graylog/server/cert/graylog-private.pem
#http_tls_key_password = xxxxxxxxxxxxxxxxx

When I do that, I get:

2020-06-29T10:02:01.013-06:00 INFO  [NetworkListener] Started listener bound to [xx.xx.xx.58:9000]
2020-06-29T10:02:01.016-06:00 INFO  [HttpServer] [HttpServer] Started.
2020-06-29T10:02:01.017-06:00 INFO  [JerseyService] Started REST API at <xx.xx.xx.58:9000>
2020-06-29T10:02:01.018-06:00 INFO  [JerseyService] Shutting down HTTP listener at <xx.xx.xx.58:9000>
2020-06-29T10:02:01.053-06:00 INFO  [NetworkListener] Stopped listener bound to [xx.xx.xx.58:9000]
2020-06-29T10:02:21.259-06:00 ERROR [ServerBootstrap] Unable to shutdown properly on time. {STOPPING=[JobSchedulerService [STOPPING]], TERMINATED=[InputSetupService [TERMINATED], MongoDBProcessingStatusRecorderService [TERMINATED], GracefulShutdownService [TERMINATED], UrlWhitelistService [TERMINATED], StreamCacheService [TERMINATED], OutputSetupService [TERMINATED], LookupTableService [TERMINATED], EtagService [TERMINATED], PeriodicalsService [TERMINATED], ConfigurationEtagService [TERMINATED], BufferSynchronizerService [TERMINATED], KafkaJournal [TERMINATED], JournalReader [TERMINATED], JerseyService [TERMINATED]]}
2020-06-29T10:02:21.259-06:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[JerseyService [STARTING]], STOPPING=[InputSetupService [TERMINATED]]}
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316) ~[graylog.jar:?]
        at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]

Hello @giveen!

There may be an issue with your certificate. Does it include the required SAN fields? That is what caused problems for us when we couldn’t get SSL secured services to start. In the “Using HTTPS” linked in my previous post there is a certificate request template. At the bottom is a section titled “alt_names”. Those are Subject Alternative Names (SANs). Those are required.

Also, are those sections of your config file still commented using #? If so those will need to be uncommented to be used by Graylog.

Yes, @ttsandrew, they are uncommented; I just did that because I reversed it so I could gain access back under HTTP.

I’ll read up on that and I’m having a co-worker look over my work.


@ttsandrew Looks like my co-worker solved it for me.

So first off:

http_publish_uri = https://actualy_server_name.xxxxxxxxxxx.edu:9000/
#http_tls_key_password = LOOKS_LIKE_I_DIDNT_HAVE_A_PASSWORD

Then he modified the firewall using ‘firewall-cmd’, when I had been using iptables.


@giveen I’m happy for you that you solved it! Thank you for sharing the solution.

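The three things that changed between the failing and the working setup in this thread (settings left commented out, a http_publish_uri whose hostname the certificate must actually cover, and a key password that is only needed when the key file is encrypted) can be checked before restarting Graylog. The checker below is an added example, not Graylog's code or either poster's; the sample server.conf, the SAN list and the key header are constructed placeholders modelled on the values quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the settings quoted in this thread (placeholder values).
SAMPLE_CONF = """\
http_publish_uri = https://graylog.example.edu:9000/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert/star_example_edu2.pem
#http_tls_key_file = /etc/graylog/server/cert/graylog-private.pem
http_tls_key_password = changeme
"""
# Constructed header of an unencrypted PKCS#8 key (body elided).
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"

def parse_conf(text):
    """Split server.conf into active and commented-out key/value pairs."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = re.match(r"^\s*(#\s*)?([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$", line)
        if m:
            (commented if m.group(1) else active)[m.group(2)] = m.group(3)
    return active, commented

def hostname_in_sans(host, sans):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    host = host.lower()
    return any(s == host or (s.startswith("*.") and s.count(".") == host.count(".")
                             and host.endswith(s[1:])) for s in map(str.lower, sans))

def key_is_encrypted(pem):
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def lint_tls(conf_text, sans, key_pem):
    """Return the misconfigurations this thread ran into, as readable strings."""
    active, commented = parse_conf(conf_text)
    keys = ("http_enable_tls", "http_tls_cert_file", "http_tls_key_file", "http_publish_uri")
    problems = [f"{k} is commented out, so Graylog ignores it" for k in keys
                if k not in active and k in commented]
    if active.get("http_enable_tls", "false").lower() != "true":
        return problems
    uri = urlsplit(active.get("http_publish_uri", ""))
    if uri.scheme != "https":
        problems.append("http_publish_uri must use https:// when http_enable_tls = true")
    elif uri.hostname and not hostname_in_sans(uri.hostname, sans):
        problems.append(f"{uri.hostname} is not covered by the certificate SANs {sans}")
    if ("http_tls_key_password" in active) != key_is_encrypted(key_pem):
        problems.append("http_tls_key_password must be set exactly when the key file is encrypted")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_tls(SAMPLE_CONF, ["*.example.edu"], SAMPLE_KEY)) or "no problems found")
```

Run against the sample it reports the commented-out key file and the spurious key password; feed it your real server.conf text, the SAN list from `openssl x509 -noout -ext subjectAltName`, and the key file contents.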