Configure TLS = Configure HTTPS

Good morning, I have a source that needs a .pem file to configure Syslog. Do I follow this

Using HTTPS — Graylog 4.0.0 documentation?

Thank you, Zach.

Yes, and no would be the answer. If you’re using self-signed certificates, then yes. You can follow those instructions. However, if you’re using a CA that’s known (e.g., Letsencrypt, etc.), then you can add the following attributes to your server config:

http_enable_tls=true
http_tls_cert_file=/etc/graylog/ssl/fullchain.pem
http_tls_key_file=/etc/graylog/ssl/privkey.pem
http_publish_uri=https://logs00.example.com:9000/

And as long as your CA is part of the system's certificate store, it should work.

This will be a self-signed cert. Hoping to set that up to access the web UI and use it for the TLS connection.

Gotcha. So yes, in the case of a self-signed cert, you’ll follow the instructions in the doc.

I have tried to enable TLS, but have only succeeded in breaking my web interface when it is enabled.

I created openssl-graylog.cnf

Ran:
openssl req -x509 -days 1825 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog-pkcs5.pem -out graylog-certificate.pem

Ran:
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

That left me with graylog-certificate.pem and graylog-key.pem

Added the following to server.conf:
http_enable_tls = true
http_tls_cert_file = /home/account/Documents/cert/graylog-certificate.pem
http_tls_key_file = /home/account/Documents/cert/graylog-key.pem
http_tls_key_password = secret

Looking at open ports, 9000 is not listed after the changes.

Commenting out the lines and a reboot brings things back to normal.

Thank you, Zach.

I gave this a try with no luck.

This seems very difficult just to get a self-signed cert on the Web UI.

Thank you, Zach.

And do I need to do all this if I have a source that requires TLS? Thank you, Zach.

@dickinsonzach, are there any entries in your server.log relating to the certificate, HTTPS, TLS, the certificate/key, etc?

Are you following the steps here?

https://docs.graylog.org/en/4.0/pages/configuration/https.html

These are the only options I have configured in my server conf relating to HTTPS and TLS.

###############
# HTTP settings
###############

http_bind_address = 192.168.1.200:9000
http_publish_uri = https://graylogserver.contoso.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/certs/domain/graylogserver.contoso.com.cer
http_tls_key_file = /etc/graylog/certs/domain/pkcs8.pem

Notably absent is the private key secret because I don’t have a password on that file. I recall that I kept getting errors relating to accessing the file when it had a password and we decided since the file lives on the nodes in a secure environment it was an acceptable configuration.

Here’s the configuration of an input using TLS using the same certificate. Note the key password field is masked even though I’ve entered no password.

Syslog TCP with TLS (Syslog TCP) RUNNING
On node 867e5309 / localhost.localdomain
allow_override_date: true
bind_address: 192.168.1.200
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 6
override_source: <empty>
port: 16514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: /etc/graylog/certs/domain/graylogserver.contoso.com.cer
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/certs/domain/pkcs8.pem
tls_key_password: ********
use_null_delimiter: false

I think I did everything but

http_publish_uri = https://myserver:9000

I only did

http_bind_address = myip:9000

I thought that publish uri was only needed when using a reverse proxy. I’ll give it another go.

Good morning, how did you end up with graylogserver.contoso.com.cer following the instructions? I don’t see a step where you end up with a .cer file.

Did you follow ALL the steps? Or are only some of them relevant? I’m thinking of the .jks and JVM stuff.

Thank you, Zach.

I’ll have to come back to this later.

I get to:
The resulting graylog-certificate.pem and graylog-key.pem can be used in the Graylog configuration file.

And I make what I think should be the edits to the config file:
http_bind_address = servername:9000
http_publish_uri = https://servername.domain.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_key_password = secret

And it all breaks. netstat -ltup doesn’t show any of the normal ports open. 9000, 514, 5140, etc…

This seems like such a wild (simple) thing to not be able to figure out. Thank you, Zach.

Good morning, how did you end up with graylogserver.contoso.com.cer following the instructions? I don’t see a step where you end up with a .cer file.

Our steps were slightly different because our certificate was issued via PKI.

Did you follow ALL the steps? Or are only some of them relevant? I’m thinking of the .jks and JVM stuff.

Only those relevant to our configuration.

Is there anything in your server log file indicating an issue with the certificate configuration when graylog-server starts?

This is a bit embarrassing, but without the Web UI, I don’t know where any logs are located.

What logs would I be checking?

No need to be embarrassed. This will help you find file locations:

https://docs.graylog.org/en/4.0/pages/configuration/file_location.html#default-file-locations

/var/log/graylog-server/server.log is what I’m looking for currently. That should help you narrow down the problem.

I changed the .conf and rebooted.

Unreadable or missing HTTP private key: /etc/ssl/certs/graylog/graylog-key.pem

Seems to be the relevant piece.

I have set http_tls_key_password = in the .conf file, but this sounds more like I have missed a step in the certificate creation process.

Thank you, Zach.

Now you’ve got something to go on! May be worth testing removing the password from the key file to see if everything works then work on resolving the issue with the password on the file once you’ve demonstrated everything else is working.

I take that to mean generate the .pem file w/o a password. Not exactly sure how to do that. I'm just a script kiddie following the instructions :)

Thank you, Zach.

You can use openssl to do it.

openssl rsa -in /etc/ssl/certs/graylog/graylog-key.pem -out /etc/ssl/certs/graylog/graylog-key-no-password.pem

Enter the password for the existing key when prompted. Then use the file with no password to test. Once you demonstrate it’s working you can focus on resolving the password issue.
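The certificate steps from earlier in the thread (openssl-graylog.cnf, req -x509, pkcs8 -topk8) and the no-password test from the last reply, combined into one added example that is not from this thread or from Graylog: it writes the PKCS#8 key unencrypted with -nocrypt, so no http_tls_key_password is needed, and then checks the pair the way a preflight before editing server.conf would, catching exactly the "Unreadable or missing HTTP private key" case. The hostname graylog.example.test, the temp directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Graylog): self-signed cert + unencrypted
# PKCS#8 key, then a preflight that fails on the two things graylog-server
# rejects: a key it cannot read (encrypted, no password) and a key that does
# not belong to the certificate. Hostname and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-graylog.example.test}"

make_selfsigned() {
  # Minimal stand-in for the thread's openssl-graylog.cnf (constructed); the SAN
  # is what browsers and syslog clients actually validate against.
  cat >"$WORK/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST
EOF
  openssl req -x509 -days 1825 -nodes -newkey rsa:2048 \
    -config "$WORK/openssl-graylog.cnf" \
    -keyout "$WORK/graylog-pkcs5.pem" -out "$WORK/graylog-certificate.pem" 2>/dev/null
  # -nocrypt: unencrypted PKCS#8 output, so http_tls_key_password can stay unset.
  openssl pkcs8 -in "$WORK/graylog-pkcs5.pem" -topk8 -nocrypt \
    -out "$WORK/graylog-key.pem"
}

# tls_preflight CERT KEY -> 0 if graylog-server should accept the pair, 1 otherwise.
tls_preflight() {
  cert="$1"; key="$2"
  # Parse the key with an empty password: fails if it is encrypted or malformed.
  openssl pkey -in "$key" -passin pass: -noout 2>/dev/null \
    || { echo "key unreadable or password-protected: $key"; return 1; }
  # The public key derived from the private key must equal the one in the cert.
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "certificate unreadable: $cert"; return 1; }
  [ "$k" = "$c" ] || { echo "certificate and key do not match"; return 1; }
  return 0
}
```

Run `make_selfsigned` and then `tls_preflight "$WORK/graylog-certificate.pem" "$WORK/graylog-key.pem"` before pointing http_tls_cert_file and http_tls_key_file at the files; a non-zero exit means server.log would show the key or certificate error rather than port 9000 coming up.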