Configure TLS = Configure HTTPS

I gave this a try with no luck.

This seems very difficult just to get a self-signed cert on the Web UI.

Thank you, Zach.


And do I need to do all this if I have a source that requires TLS? Thank you, Zach.


@dickinsonzach, are there any entries in your server.log relating to the certificate, HTTPS, TLS, the certificate/key, etc?

Are you following the steps here?

https://docs.graylog.org/en/4.0/pages/configuration/https.html

These are the only options I have configured in my server conf relating to HTTPS and TLS.

###############
# HTTP settings
###############

 http_bind_address = 192.168.1.200:9000
 http_publish_uri = https://graylogserver.contoso.com:9000/
 http_enable_tls = true
 http_tls_cert_file = /etc/graylog/certs/domain/graylogserver.contoso.com.cer
 http_tls_key_file = /etc/graylog/certs/domain/pkcs8.pem

Notably absent is the private key secret because I don’t have a password on that file. I recall that I kept getting errors relating to accessing the file when it had a password and we decided since the file lives on the nodes in a secure environment it was an acceptable configuration.

Here’s the configuration of an input using TLS using the same certificate. Note the key password field is masked even though I’ve entered no password.

Syslog TCP with TLS Syslog TCP RUNNING
On node 867e5309 / localhost.localdomain
allow_override_date: true
bind_address: 192.168.1.200
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 6
override_source: <empty>
port: 16514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: /etc/graylog/certs/domain/graylogserver.contoso.com.cer
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/certs/domain/pkcs8.pem
tls_key_password: ********
use_null_delimiter: false
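The steps behind a configuration like the one above, written out as an added example (this is not code from the thread, from Graylog, or from the docs linked above): generate a self-signed certificate for the web UI, rewrap the key as unencrypted PKCS#8 so no http_tls_key_password is needed, prove the key belongs to the certificate, and render the HTTP section of server.conf. The function names, the temp-dir demo, the port and the 365-day lifetime are assumptions; the host name and IP are the ones used in this thread. `-addext` needs OpenSSL 1.1.1 or newer, and the paths you pass to make_selfsigned must be readable by the account graylog-server runs as.

```shell
#!/bin/sh
# Added example, not code from the thread or from Graylog: produce the pair
# of files that the HTTP settings above point at, as a self-signed cert, then
# check the pair before editing server.conf.  Directory, host name and IP
# used below are assumptions.
set -eu

# make_selfsigned DIR FQDN [DAYS]: writes DIR/graylog-certificate.pem and
# DIR/graylog-key.pem (unencrypted PKCS#8, mode 0600).  The SAN matters:
# browsers ignore the CN, so the cert must name the FQDN that
# http_publish_uri will use.
make_selfsigned() {
  dir=$1; fqdn=$2; days=${3:-365}
  mkdir -p "$dir"
  (umask 077
   openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
     -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
     -keyout "$dir/rsa-key.pem" -out "$dir/graylog-certificate.pem" 2>/dev/null
   # Rewrap the key as PKCS#8 with no passphrase, the form the Graylog HTTPS
   # docs describe; with no passphrase, http_tls_key_password stays unset.
   openssl pkcs8 -topk8 -nocrypt -in "$dir/rsa-key.pem" -out "$dir/graylog-key.pem")
  rm -f "$dir/rsa-key.pem"
}

# verify_pair CERT KEY: succeeds only if KEY is unencrypted PKCS#8 and its
# public key is the one inside CERT.  A key from a different CSR (easy to do
# when a PKI-issued cert is involved) is another reason the listener never
# opens.
verify_pair() {
  grep -q '^-----BEGIN PRIVATE KEY-----' "$2" || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# render_server_conf BIND_IP FQDN DIR: the HTTP section of server.conf for
# this pair.  http_bind_address is where the node listens; http_publish_uri
# is the https:// name clients and other nodes are told to use, so it should
# be the FQDN on the cert rather than an IP.
render_server_conf() {
  cat <<EOF
http_bind_address = $1:9000
http_publish_uri = https://$2:9000/
http_enable_tls = true
http_tls_cert_file = $3/graylog-certificate.pem
http_tls_key_file = $3/graylog-key.pem
EOF
}

# check_listener FQDN PORT: after restarting graylog-server, confirm the port
# is serving TLS with this cert.  Needs a running server, so it is not part
# of the demo below.
check_listener() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# demo: run the whole sequence in a temp dir with the thread's host name.
demo() {
  d=$(mktemp -d)
  make_selfsigned "$d" graylogserver.contoso.com 365
  verify_pair "$d/graylog-certificate.pem" "$d/graylog-key.pem" && echo "cert and key match"
  render_server_conf 192.168.1.200 graylogserver.contoso.com "$d"
  rm -rf "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh make-graylog-tls.sh demo` to see the config it would produce; for a real node, call make_selfsigned with the directory from your server.conf, then verify_pair before restarting graylog-server, and check_listener afterwards. The umask subshell keeps the key 0600 from the moment it is written rather than fixing permissions afterwards.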

I think I did everything but

http_publish_uri = https://myserver:9000

I only did

http_bind_address = myip:9000

I thought that publish uri was only needed when using a reverse proxy. I’ll give it another go.


Good morning, how did you end up with graylogserver.contoso.com.cer following the instructions? I don’t see a step where you end up with a .cer file.

Did you follow ALL the steps? Or are only some of them relevant? I’m thinking of the .jks and JVM stuff.

Thank you, Zach.


I’ll have to come back to this later.

I get to:
The resulting graylog-certificate.pem and graylog-key.pem can be used in the Graylog configuration file.

And I make what I think should be the edits to the config file:
http_bind_address = servername:9000
http_publish_uri = https://servername.domain.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_key_password = secret

And it all breaks. netstat -ltup doesn’t show any of the normal ports open. 9000, 514, 5140, etc…

This seems like such a wild (simple) thing to not be able to figure out. Thank you, Zach.


Good morning, how did you end up with graylogserver.contoso.com.cer following the instructions? I don’t see a step where you end up with a .cer file.

Our steps were slightly different because our certificate was issued via PKI.

Did you follow ALL the steps? Or are only some of them relevant? I’m thinking of the .jks and JVM stuff.

Only those relevant to our configuration.

Is there anything in your server log file indicating an issue with the certificate configuration when graylog-server starts?

This is a bit embarrassing, but without the Web UI, I don’t know where any logs are located.

What logs would I be checking?


No need to be embarrassed. This will help you find file locations:

https://docs.graylog.org/en/4.0/pages/configuration/file_location.html#default-file-locations

/var/log/graylog-server/server.log is what I’m looking for currently. That should help you narrow down the problem.

I changed the .conf and rebooted.

Unreadable or missing HTTP private key: /etc/ssl/certs/graylog/graylog-key.pem

Seems to be the relevant piece.

I have set http_tls_key_password = in the .conf file, but this sounds more like I have missed a step in the certificate creation process.

Thank you, Zach.


Now you’ve got something to go on! May be worth testing removing the password from the key file to see if everything works then work on resolving the issue with the password on the file once you’ve demonstrated everything else is working.

I take that to mean generate the .pem file w/o a password. Not exactly sure how to do that. I’m just a script kiddie following the instructions :)

Thank you, Zach.


You can use openssl to do it.

openssl rsa -in /etc/ssl/certs/graylog/graylog-key.pem -out /etc/ssl/certs/graylog/graylog-key-no-password.pem

Enter the password for the existing key when prompted. Then use the file with no password to test. Once you demonstrate it’s working you can focus on resolving the password issue.

What are the unix rights set on the private key file? The graylog user may not have the read right.

Great question. What is the graylog user? For the OS I have root and my admin account. Thank you, Zach.

On my OS the user is called graylog.
Execute ps aux | grep graylog and you will see the user.
Execute ls -l on the private key file to display the unix rights.
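The two checks suggested in the last few replies (is the key passphrase-protected, and can the graylog account read it) plus the passphrase removal, gathered into one script as an added example; this is not code from the thread or from Graylog. It classifies a key file the way the "Unreadable or missing HTTP private key" message would see it, and writes a passphrase-free copy. The function names, the service account name you pass in, and the temp-dir demo keys are assumptions; run the demo as an ordinary user so the permission check is meaningful (root can read anything).

```shell
#!/bin/sh
# Added example, not code from the thread or from Graylog: triage the
# "Unreadable or missing HTTP private key" startup error by testing the three
# things it usually means (wrong path, the graylog service account cannot read
# the file, or the key is passphrase-protected / not PKCS#8), and strip the
# passphrase once you decide, as a poster above did, that file permissions on
# the node are protection enough.  Service account name and paths are
# assumptions.
set -eu

# readable_by USER FILE: can USER open FILE for reading?  Runs the test as
# USER via sudo when that is not the caller; graylog-server normally runs as
# its own account (ps aux | grep graylog shows which), so root being able to
# read the key proves nothing.
readable_by() {
  if [ "$1" = "$(id -un)" ]; then
    test -r "$2"
  else
    sudo -n -u "$1" test -r "$2"
  fi
}

# classify_key USER FILE: prints one word for why Graylog, running as USER,
# could or could not load FILE as http_tls_key_file:
#   missing     wrong path, or the file was never written
#   unreadable  exists but USER cannot read it (chown/chmod; also what you
#               get when sudo itself is unavailable)
#   encrypted   needs http_tls_key_password, or strip the passphrase
#   pkcs1       traditional "BEGIN RSA PRIVATE KEY" form; the Graylog HTTPS
#               docs call for PKCS#8 (openssl pkcs8 -topk8 -nocrypt)
#   ok          unencrypted PKCS#8 that openssl can parse
#   invalid     something else, e.g. the cert file named by mistake
classify_key() {
  [ -e "$2" ] || { echo missing; return 0; }
  readable_by "$1" "$2" || { echo unreadable; return 0; }
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$2" || grep -q 'Proc-Type: 4,ENCRYPTED' "$2"; then
    echo encrypted
  elif grep -q 'BEGIN RSA PRIVATE KEY' "$2"; then
    echo pkcs1
  elif grep -q 'BEGIN PRIVATE KEY' "$2" && openssl pkey -in "$2" -noout 2>/dev/null; then
    echo ok
  else
    echo invalid
  fi
}

# strip_passphrase IN OUT PASSWORD: write an unencrypted copy of IN to OUT,
# mode 0600.  Same purpose as the `openssl rsa -in ... -out ...` above, with
# two differences: `openssl pkey` emits PKCS#8 ("BEGIN PRIVATE KEY") on every
# OpenSSL version, whereas `openssl rsa` writes the traditional form on
# 1.1.x; and the passphrase goes in through the environment instead of
# `pass:...`, so it is not visible in `ps`.
strip_passphrase() {
  (umask 077; KEYPW=$3 openssl pkey -in "$1" -passin env:KEYPW -out "$2")
}

# fix_perms USER FILE: make FILE readable by the service account only.
fix_perms() {
  chown "$1" "$2"
  chmod 600 "$2"
}

# demo: constructed sample keys in a temp dir (not real Graylog material).
demo() {
  d=$(mktemp -d); me=$(id -un)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/plain.pem" 2>/dev/null
  openssl pkcs8 -topk8 -in "$d/plain.pem" -out "$d/enc.pem" -passout pass:secret
  strip_passphrase "$d/enc.pem" "$d/stripped.pem" secret
  for f in plain enc stripped nope; do
    printf '%-13s %s\n' "$f.pem" "$(classify_key "$me" "$d/$f.pem")"
  done
  rm -rf "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

On a real node: `classify_key graylog /etc/ssl/certs/graylog/graylog-key.pem` gives the verdict; `unreadable` is fixed with fix_perms, `encrypted` with either http_tls_key_password or strip_passphrase, and `pkcs1` with the pkcs8 rewrap named in the comment. The header checks run before openssl is invoked so an encrypted key never makes openssl prompt on a terminal.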

Ah, cool. I’ll check it out. Thank you, Zach.
