Docker-compose - Trusted CA Signed SSL Certificates but "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Deploying the following docker-compose with a trusted CA-signed SSL certificate, I get an error when starting inputs (but messages are received) and in other operations (e.g. /system/archives):

2022-04-08 09:33:36,898 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://192.168.0.4:9000/api/system/metrics/multiple on node <d57c0b62-616c-437d-b0db-157f81192c7e>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In practice, the address in the certificate (the actual IP) does not correspond to the one Graylog addresses (a Docker-local IP).

The docker-compose file is the following:

version: '2'
services:
  mongodb:
    image: mongo:4.2
    volumes:
      - /data/mongo_db:/data/db
  elasticsearch: 
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    volumes:
      - /data/elasticsearch:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  graylog:
    image: graylog/graylog-enterprise:4.2 
    volumes:
      - /data/graylog:/usr/share/graylog/data
      - /data/certs:/data/certs
      - /data/support_data:/data/support_data
    environment:
      - GRAYLOG_PASSWORD_SECRET=XXX
      - GRAYLOG_ROOT_PASSWORD_SHA2=YYY
      - GRAYLOG_HTTP_EXTERNAL_URI=https://mysite.com:9000/
      - GRAYLOG_WEB_ENDPOINT_URI=https://mysite.com:9000/api
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_ROOT_TIMEZONE=Europe/Rome
      - GRAYLOG_HTTP_ENABLE_TLS=true
      - GRAYLOG_HTTP_TLS_CERT_FILE=/data/certs/mysite.cer
      - GRAYLOG_HTTP_TLS_KEY_FILE=/data/certs/mysite.key
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    links:
      - mongodb:mongo
      - elasticsearch
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # needed? Anyway, no change for this problem
      - 443:9000

How to solve?

Thanks.

GS

Hello && Welcome @sctng

I looked over the Docker-compose file. What I don’t see is the following. I can give you a couple of suggestions on what to look for, though.

If you are using the Java default key store, then it would be called cacerts; if not, then you have to declare it.

Example:

Keystore
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks

Password
-Djavax.net.ssl.trustStorePassword=secret

I don’t see this setting.

- GRAYLOG_HTTP_PUBLISH_URI=https://10.10.10.10:9000/

Unable to find the following in the newer version of Graylog Docker, so I’m unsure.

- GRAYLOG_WEB_ENDPOINT_URI

Since HTTPS uses 443 by default, perhaps something like this.

# web    
    - 443:443    

As for where the certificates are stored (/data/certs/), make sure Graylog can access them.

Example:

root@graylog:/var/lib/docker/volumes/bin_graylog_data/_data# ls -al
total 52
drwxr-x--- 2 1100 1100  4096 Mar 29 22:16 .
drwx-----x 3 root root  4096 Mar 29 21:52 ..
-rw-rw-r-- 1 1100 1100 35644 Mar 29 22:16 graylog.conf
-rw-rw-r-- 1 1100 1100  1629 Mar  2 10:31 log4j2.xml
-rw-r--r-- 1 1100 1100    36 Mar 29 21:59 node-id

Graylog is running as user graylog with the ID 1100 in Docker. That ID needs to be able to read the configuration files you place into the container.

Ensure you have the correct certificate inserted in the keystore.

To sum it up:

“unable to find valid certification path to requested target”.

  • Graylog cannot find where the certificates are located.
  • This could be a permission issue or an incorrect format of the certificate.
  • An incorrect certificate inserted in the keystore, or the keystore cannot be found.

I assume this worked prior to enabling HTTPS?

@sctng
Might want to check this post out also.

Solved.

The problem was that I was using a cert without the issuer certificate after it.

Thanks.

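The answer above and the "Solved" reply both come down to one check: a client that trusts only the public root (which is all a Java cacerts store holds) must be able to build a path from the certificate Graylog serves up to that root, and the certificate must cover the address Graylog uses to call its own API. The shell script below is an added example, not code from this thread or from the Graylog project. It builds a throwaway root, intermediate and leaf with openssl in a temporary directory (the names "Toy Root CA", "mysite.example" and the SAN IP 192.168.0.4 are constructed for the demo), then runs the same openssl verify against a leaf-only PEM and a leaf-plus-issuer PEM. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from Graylog): reproduce the
# "unable to find valid certification path" condition with openssl and
# show the check that separates a leaf-only PEM from a leaf+issuer PEM.
# Everything below is a constructed toy PKI in a temp dir; no real keys.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. The leaf's SAN carries the DNS name
# and the IP Graylog would dial (hypothetical values for the demo).
make_toy_pki() {
  # self-signed root: the kind of entry a Java cacerts store already holds
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Toy Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # intermediate issued by the root: this is the "issuer" the poster left out
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Toy Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  # server leaf issued by the intermediate
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mysite.example,IP:192.168.0.4\n' > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mysite.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

  # the two candidate files for GRAYLOG_HTTP_TLS_CERT_FILE
  cp "$WORK/leaf.pem" "$WORK/leaf_only.pem"                             # what failed
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/leaf_plus_issuer.pem"   # the fix
}

# bundle_ok BUNDLE TRUST_ANCHOR NAME_OR_IP
# Succeeds only if openssl can build a path from the first cert in BUNDLE
# (the rest of BUNDLE serves as untrusted intermediates) to TRUST_ANCHOR,
# and the leaf covers NAME_OR_IP. Trusting only the root mirrors a Java
# client that has the public root in cacerts and nothing else.
bundle_ok() {
  case "$3" in
    *[!0-9.]*) name_opt=-verify_hostname ;;   # has a non-digit: a DNS name
    *)         name_opt=-verify_ip ;;         # bare IPv4 literal
  esac
  openssl verify -CAfile "$2" -untrusted "$1" "$name_opt" "$3" "$1"
}

# Stand-alone run: the leaf-only file reproduces the path-building failure
# ("unable to get local issuer certificate" is openssl's wording for it),
# the leaf+issuer file passes, and an address the cert does not cover fails.
main() {
  make_toy_pki
  for f in leaf_only.pem leaf_plus_issuer.pem; do
    printf '%s against 192.168.0.4: ' "$f"
    bundle_ok "$WORK/$f" "$WORK/root.pem" 192.168.0.4 || true
  done
  printf 'leaf_plus_issuer.pem against 10.10.10.10: '
  bundle_ok "$WORK/leaf_plus_issuer.pem" "$WORK/root.pem" 10.10.10.10 || true
}

main
```

Run it against a real deployment by pointing bundle_ok at the file named in GRAYLOG_HTTP_TLS_CERT_FILE, the CA's published root, and the host part of GRAYLOG_HTTP_PUBLISH_URI; if the leaf-only form fails and the leaf-plus-issuer form passes, the fix is to append the issuer certificate(s) after the leaf in that file, which is exactly what resolved the thread.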
