Docker TLS Activation


#1

I have installed Graylog with Docker according to this official guide:

Docker - Graylog 2.2.1 Documentation

Now I would like to switch to HTTPS and have followed the instructions here:

Using HTTPS - Graylog 2.2.1 documentation

I’m stuck with the following ERROR message:

ERROR: com.google.common.util.concurrent.ServiceManager - Service JerseyService [FAILED] has failed in the STARTING state.
graylog_1        | java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked

Created X.509 certificates and a PKCS#8 private key and installed them in the Java keystore successfully. In the first situation I created a copy of the original keystore as described in the guide, but I’m not sure how to set the JAVA_OPTS variable. Tried it in docker-compose.yml with

GRAYLOG_JAVA_OPTS: -Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/cacerts.jks

or

JAVA_OPTS: -Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/cacerts.jks

but without success.

In the second situation I used the original keystore under

/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

but this didn’t work either.

How can I resolve the InvalidKeySpecException error?


(Jochen) #2

Please describe step-by-step what you did and what the output of the respective commands has been.


#3

Ok, maybe it helps others in the same situation.

Step-by-step from scratch.

Create certificates according to the guide:

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

Move files to /graylog/image/ssl directory on host system.

Created a Dockerfile in /graylog/image with the following:

Dockerfile

FROM graylog2/server:2.2.1-1

# Add certificates directory to graylog server
COPY ssl /usr/share/graylog/ssl

# Set owner of ssl directory to graylog
RUN chown -R graylog:graylog /usr/share/graylog/ssl/

# Add self-signed certificate into the key store
RUN keytool -importcert -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -alias graylog-self-signed -file /usr/share/graylog/ssl/cert.pem -noprompt

Running command in directory /graylog/image/:

INPUT

docker build -t graylog-with-ssl .

OUTPUT

docker build -t graylog-with-ssl .
Sending build context to Docker daemon  21.5 kB
Step 1/4 : FROM graylog2/server:2.2.1-1
 ---> f50af4fc45e1
Step 2/4 : COPY ssl /usr/share/graylog/ssl
 ---> 4841cf76a769
Removing intermediate container 84759bb6f3bc
Step 3/4 : RUN chown -R graylog:graylog /usr/share/graylog/ssl/
 ---> Running in c6e63a90163b
 ---> d2b79c146d61
Removing intermediate container c6e63a90163b
Step 4/4 : RUN keytool -importcert -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -alias graylog-self-signed -file /usr/share/graylog/ssl/cert.pem -noprompt
 ---> Running in 9dd95404c859
Certificate was added to keystore
 ---> 16951667e105
Removing intermediate container 9dd95404c859
Successfully built 16951667e105

Created docker-compose.yml after creating and downloading files for Persist log data:

version: '2'
services:
  mongo:
    image: "mongo:3"
    volumes:
      - /graylog/data/mongo:/data/db
  elasticsearch:
    image: "elasticsearch:2"
    command: "elasticsearch -Des.cluster.name='graylog'"
    volumes:
      - /graylog/data/elasticsearch:/usr/share/elasticsearch/data
  graylog:
    image: graylog-with-ssl
    #image: graylog2/server:2.2.1-1
    volumes:
      - /graylog/data/journal:/usr/share/graylog/data/journal
      - /graylog/config:/usr/share/graylog/data/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      GRAYLOG_PASSWORD_SECRET: somepasswordpepper
      GRAYLOG_ROOT_PASSWORD_SHA2: a83e5f646129dbdbf75093914b7f383c2f7ec27b274ad80a35038f5c98a7fd4d
      GRAYLOG_WEB_ENDPOINT_URI: http://<my server ip>:9000/api/
      GRAYLOG_REST_ENABLE_TLS: "true"
      GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/ssl/cert.pem
      GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/ssl/pkcs8-encrypted.pem
      GRAYLOG_TLS_KEY_PASSWORD: secret
      GRAYLOG_WEB_ENABLE_TLS: "true"
      GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/ssl/cert.pem
      GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/ssl/pkcs8-encrypted.pem
      GRAYLOG_WEB_TLS_KEY_PASSWORD: secret
    depends_on:
      - mongo
      - elasticsearch
    ports:
      - "9000:9000"
      - "12201/udp:12201/udp"
      - "1514/udp:1514/udp"

And this results in the posted error.

If I add the cert manually to the keystore in the Docker image, all is ok.

docker run -ti graylog-with-ssl /bin/bash

Inside the container:

INPUT

keytool -importcert -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -alias graylog-self-signed -file /usr/share/graylog/ssl/cert.pem

OUTPUT

Owner: CN=db-5-3.womedia.de, O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
Issuer: CN=db-5-3.womedia.de, O=Internet Widgits Pty Ltd, ST=Some-State, C=DE
Serial number: d0de5d6c2f3f89e5
Valid from: Wed Mar 01 10:17:58 UTC 2017 until: Thu Mar 01 10:17:58 UTC 2018
Certificate fingerprints:
	 MD5:  8A:C0:A9:31:95:BC:F8:A4:BF:C4:8E:56:7E:3A:D0:C6
	 SHA1: 8C:E5:D7:F5:21:D7:56:77:81:FB:E7:B1:77:97:5A:81:2B:0E:69:88
	 SHA256: 78:6C:64:C5:C8:64:62:9F:21:8A:68:2A:3D:DD:1C:C3:FC:CB:A0:47:A7:8C:44:5B:6D:45:72:5F:4A:AA:17:FD
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F5 75 E9 4D 8A 66 52 8B   13 42 6F 06 D2 10 92 E6  .u.M.fR..Bo.....
0010: 96 57 78 B8                                        .Wx.
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F5 75 E9 4D 8A 66 52 8B   13 42 6F 06 D2 10 92 E6  .u.M.fR..Bo.....
0010: 96 57 78 B8                                        .Wx.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Check it.

INPUT

keytool -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit -list | grep graylog-self-signed -A1

OUTPUT

graylog-self-signed, Mar 1, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): 8C:E5:D7:F5:21:D7:56:77:81:FB:E7:B1:77:97:5A:81:2B:0E:69:88

#4

Does nobody have an idea?

Am I the first one to try Graylog with TLS in Docker containers? :slight_smile:


(Jochen) #5

You might want to use the correct setting name: GRAYLOG_REST_TLS_KEY_PASSWORD (rest_tls_key_password). :wink:


#6

You are right, big thx!

Now there is only one point left …

Used our own company cert and key to get HTTPS access to Graylog. It’s possible to log in but not to use the REST API.

Unable to call https://172.18.0.4:9000/api/system/metrics/multiple on node ... Hostname 172.18.0.4 not verified: ...

The reason is clear, but how can I use the api now?

Or do I have to create my own certificate and key like in the example and use ProxyPass as described here?

http://docs.graylog.org/en/2.2/pages/configuration/web_interface.html#configuring-webif-nginx

But then I get ERR_CONNECTION_REFUSED.

EDIT:
Setting GRAYLOG_REST_TRANSPORT_URI to http://:9000/api/ results in

Unable to call https://<my server fqdn>:9000/system/inputstates on node ....

EDIT and RESOLVED

The last problems were caused by the firewall.

I don’t know which rules … maybe Docker specific, but without firewall rules I get no more errors.
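A check, added here and not part of the thread, that would have flagged the docker-compose.yml in #3 before the container was started: it knows only the Graylog 2.2 TLS setting names that appear in this thread, confirms the key file is PKCS#8 as the guide requires, and reports an encrypted key whose password setting is missing or misspelled (the cause of the InvalidKeySpecException in #1, as Jochen's reply in #5 shows). The setting table, the sample environment and the PEM stand-in are constructed from the thread; the script does not read a running container's environment itself.

```python
import re

# Graylog 2.2 TLS settings as container environment variables, taken from the
# docker-compose.yml in #3 and Jochen's reply in #5. GRAYLOG_TLS_KEY_PASSWORD
# is deliberately absent: Graylog does not read it.
TLS_SETTINGS = {
    "REST": ("GRAYLOG_REST_ENABLE_TLS", "GRAYLOG_REST_TLS_CERT_FILE",
             "GRAYLOG_REST_TLS_KEY_FILE", "GRAYLOG_REST_TLS_KEY_PASSWORD"),
    "WEB": ("GRAYLOG_WEB_ENABLE_TLS", "GRAYLOG_WEB_TLS_CERT_FILE",
            "GRAYLOG_WEB_TLS_KEY_FILE", "GRAYLOG_WEB_TLS_KEY_PASSWORD"),
}
KNOWN = {name for names in TLS_SETTINGS.values() for name in names}

def key_format(pem):
    """Classify a PEM private key by its header; Graylog expects PKCS#8 (plain or encrypted)."""
    match = re.search(r"-----BEGIN ([A-Z ]+?)-----", pem)
    return {"PRIVATE KEY": "pkcs8-plain",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
            "RSA PRIVATE KEY": "pkcs1-traditional",
            "EC PRIVATE KEY": "sec1-traditional"}.get(match.group(1) if match else "", "unknown")

def check_tls_env(env, key_pems):
    """Findings for a container environment (dict) and a mapping key file path -> PEM text."""
    findings = []
    for side, (enable, cert, key, password) in TLS_SETTINGS.items():
        if env.get(enable, "").lower() != "true":
            continue  # TLS not enabled for this listener
        findings += [f"{side}: {n} missing although {enable} is true"
                     for n in (cert, key) if n not in env]
        fmt = key_format(key_pems.get(env.get(key, ""), ""))
        if fmt not in ("pkcs8-plain", "pkcs8-encrypted"):
            findings.append(f"{side}: key file is {fmt}, not PKCS#8 (convert with 'openssl pkcs8 -topk8')")
        elif fmt == "pkcs8-encrypted" and password not in env:
            findings.append(f"{side}: key is encrypted but {password} is not set")
    findings += [f"{n} is not a Graylog TLS setting (misspelled?)" for n in env
                 if n.startswith("GRAYLOG_") and "TLS" in n and n not in KNOWN]
    return findings

# Constructed sample: the environment from #3, including the misnamed password setting.
SSL = "/usr/share/graylog/ssl/"
SAMPLE_ENV = {
    "GRAYLOG_REST_ENABLE_TLS": "true", "GRAYLOG_REST_TLS_CERT_FILE": SSL + "cert.pem",
    "GRAYLOG_REST_TLS_KEY_FILE": SSL + "pkcs8-encrypted.pem", "GRAYLOG_TLS_KEY_PASSWORD": "secret",
    "GRAYLOG_WEB_ENABLE_TLS": "true", "GRAYLOG_WEB_TLS_CERT_FILE": SSL + "cert.pem",
    "GRAYLOG_WEB_TLS_KEY_FILE": SSL + "pkcs8-encrypted.pem", "GRAYLOG_WEB_TLS_KEY_PASSWORD": "secret",
}
# Constructed PEM stand-in: only the header line matters for the format check.
SAMPLE_KEYS = {SSL + "pkcs8-encrypted.pem":
               "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(body omitted)\n-----END ENCRYPTED PRIVATE KEY-----\n"}
```

Running check_tls_env(SAMPLE_ENV, SAMPLE_KEYS) reports the missing GRAYLOG_REST_TLS_KEY_PASSWORD and the unrecognised GRAYLOG_TLS_KEY_PASSWORD; renaming the setting clears both findings.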


(Jottschi) #7

Hi readers,
same kind of problems here. I use the docker-compose. I put the certificate and key into the exported (host)-directory.
But the WebInterface always says: cannot talk to 127.0.0.1:9000 (of course not, you are in a container!)
If I revert to unencrypted communication it works.
Is there a possibility to inject the right backend address? Some projects out there managed it. Look here: https://galaxy.ansible.com/Graylog2/graylog-ansible-role/
From its README:
graylog_web_endpoint_uri: 'http://{{ ansible_host }}:9000/api/'

Putting a reverse proxy in front of it does not really solve the root of the problem.


(Jochen) #8

@jottschi Please don’t hijack old topics and open a new one instead.