So I just setup graylog to send me email alerts to my in house and private home email server that I have been using for years for all my IOT, email alert needs, etc. However Graylog seems to not have an option to ignore the ssl cert check. What is the magic command I need to put in the server.conf to ignore the check? I can not find the command anywhere.
Using the most up to date version of graylog open on:
Linux graylog 5.10.0-24-amd64 #1 SMP Debian 5.10.179-5 (2023-08-08) x86_64 GNU/Linux
Error: Notification has email recipients and is triggered, but sending emails failed. Sending the email to the following server failed
An error occurred while trying to send an email! (triggered a few seconds ago)
The Graylog server encountered an error while trying to send an email.
This is the detailed error message: org.apache.commons.mail.EmailException:
Sending the email to the following server failed : 192.168.10.123:1025 (javax.mail.MessagingException: Could not connect to SMTP host: 192.168.10.123, port: 1025;
nested exception is: javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
My current setup is:
# Email transport
transport_email_enabled = true
transport_email_hostname = 192.168.10.123
transport_email_port = 1025
transport_email_use_auth = true
transport_email_auth_username = mypersonalemail@myemailserver.com
transport_email_auth_password = yeah, not posting that here either :-)
transport_email_from_email = mypersonalemail@myemailserver.com
# Encryption settings
#
# ATTENTION:
# Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.
# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
transport_email_use_tls = false
# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
# This is deprecated on most SMTP services!
transport_email_use_ssl = true
appreciate your time on the attempt. Unfortunately transport_email_web_interface_url has nothing to do with this as that command is used for the below defined right in the config (and yes it’s on/set for me)
# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
transport_email_web_interface_url = http://blah blah blah
The error is clear. It’s checking for a cert, I need graylog to NOT. There has to be a way, I mean even during lab setups, testing, etc to ignore this when not in production.
ChatGPT told me to do this: however no clue how to really implement it, or even if it will work.
Another option is to add the -k or –insecure flag to the curl command in the health_check.sh script, which will make curl ignore the certificate validation3.
I am usually super busy, hence the late reply. Was afraid of that!! Sad that a simple one liner for “ignore cert check” is not an option. I will give your suggestion a try over the next week and report back. Kinda figured it would go this way without that option in the config. Thanks again…
Holy good god that’s going to be complicated. I was hoping to simply export my asynchronous key pair on the email server (which was a click of a button) then (this is where the dumpster fire started) import the email servers public key, on the graylog server…BWHAHAHAHAAHA yeah right. There are like a ton of other steps necessary. Not sure this will ever happen for me then. Seems like I need to setup an entire internal ROOT CA server of some kind for this as well and export those chains/certs also to graylog. NOPE NOPE NOPE just tooooo much lol. on a positive side, the articles you provided were really good, thanks!
Just super disappointed again that a simple one liner in the config to “ignore cert validation check” does not exist! I still can’t believe this, that in a lab environment, an entire in house cert root ca system needs to be setup! Just boggles my mind.
I definitely understand the frustration. We know that TLS/cert management is an area of improvement for us. The good news though, or possibly the silver lining, is that once you set up the JKS once, you can just add to it as needed.
I’ve not recently tested self-signed/generated certs but my assumption is that cert can be imported into the JKS and it would work the same (validating the cert as valid as long as all other attribute are valid such as expiry time, subject, and SAN [subject alternative names such as DNS].
