Enabling HTTPS for the Web GUI fails when using secured pk8 key file


Dear Graylog Team and Community

Today I installed Graylog 2.4.6 on Ubuntu 18.04 LTS Server, by following the documented steps.
Everything went fine apart from the HTTPS configuration.

Following the documentation: http://docs.graylog.org/en/2.4/pages/configuration/https.html and using the provided script: https://github.com/jalogisch/bartwickelmaschine/blob/master/create_self_signed_ssl_certs/create_ssl_certs.sh failed as well.

First I created my own certificates, then I used the script, but as I mentioned both ways failed.
In both scenarios the private key is in pk8 format, secured by a password.
This password is provided in the server.conf file:
web_tls_key_password = secret
rest_tls_key_password = secret

When starting the server, it drops an error message, even with the certificates generated with the provided script:

2018-07-27T17:20:18.405Z ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_171]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_171]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_171]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_171]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_171]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_171]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_171]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_171]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:382) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:206) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:140) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]

But when using the same key without a password protection and uncommenting the "tls_key_password" option, the server starts successfully.

Not sure if something is wrong with the password secured pk8 file or if it is a kind of bug.

Anyway, when reading several community topics and the provided documentation, there seems to be room for some improvement :slight_smile:

Cheers, Andreas
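The exception in the trace above is thrown while Java decodes the DER AlgorithmIdentifier of the encrypted PKCS#8 key: DER tag 48 (0x30) is a SEQUENCE, found where an OID (tag 6) was expected. The script below is an added example, not code from the original post or from the Graylog project; it walks that same EncryptedPrivateKeyInfo structure and reports which KDF, PRF, iteration count and cipher a pk8 file actually uses, so the scheme can be checked against what the server's Java runtime supports. The sample key bytes are constructed for the example and are not a real key.

```python
import base64, re

# Well-known OIDs found in openssl-generated PKCS#8 keys (unknown ones are returned dotted).
OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
        "1.2.840.113549.3.7": "des-ede3-cbc", "2.16.840.1.101.3.4.1.2": "aes128-CBC",
        "2.16.840.1.101.3.4.1.42": "aes256-CBC"}

def tlv(buf, pos=0):  # one DER element -> (tag, value bytes, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F; ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(value):  # base-128 arcs, high bit set means "more bytes follow"
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def alg_id(der):  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }
    tag, body, _ = tlv(der)
    if tag != 0x30: raise ValueError(f"expected SEQUENCE (tag 48), got tag {tag}")
    tag, val, end = tlv(body)
    if tag != 0x06: raise ValueError(f"expected OID (tag 6) but found tag {tag}")
    return OIDS.get(decode_oid(val), decode_oid(val)), body[end:]

def pbes2_scheme(key_bytes):  # EncryptedPrivateKeyInfo (PEM or DER) -> kdf/prf/iterations/cipher
    if b"-----BEGIN" in key_bytes:  # strip PEM armour and whitespace, then base64-decode
        key_bytes = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", key_bytes))
    name, params = alg_id(tlv(key_bytes)[1])  # encryptionAlgorithm of the outer SEQUENCE
    if name != "PBES2": raise ValueError(f"not a PBES2 key, scheme is {name}")
    _, inner, _ = tlv(params)  # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
    kdf, kdf_params = alg_id(inner)
    cipher, _ = alg_id(inner[tlv(inner)[2]:])
    prf, iters, pos = "hmacWithSHA1", None, 0  # PBKDF2 prf is OPTIONAL, DEFAULT hmacWithSHA1
    _, kdf_body, _ = tlv(kdf_params)  # PBKDF2-params: salt, iterationCount, [keyLength], [prf]
    while pos < len(kdf_body):
        tag, val, end = tlv(kdf_body, pos)
        if tag == 0x02 and iters is None: iters = int.from_bytes(val, "big")
        if tag == 0x30: prf, _ = alg_id(kdf_body[pos:end])
        pos = end
    return {"kdf": kdf, "prf": prf, "iterations": iters, "cipher": cipher}

# Constructed sample, not a real key: PBES2 with PBKDF2-hmacWithSHA256 (2048 rounds) and aes256-CBC.
SAMPLE_KEY = bytes.fromhex(
    "306b 3057 06092a864886f70d01050d 304a 3029 06092a864886f70d01050c"
    "301c 0408 0011223344556677 0202 0800 300c 0608 2a864886f70d0209 0500"
    "301d 0609 60864801650304012a 0410 a0a1a2a3a4a5a6a7a8a9aaabacadaeaf 0410 deadbeefdeadbeefdeadbeefdeadbeef")
```

Run it against a real file with `pbes2_scheme(open("key.pk8", "rb").read())`; a SEQUENCE where an OID is expected raises the same "found tag 48" shape as the Java error above.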

(Jan Doberstein) #2

Hey Andreas,

Feel free to improve the documentation, which is, same as the software, open source.

Not sure if you found a solution, or opened a bug issue over at GitHub. Maybe you can share any kind of further action. That would give others the option to learn.