Error after upgrade from 6.0 to 6.1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
After upgrading to 6.1 I cannot access the search page or dashboards, hangs on updating search results and then this is taking a bit longer. Using Apache as proxy in front of graylog no tls set up on graylog. Started after upgrading the Ubuntu package to 6.1

2. Describe your environment:

  • OS Information: Ubuntu 22.04 LTS

  • Package Version:6.1.4-2

  • Service logs, configurations, and environment variables:
    from server.log
    2024-12-06T07:25:30.392-06:00 WARN [ProxiedResource] Failed to call API on node , cause: None of the TrustManagers trust this certificate chain. (duration: 8 ms)

3. What steps have you already taken to try and solve the problem?
Imported CA into the truststore as advised by mutiple searches. Restarted Graylog and full server. I have been unable to find an answer via searches.
Checked server.conf to make sure publish url had not changed.

4. How can the community help?
Any chance someone has seen this same issue that can point me at what to look at for a fix. Searches have given somewhat incomplete answers, mostly about adding the CA cert to the truststore which I have completed but still no luck in accessing search.

Thank you in advance.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

Sorry for the noise. I had a typo in the JAVA opts line that it was not reading the truststore file that I created.

1 Like

Hey @gcstech

Are you certain TLS is not enabled on within your server.conf? Could you post a redacted version of your server.conf?

Could you tell me exactly what you did? I’m lost with this error.

Regards.

Will do the best I can. The fix came from this page
https://graylog.org/post/how-to-guide-securing-graylog-with-tls/

I am running mine through Apache proxy with an internal certificate authority. What I needed to do was to add the CA file for my authority to the truststore and then configure graylog to use it.

Starting under the Java Key Store section

sudo cp /usr/share/graylog-server/jvm/lib/security/cacerts /etc/graylog/graylog.jks
sudo chown graylog:graylog /etc/graylog/graylog.jks
sudo keytool -importcert -keystore /etc/graylog/graylog.jks -storepass changeit -alias cachain -file /etc/graylog/enterpriseRootCA.pem

with enterpriseRootCA.pem being my certficate authority file

Then follow the instructions on that page under Configure Graylog adding the -Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks to the
GRAYLOG_SERVER_JAVA_OPTS line

GRAYLOG_SERVER_JAVA_OPTS=“-Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks”

That got me functioning again after I fixed a typo in the /etc/default/graylog-server file.

Phil

1 Like

Thank you very much. I will try it.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.