Error while trying to setup TLS

Hi there… I am definitely a newbie to Graylog. I am currently trying to get TLS (https) working on a fresh install. Cert setup/deployment is pretty new to me. I am glad this isn't a public-facing system, which is best for learning in my opinion.

I followed this to get Graylog setup on a fresh built VM… (Had to put in a reply to this)

I have done very little with it so far… I have logged in and set up an account for me to use so that I am not always working as an admin within it… I wanted to get TLS set up before I get too far into my learning experience with Graylog. I am trying to use the certificate that I purchased from sectigo.com. I do not want to have it facing the public internet, but I do want it to have a secure login so that I know info isn't being sent in plain text…

So… Pardon my ignorance if I am misunderstanding some things…

1. Describe your incident:
I am trying to get TLS set up for my install. I am following… (I had to put in a reply to this)

I am at the “Import Certs” section and trying to run the following like it says…

sudo openssl x509 -inform der -in enterpriseRootCA.cer -out enterpriseRootCA.pem

and I get the following error:

gladmin@Graylog:~$ sudo openssl x509 -inform der -in enterpriseRootCA.cer -out enterpriseRootCA.pem
Could not open file or uri for loading certificate from enterpriseRootCA.cer
803B7AACD17F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
803B7AACD17F0000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(enterpriseRootCA.cer)
Unable to load certificate

I performed the commands above this section without any issues… I did not get a value back, so I did the section for… "IF the above ls command does NOT return a value, use the bundled JDK cacerts file"

2. Describe your environment:

  • OS Information: Debian 12 (Bookworm) VM

  • Package Version:
    mongodb-org/bookworm/mongodb-org/7.0,now 7.0.14
    opensearch/stable,now 2.17.0
    graylog-server/stable,now 6.0.6-1

  • Service logs, configurations, and environment variables:

gladmin@Graylog:~$ sudo journalctl -r
Sep 23 15:08:56 Graylog sudo[5003]: pam_unix(sudo:session): session opened for user root(uid=0) by gladmin(uid=1000)
Sep 23 15:08:56 Graylog sudo[5003]:  gladmin : TTY=pts/0 ; PWD=/home/gladmin ; USER=root ; COMMAND=/usr/bin/journalctl -r
Sep 23 15:08:54 Graylog sudo[5000]: pam_unix(sudo:session): session closed for user root
Sep 23 15:08:54 Graylog sudo[5000]: pam_unix(sudo:session): session opened for user root(uid=0) by gladmin(uid=1000)
Sep 23 15:08:54 Graylog sudo[5000]:  gladmin : TTY=pts/0 ; PWD=/home/gladmin ; USER=root ; COMMAND=/usr/bin/openssl x509 -inform der -in enterpriseRootCA.cer>
Sep 23 15:08:48 Graylog sudo[4996]: pam_unix(sudo:session): session closed for user root

3. What steps have you already taken to try and solve the problem?
I have googled and looked through this community for a good response regarding "Could not open file or uri for loading certificate from enterpriseRootCA.cer +graylog". I have also tried to find an up-to-date YouTube video for setting up TLS for a Graylog 6 install, which I did not find.

4. How can the community help?
I am needing some guidance on what to do regarding the error I am currently getting.

- getting a message saying that I can't have more than 2 URLs when I am only using 2 URLs… :confused:

Debian Install guide that I used…
https://go2docs.graylog.org/current/downloading_and_installing_graylog/debian_installation.htm

TLS install guide that I am using…

Since I haven't been able to get anywhere with the "Securing Graylog with TLS" guide… I found this guide under Resources → Hardening Graylog with TLS.

I am stuck on the part with using "keytool"…

gladmin@Graylog:~$ keytool
-bash: keytool: command not found
gladmin@Graylog:~$ ls -l /usr/share/graylog-server/jvm/bin/
total 80
-rwxr-xr-x 1 root root 16320 Sep  4 14:32 java
-rwxr-xr-x 1 root root 16336 Sep  4 14:32 jfr
-rwxr-xr-x 1 root root 16376 Sep  4 14:32 jrunscript
-rwxr-xr-x 1 root root 16336 Sep  4 14:32 keytool
-rwxr-xr-x 1 root root 16344 Sep  4 14:32 rmiregistry
gladmin@Graylog:~$ export PATH-"$PATH:/usr/share/graylog-server/jvm/bin/"
-bash: export: `PATH-/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/share/graylog-server/jvm/bin/': not a valid identifier
gladmin@Graylog:~$ sudo echo 'export PATH-"$PATH:/usr/share/graylog-server/jvm/bin"' >> ~/.bashrc
gladmin@Graylog:~$ which keytool
gladmin@Graylog:~$

I have found part of my problem. I should have used “=” instead of a “-”.

gladmin@Graylog:~$ which keytool
/usr/share/graylog-server/jvm/bin/keytool

Now, I feel like I am back to the "command not found"

gladmin@Graylog:~$ sudo keytool -storepasswd -keystore /etc/graylog/tls/graylog.jks
sudo: keytool: command not found
gladmin@Graylog:~$ sudo which keytool
gladmin@Graylog:~$


Okay. I have figured out that issue… I changed into the directory and used "./keytool" to get it to run…

gladmin@Graylog:~$cd /usr/share/graylog-server/jvm/bin
gladmin@Graylog:/usr/share/graylog-server/jvm/bin$ sudo ./keytool -storepasswd -keystore /etc/graylog/tls/graylog.jks
Enter keystore password:

I am now stuck wondering… when did I create a password for that keystore, as it is not taking any of the passwords that I set during the install process? I am feeling like I might have missed something during the install steps.

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I managed to find what the default password for it is. This allowed me to continue on. I completed the rest of that section of the video to the best of my knowledge, but it does not look like the service is liking something. I have reviewed the changes to the files and they appear to be correct to me…

Items I edited are:

/etc/graylog/server/server.conf
- http_bind_address = 0.0.0.0:443
- http_publish_uri = https://graylog.home.shanty.com/
- http_enable_tls = true
- http_tls_cert_file = /etc/graylog/tls/star.shanty.com.pem
- http_tls_key_file = /etc/graylog/tls/star_shanty_com.key.enc
/etc/default/graylog-server
- GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/tls/graylog.jks"
/usr/lib/systemd/system/graylog-server.service
- This looked fine so no changes need to be made

/etc/default/graylog-server

gladmin@Graylog:~$ sudo systemctl restart graylog-server
gladmin@Graylog:~$ sudo systemctl status graylog-server
● graylog-server.service - Graylog server
     Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2024-09-24 21:41:45 UTC; 5s ago
       Docs: http://docs.graylog.org/
    Process: 5442 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=1/FAILURE)
   Main PID: 5442 (code=exited, status=1/FAILURE)
        CPU: 2.017s

Sep 24 21:41:45 Graylog systemd[1]: graylog-server.service: Consumed 2.017s CPU time.


gladmin@Graylog:~$ sudo journalctl -r
Sep 24 21:37:28 Graylog systemd[1]: graylog-server.service: Consumed 2.100s CPU time.
Sep 24 21:37:28 Graylog systemd[1]: graylog-server.service: Failed with result 'exit-code'.
Sep 24 21:37:28 Graylog systemd[1]: graylog-server.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 21:37:27 Graylog systemd[1]: Started graylog-server.service - Graylog server.
Sep 24 21:37:27 Graylog systemd[1]: graylog-server.service: Consumed 2.029s CPU time.
Sep 24 21:37:27 Graylog systemd[1]: Stopped graylog-server.service - Graylog server.
Sep 24 21:37:27 Graylog systemd[1]: graylog-server.service: Scheduled restart job, restart counter is at 128.
Sep 24 21:37:17 Graylog systemd[1]: graylog-server.service: Consumed 2.029s CPU time.
Sep 24 21:37:17 Graylog systemd[1]: graylog-server.service: Failed with result 'exit-code'.
Sep 24 21:37:17 Graylog systemd[1]: graylog-server.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 21:37:16 Graylog sudo[4774]: pam_unix(sudo:session): session closed for user root
Sep 24 21:37:16 Graylog systemd[1]: Started graylog-server.service - Graylog server.
Sep 24 21:37:16 Graylog systemd[1]: graylog-server.service: Consumed 1.965s CPU time.
Sep 24 21:37:16 Graylog systemd[1]: Stopped graylog-server.service - Graylog server.
Sep 24 21:37:16 Graylog sudo[4774]: pam_unix(sudo:session): session opened for user root(uid=0) by gladmin(uid=1000)
Sep 24 21:37:16 Graylog sudo[4774]:  gladmin : TTY=pts/0 ; PWD=/home/gladmin ; USER=root ; COMMAND=/usr/bin/systemctl restart graylog-server
Sep 24 21:37:15 Graylog systemd[1]: graylog-server.service: Consumed 1.965s CPU time.
Sep 24 21:37:15 Graylog systemd[1]: graylog-server.service: Failed with result 'exit-code'.
Sep 24 21:37:15 Graylog systemd[1]: graylog-server.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 21:37:15 Graylog systemd[1]: Started graylog-server.service - Graylog server.
Sep 24 21:37:15 Graylog systemd[1]: graylog-server.service: Consumed 1.973s CPU time.
Sep 24 21:37:15 Graylog systemd[1]: Stopped graylog-server.service - Graylog server.
Sep 24 21:37:15 Graylog systemd[1]: graylog-server.service: Scheduled restart job, restart counter is at 127.
Sep 24 21:37:13 Graylog sudo[4732]: pam_unix(sudo:session): session closed for user root
Sep 24 21:37:13 Graylog systemd[1]: Reloading.
Sep 24 21:37:13 Graylog sudo[4732]: pam_unix(sudo:session): session opened for user root(uid=0) by gladmin(uid=1000)
Sep 24 21:37:13 Graylog sudo[4732]:  gladmin : TTY=pts/0 ; PWD=/home/gladmin ; USER=root ; COMMAND=/usr/bin/systemctl daemon-reload
Sep 24 21:37:04 Graylog systemd[1]: graylog-server.service: Consumed 1.973s CPU time.
Sep 24 21:37:04 Graylog systemd[1]: graylog-server.service: Failed with result 'exit-code'.
Sep 24 21:37:04 Graylog systemd[1]: graylog-server.service: Main process exited, code=exited, status=1/FAILURE
Sep 24 21:37:04 Graylog systemd[1]: Started graylog-server.service - Graylog server.
Sep 24 21:37:04 Graylog systemd[1]: graylog-server.service: Consumed 2.063s CPU time.
Sep 24 21:37:04 Graylog systemd[1]: Stopped graylog-server.service - Graylog server.
Sep 24 21:37:04 Graylog systemd[1]: graylog-server.service: Scheduled restart job, restart counter is at 126.
Sep 24 21:36:54 Graylog systemd[1]: graylog-server.service: Consumed 2.063s CPU time.
Sep 24 21:36:54 Graylog systemd[1]: graylog-server.service: Failed with result 'exit-code'.
Sep 24 21:36:54 Graylog systemd[1]: graylog-server.service: Main process exited, code=exited, status=1/FAILURE

I got it working and found the mistake I made. I took a command from my previous notes that I thought matched the path that I was using, but it didn't match the new paths that I was using with my new notes…

I found the mistake because I decided to do a fresh clean build just in case something from the first guide that I was using was causing an issue with the new video guide that I was using.
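As an added sanity check for the kind of path mismatch described in this thread (example code written for this page, not Graylog's own tooling and not from the original post): a small Python linter for the TLS keys in server.conf that were edited above. It assumes that a `.enc` suffix on the key file means an encrypted PEM key, that `http_tls_key_password` is the matching setting, and that the sample config below is constructed from the values in the post.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample mirroring the server.conf values edited in the post.
SAMPLE_CONF = """
http_bind_address = 0.0.0.0:443
http_publish_uri = https://graylog.home.shanty.com/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/tls/star.shanty.com.pem
http_tls_key_file = /etc/graylog/tls/star_shanty_com.key.enc
"""

def parse_conf(text):
    """Parse 'key = value' lines of a server.conf, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def lint_tls(conf, check_paths=False):
    """Return a list of findings; an empty list means the TLS keys look consistent."""
    findings = []
    tls_on = conf.get("http_enable_tls", "false").lower() == "true"
    if not tls_on:
        findings.append("http_enable_tls is not true: UI and API are served over plain HTTP")
    for key in ("http_tls_cert_file", "http_tls_key_file"):
        path = conf.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif check_paths and not os.path.isfile(path):
            # A wrong path here is exactly the start-up exit loop seen in the journal above.
            findings.append(f"{key} points to a missing file: {path}")
    # Assumption: a '.enc' suffix means an encrypted key, which needs http_tls_key_password.
    if conf.get("http_tls_key_file", "").endswith(".enc") and not conf.get("http_tls_key_password"):
        findings.append("http_tls_key_file looks encrypted (.enc) but http_tls_key_password is unset")
    uri = conf.get("http_publish_uri", "")
    if tls_on and uri and urlparse(uri).scheme != "https":
        findings.append("http_publish_uri should use https when http_enable_tls is true")
    port = re.search(r":(\d+)$", conf.get("http_bind_address", ""))
    if port and int(port.group(1)) < 1024:
        findings.append(f"port {port.group(1)} is privileged: the graylog user needs "
                        "CAP_NET_BIND_SERVICE (e.g. AmbientCapabilities in the unit) or a port >= 1024")
    return findings

def lint_sample():
    """Lint the constructed sample; on a real host pass check_paths=True as well."""
    return lint_tls(parse_conf(SAMPLE_CONF))
```

Run it against the real file with `lint_tls(parse_conf(open("/etc/graylog/server/server.conf").read()), check_paths=True)` on the Graylog host to catch a mistyped cert or key path before restarting the service.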
