GELF HTTPS certificate chain is not valid

I am unable to set up a GELF HTTP input using TLS. I was able to secure the Graylog web interface using this guide. I thought I should be able to use the same key and cert file to secure a GELF HTTP input. However, when the input receives a message I get the following error in the logs:

2024-05-01T10:28:52.118-04:00 ERROR [AbstractTcpTransport] Error creating SSL context. Make sure the certificate and key are in the correct format: cert=X.509 key=PKCS#8
2024-05-01T10:28:52.119-04:00 WARN  [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0x3ab9833f, L:/10.11.12.41:12203 - R:/10.11.11.172:50197]
javax.net.ssl.SSLException: failed to set certificate and key
  at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext(ReferenceCountedOpenSslServerContext.java:138) ~[graylog.jar:?]
  at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:356) ~[graylog.jar:?]
  at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:336) ~[graylog.jar:?]
  at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:474) ~[graylog.jar:?]
  at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:610) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:377) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:338) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:334) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
  at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
  at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
  at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486) [graylog.jar:?]
  at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) [graylog.jar:?]
  at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167) [graylog.jar:?]
  at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) [graylog.jar:?]
  at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:406) [graylog.jar:?]
  at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [graylog.jar:?]
  at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
  at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
  at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
  at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.KeyStoreException: Certificate chain is not valid
  at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(Unknown Source) ~[?:?]
  at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(Unknown Source) ~[?:?]
  at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(Unknown Source) ~[?:?]
  at java.security.KeyStore.setKeyEntry(Unknown Source) ~[?:?]
  at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1113) ~[graylog.jar:?]
  at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext(ReferenceCountedOpenSslServerContext.java:123) ~[graylog.jar:?]
  ... 30 more

Any idea why the web interface would be able to use the certificate, but the GELF HTTP input is not?

Thanks

I figured it out! In the Securing Graylog with TLS guide, you combine the public certificate and the certificate chain files in one of the steps:

cat public.cert.pem public.chain.pem > public.pem

I was using the public.pem output from that step as the tls_cert_file for the GELF HTTP input. However, the correct file to use is the public.cert.pem file. I.e. the GELF HTTP input wants just the public certificate and not the whole chain.

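A small pre-flight check for the two formats the error line names (cert=X.509, key=PKCS#8), written for this thread as an added example; it is not code from the original post or from the Graylog project. It flags a cert file that carries the leaf plus the chain (the `cat public.cert.pem public.chain.pem` output) and a key file that is not an unencrypted PKCS#8 "BEGIN PRIVATE KEY" block. The PEM bodies below are constructed placeholders, not real DER.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PKCS8_LABEL = "PRIVATE KEY"                       # unencrypted PKCS#8
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}  # PKCS#1 / SEC1


def pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_input_tls_files(cert_text, key_text):
    """Return a list of problems; an empty list means the files look right for the input."""
    problems = []
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("cert file: no CERTIFICATE block found")
    elif len(certs) > 1:
        problems.append(f"cert file: {len(certs)} certificates found; "
                        "use the leaf certificate only, not the combined chain")
    labels = [label for label, _ in pem_blocks(key_text)]
    if PKCS8_LABEL not in labels:
        if "ENCRYPTED PRIVATE KEY" in labels:
            problems.append("key file: PKCS#8 key is encrypted; decrypt it or configure its password on the input")
        elif any(label in LEGACY_KEY_LABELS for label in labels):
            problems.append("key file: traditional PKCS#1/SEC1 key; convert with "
                            "'openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8.pem'")
        else:
            problems.append("key file: no private key block found")
    return problems


# Constructed sample files (base64 bodies are placeholders, not real certificates or keys).
LEAF = "-----BEGIN CERTIFICATE-----\nMIIBAAAAMIIBAAAA\n-----END CERTIFICATE-----\n"
CHAIN = "-----BEGIN CERTIFICATE-----\nMIIBBBBB\n-----END CERTIFICATE-----\n"
COMBINED = LEAF + CHAIN  # what `cat public.cert.pem public.chain.pem > public.pem` produces
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEAAAA\n-----END PRIVATE KEY-----\n"
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, cert, key in [("public.pem + pkcs8", COMBINED, PKCS8_KEY),
                            ("public.cert.pem + pkcs8", LEAF, PKCS8_KEY),
                            ("public.cert.pem + pkcs1", LEAF, PKCS1_KEY)]:
        print(name, "->", check_input_tls_files(cert, key) or "ok")
```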