Gelf Https certificate chain is not valid

innominate227 · May 1, 2024, 2:47pm

I am unable to setup a GELF HTTP input using tls. I was able to secure the graylog web interface using this guide. I thought I should be able to use the same key and cert file to secure a GELF HTTP input. However when the input receives a message I get the following error in the logs:

2024-05-01T10:28:52.118-04:00 ERROR [AbstractTcpTransport] Error creating SSL context. Make sure the certificate and key are in the correct format: cert=X.509 key=PKCS#8
2024-05-01T10:28:52.119-04:00 WARN  [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0x3ab9833f, L:/10.11.12.41:12203 - R:/10.11.11.172:50197]
javax.net.ssl.SSLException: failed to set certificate and key
  at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext(ReferenceCountedOpenSslServerContext.java:138) ~[graylog.jar:?]
  at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:356) ~[graylog.jar:?]
  at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:336) ~[graylog.jar:?]
  at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:474) ~[graylog.jar:?]
  at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:610) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:377) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:338) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:334) ~[graylog.jar:?]
  at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
  at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
  at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
  at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
  at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429) [graylog.jar:?]
  at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486) [graylog.jar:?]
  at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) [graylog.jar:?]
  at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167) [graylog.jar:?]
  at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) [graylog.jar:?]
  at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:406) [graylog.jar:?]
  at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [graylog.jar:?]
  at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
  at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
  at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
  at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.KeyStoreException: Certificate chain is not valid
  at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(Unknown Source) ~[?:?]
  at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(Unknown Source) ~[?:?]
  at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(Unknown Source) ~[?:?]
  at java.security.KeyStore.setKeyEntry(Unknown Source) ~[?:?]
  at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1113) ~[graylog.jar:?]
  at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext(ReferenceCountedOpenSslServerContext.java:123) ~[graylog.jar:?]
  ... 30 more

Any idea why the web interface would be able to use the certificate, but the GELF HTTP input is not?

Thanks

innominate227 · May 1, 2024, 3:16pm

I figured it out! In the Securing Graylog with TLS guide you combine the public certificate and the certificate chain files in one of the steps.

cat public.cert.pem public.chain.pem > public.pem

I was using the public.pem output from that step as the tls_cert_file for the gelf http input. However the correct file to use is the public.cert.pem file. Eg the gelf http input wants just the public certificate and not the whole chain.

system · May 15, 2024, 3:17pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GELF TCP Input Suddenly Broken Graylog Central (peer support)	5	1303	July 28, 2021
Cannot create input with https enabled Graylog Central (peer support)	2	985	April 17, 2020
Graylog not accepting messages over encrypted GELF Graylog Central (peer support)	2	1018	June 20, 2018
Client auth enabled not working with Letsencrypt certificate Graylog Central (peer support)	25	2370	July 16, 2019
Graylog TLS Input setup questions Graylog Central (peer support)	1	202	March 6, 2024

Gelf Https certificate chain is not valid

Related Topics