Update: I found the solution, somewhat thanks to /u/jhxetc on Reddit. I went back to make sure my key formats were right, and I found the command I used to change the key into PKCS#8:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in loggingKey.pem -out graylogkey.pem -nocrypt
I wasn’t paying attention and stripped the password off of the key. I was still passing the password to the private key in my graylog config file, so it was trying to decrypt an already decrypted file, which then returned nothing useful.
Good luck to anyone who finds this.
(See the reddit thread here)
I’m running Graylog server (2.4.6-1) on Ubuntu (16.04 LTS). I have another OpenSSL-based CA, which I used to generate an SSL certificate for the Graylog sever. I configured my /etc/graylog/server/server.conf to set rest_enable_tls and web_enable_tls to true, and pointed them both at my key and cert files.
After struggling through for a while, I’ve ran into a problem I don’t know how to diagnose, this one:
2018-11-02T12:43:29.396-04:00 ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state. java.io.IOException: overrun, bytes = 1197 at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:92) ~[?:1.8.0_191] at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?] at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?] at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:382) ~[graylog.jar:?] at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:206) ~[graylog.jar:?] at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:140) ~[graylog.jar:?] at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?] at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]
I’m guessing it’s not happy with my private key file for my certificate, but I don’t know what specifically it’s not happy about. Is my key format wrong? Can I go somewhere to find more information?