Getting JerseyService Errors on my SSL Certificate's Private Key


#1

Update: I found the solution, somewhat thanks to /u/jhxetc on Reddit. I went back to make sure my key formats were right, and I found the command I used to change the key into PKCS#8:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in loggingKey.pem -out graylogkey.pem -nocrypt

I wasn’t paying attention and stripped the password off of the key. I was still passing the password to the private key in my graylog config file, so it was trying to decrypt an already decrypted file, which then returned nothing useful.

Good luck to anyone who finds this.
(See the reddit thread here)
Hi everyone,
I’m running Graylog server (2.4.6-1) on Ubuntu (16.04 LTS). I have another OpenSSL-based CA, which I used to generate an SSL certificate for the Graylog server. I configured my /etc/graylog/server/server.conf to set rest_enable_tls and web_enable_tls to true, and pointed them both at my key and cert files.
After struggling through for a while, I’ve run into a problem I don’t know how to diagnose, this one:

2018-11-02T12:43:29.396-04:00 ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state.
java.io.IOException: overrun, bytes = 1197
	at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:92) ~[?:1.8.0_191]
	at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
	at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
	at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:382) ~[graylog.jar:?]
	at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:206) ~[graylog.jar:?]
	at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:140) ~[graylog.jar:?]
	at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
	at com.google.common.util.concurrent.Callables$4.run(Callables.java:122) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191] 

I’m guessing it’s not happy with my private key file for my certificate, but I don’t know what specifically it’s not happy about. Is my key format wrong? Can I go somewhere to find more information?
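The root cause the poster found is a mismatch between the key file and the configuration: `-nocrypt` produces an unencrypted PKCS#8 `PrivateKeyInfo`, but a key password was still configured, so Graylog tried to parse it as an `EncryptedPrivateKeyInfo` and Java's `javax.crypto.EncryptedPrivateKeyInfo` constructor failed. The following stand-alone check, an added example that is not from this thread or from Graylog, tells the two PKCS#8 structures apart (by PEM label and by the first element inside the outer DER SEQUENCE) and reports when the configured password does not match the key. The sample PEM blocks are constructed, minimal DER with dummy key material rather than real keys, and the config option name `rest_tls_key_password` is assumed to be the Graylog 2.x setting for the key password.

```python
import base64
import re

# --- constructed sample keys (not real keys): minimal hand-built DER ---------

def _der(tag, body):
    """Encode one DER TLV (short form and one/two-byte long length forms)."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption
PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # 1.2.840.113549.1.5.13 PBES2

# PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, privateKey OCTET STRING }
UNENCRYPTED_DER = _der(0x30,
    _der(0x02, b"\x00")
    + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    + _der(0x04, b"\x01\x02\x03"))
# EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, encryptedData OCTET STRING }
ENCRYPTED_DER = _der(0x30,
    _der(0x30, _der(0x06, PBES2_OID))
    + _der(0x04, b"\xaa\xbb\xcc"))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

SAMPLE_UNENCRYPTED_PKCS8 = _pem("PRIVATE KEY", UNENCRYPTED_DER)      # what -nocrypt writes
SAMPLE_ENCRYPTED_PKCS8 = _pem("ENCRYPTED PRIVATE KEY", ENCRYPTED_DER)  # what -topk8 without -nocrypt writes
SAMPLE_ENCRYPTED_LEGACY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    + base64.b64encode(b"\xaa" * 16).decode() + "\n-----END RSA PRIVATE KEY-----\n")

# --- the check ---------------------------------------------------------------

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def _der_len(buf, i):
    """Return (length, index of first content byte) for the DER length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_key(pem_text):
    """Classify a PEM private key by label and, for PKCS#8, by the outer DER structure."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "no-pem-block"
    label, body = m.group(1), m.group(2)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"):
        # traditional OpenSSL format; encryption is signalled by a Proc-Type header
        return "legacy-encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "legacy-unencrypted"
    if label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return "not-a-private-key"
    der = base64.b64decode("".join(body.split()))
    if not der or der[0] != 0x30:
        return "malformed-der"
    _, i = _der_len(der, 1)
    if der[i] == 0x02:      # version INTEGER first -> PrivateKeyInfo
        structure = "pkcs8-unencrypted"
    elif der[i] == 0x30:    # AlgorithmIdentifier first -> EncryptedPrivateKeyInfo
        structure = "pkcs8-encrypted"
    else:
        return "malformed-der"
    expected = "pkcs8-encrypted" if label == "ENCRYPTED PRIVATE KEY" else "pkcs8-unencrypted"
    return structure if structure == expected else "label-mismatch"

def check_key_against_config(pem_text, key_password):
    """Compare the key's structure with whether a key password is configured."""
    kind = classify_key(pem_text)
    has_password = bool(key_password)
    if kind == "pkcs8-encrypted" and not has_password:
        return "encrypted PKCS#8 key but no key password configured"
    if kind == "pkcs8-unencrypted" and has_password:
        return ("unencrypted PKCS#8 key but a key password is configured: "
                "remove the password or re-run openssl pkcs8 -topk8 without -nocrypt")
    if kind.startswith("legacy"):
        return "traditional OpenSSL key: convert it with openssl pkcs8 -topk8 first"
    if kind in ("pkcs8-encrypted", "pkcs8-unencrypted"):
        return "ok"
    return f"cannot use key: {kind}"

if __name__ == "__main__":
    # The poster's situation: key converted with -nocrypt, rest_tls_key_password still set.
    print(check_key_against_config(SAMPLE_UNENCRYPTED_PKCS8, "changeme"))
    print(check_key_against_config(SAMPLE_ENCRYPTED_PKCS8, "changeme"))
    print(check_key_against_config(SAMPLE_ENCRYPTED_LEGACY, None))
```

To run it against a real deployment, read the configured key file into `pem_text` and pass the value of the key password setting; either an unencrypted key with a password configured or an encrypted key with none will be reported before the service is restarted.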


#2

Did you copy and add the Java keystore to your Graylog file?

cp -a /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts /etc/graylog/certs/cacerts.jks

keytool -importcert -keystore /etc/graylog/certs/cacerts.jks -storepass changeit -alias graylog-self-signed -file cert.pem

Append -Djavax.net.ssl.trustStore to GRAYLOG_SERVER_JAVA_OPTS in the file /etc/default/graylog, or wherever your /bin/graylog file is located:

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx10g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/certs/cacerts.jks"