Hello,
I’m running Graylog 2.4 and am trying to follow the document “Using HTTPS” listed here:
http://docs.graylog.org/en/2.4/pages/configuration/https.html
My host is a RHEL7.4 server, and I used the following document for the installation of Graylog2:
http://docs.graylog.org/en/2.4/pages/installation/os/centos.html - which was really simple.
I think I’m close to understanding this, but I’m missing something:
I’m able to follow this for the first couple of steps where one creates a self-signed cert, and then converts the key file from pkcs5 to pkcs8.
The next step confuses me for a couple of reasons:
- First, it mentions that “PFX files are commonly used in Microsoft Windows.” How is that relevant? Am I supposed to do something on a Windows host for this?
- Further in that section it shows steps that involve using a “keystore.pfx” file. Where does this file come from? Was this supposed to have been generated in some other part of the documentation?
The three commands show the creation of files I’m supposed to refer to in the server.conf file. This makes sense, but I’m stuck since I don’t know where the “keystore.pfx” file came from.
Would someone be able to give me a hint on that bit?
I have searched extensively and found plenty of references to other folks having issues with getting this working.
I found a script that generates the right files (posted by Jan Doberstein - Thank You!) and used that. Using these cert files I was able to get the Web UI running, but now I get the following error from my browser:
We are experiencing problems connecting to the Graylog server running on http://<ipaddress>:9000/api/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
Do you need a hand? We can help you.
More details
There is no indication of an issue in /var/log/graylog-server/server.log. It just shows a normal startup.
The host is listening on the following involved ports: 9000,9200,9300.
I am admittedly not super fluent in the topic of digital certificates, but I think my main issue is that I’m simply confused by the documentation.
Does this section also need to be executed?
“Converting an existing Java Keystore to private key/certificate pair”
Does this section also need to be executed?
“Adding a self-signed certificate to the JVM trust store”
I’m running a single graylog host, so I assume not, but would appreciate some clarification.
So far, the documentation seems really good - it’s just this bit that’s confusing me.
Relevant lines from my server.conf file:
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/certfiles/test/<hostname>.cert.pem
rest_tls_key_file = /etc/graylog/server/certfiles/test/<hostname>.pkcs8-encrypted.key.pem
rest_tls_key_password = secret
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certfiles/test/<hostname>.cert.pem
web_tls_key_file = /etc/graylog/server/certfiles/test/<hostname>.pkcs8-encrypted.key.pem
web_tls_key_password = secret
rest_listen_uri = http://<ip-address>:9000/api/
rest_transport_uri = http://<ip-address>:9000/api/
web_listen_uri = http://<ip-address>:9000/
Lastly, my end goal is to use my own signed digital cert. I’m trying to use the documentation to go through the steps first so I understand the process.
Thanks in advance for any guidance that might be offered.
-newstrom
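A small consistency check for the server.conf keys listed in the post, added here as an example; it is not code from the post or from the Graylog project. It assumes POSIX sh with sed and grep, and that when rest_enable_tls or web_enable_tls is true the matching listen/transport URIs are meant to use https:// and the key file to be PKCS#8 PEM, as in the HTTPS guide the post links to.

```shell
#!/bin/sh
# Added example (not from the post or from Graylog). Reads a Graylog 2.4
# server.conf and reports:
#   - rest_enable_tls / web_enable_tls = true while the matching
#     listen/transport URI still uses http://
#   - a cert or key file path that is missing or unreadable
#   - a key file that is not PKCS#8 PEM ("BEGIN PRIVATE KEY" or
#     "BEGIN ENCRYPTED PRIVATE KEY"); a PKCS#1 "BEGIN RSA PRIVATE KEY" is flagged
# Prints one line per finding and succeeds only when there are none.

# conf_get FILE KEY -> last value assigned to KEY, whitespace trimmed
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# scheme_ok NAME URI -> prints a finding unless URI starts with https://
scheme_ok() {
    case "$2" in
        https://*) return 0 ;;
        *) echo "$1 = $2 (TLS is enabled, expected an https:// URI)"; return 1 ;;
    esac
}

# check_graylog_tls FILE -> exit 0 when there are no findings, 1 otherwise
check_graylog_tls() {
    conf="$1"; problems=0
    for svc in rest web; do
        [ "$(conf_get "$conf" "${svc}_enable_tls")" = "true" ] || continue
        scheme_ok "${svc}_listen_uri" "$(conf_get "$conf" "${svc}_listen_uri")" \
            || problems=$((problems + 1))
        if [ "$svc" = rest ]; then
            # rest_transport_uri is the address the web interface hands to browsers
            scheme_ok rest_transport_uri "$(conf_get "$conf" rest_transport_uri)" \
                || problems=$((problems + 1))
        fi
        cert=$(conf_get "$conf" "${svc}_tls_cert_file")
        key=$(conf_get "$conf" "${svc}_tls_key_file")
        [ -r "$cert" ] || { echo "${svc}_tls_cert_file = $cert is missing or unreadable"; problems=$((problems + 1)); }
        if [ -r "$key" ]; then
            grep -q '^-----BEGIN \(ENCRYPTED \)\{0,1\}PRIVATE KEY-----' "$key" \
                || { echo "${svc}_tls_key_file = $key is not a PKCS#8 PEM key"; problems=$((problems + 1)); }
        else
            echo "${svc}_tls_key_file = $key is missing or unreadable"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

if [ "$#" -gt 0 ]; then check_graylog_tls "$1"; fi
```

Run it as `sh check_tls.sh /etc/graylog/server/server.conf`; an empty output and a zero exit status mean the TLS keys are consistent with each other.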