Graylog 2.4 Web HTTPS Login

Hello,

I’m running Graylog 2.4 and am trying to follow the document “Using HTTPS” listed here:
http://docs.graylog.org/en/2.4/pages/configuration/https.html
My host is a RHEL7.4 server, and I used the following document for the installation of Graylog2:
http://docs.graylog.org/en/2.4/pages/installation/os/centos.html - which was really simple.

I think I’m close to understanding this, but I’m missing something:

I’m able to follow this for the first couple of steps where one creates a self-signed cert, and then converts the key file from pkcs5 to pkcs8.

The next step confuses me for a couple of reasons:

  • First, it mentions that “PFX files are commonly used in Microsoft Windows.” How is that relevant? Am I supposed to do something on a Windows host for this?
    - Further in that section it shows steps that involve using a “keystore.pfx” file. Where does this file come from? Was this supposed to have been generated in some other part of the documentation?
    The three commands show the creation of files I’m supposed to refer to in the server.conf file. This makes sense, but I’m stuck since I don’t know where the “keystore.pfx” file came from.

Would someone be able to give me a hint on that bit?

I have searched extensively and found plenty of references to other folks having issues with getting this working.
I found a script that generates the right files (posted by Jan Doberstein - Thank You!) and used that. Using these cert files I was able to get the Web UI running, but now I get the following error from my browser:

We are experiencing problems connecting to the Graylog server running on http://<ipaddress>:9000/api/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.

Do you need a hand? We can help you.
More details

There is no indication of an issue in /var/log/graylog-server/server.log. It just shows a normal startup.
The host is listening on the following involved ports: 9000,9200,9300.

I am admittedly not super fluent in the topic of digital certificates, but I think my main issue is that I’m simply confused by the documentation.

Does this section also need to be executed?
“Converting an existing Java Keystore to private key/certificate pair”,

Does this section also need to be executed?
"Adding a self-signed certificate to the JVM trust store"
I’m running a single graylog host, so I assume not, but would appreciate some clarification.

So far, the documentation seems really good - it’s just this bit that’s confusing me.

Relevant lines from my server.conf file:

rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/certfiles/test/<hostname>.cert.pem
rest_tls_key_file = /etc/graylog/server/certfiles/test/<hostname>.pkcs8-encrypted.key.pem
rest_tls_key_password = secret
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certfiles/test/<hostname>.cert.pem
web_tls_key_file = /etc/graylog/server/certfiles/test/<hostname>.pkcs8-encrypted.key.pem
web_tls_key_password = secret
rest_listen_uri = http://<ip-address>:9000/api/
rest_transport_uri = http://<ip-address>:9000/api/
web_listen_uri = http://<ip-address>:9000/

Lastly, my end goal is to use my own signed digital cert. I’m trying to use the documentation to go through the steps first so I understand the process.

Thanks in advance for any guidance that might be offered.

-newstrom

Try using https:// instead of http:// in rest_listen_uri, rest_transport_uri, and web_listen_uri.

Only if you want to convert an existing Java key store into a PEM-encoded private key/certificate pair.

Yes.
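As an added example (not from the thread or from the Graylog project), a small POSIX shell check for the exact mismatch in the original post's server.conf: `*_enable_tls = true` while the listen/transport URIs still say `http://`, which is what leaves the web UI unable to reach the REST API. It assumes only the setting names shown in the post; the sample config it checks is constructed inline.

```shell
# Added example, not part of the thread: consistency check for a Graylog 2.4 server.conf.
# When rest_enable_tls / web_enable_tls are true, the matching listen/transport URIs must
# use https://. Returns 0 when consistent, 1 when a mismatch is found; prints each finding.
check_graylog_tls() {
    conf="$1"
    rc=0
    # read the last uncommented "key = value" line for a key, whitespace stripped
    getval() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1 | tr -d '[:space:]'; }

    rest_tls=$(getval rest_enable_tls)
    web_tls=$(getval web_enable_tls)
    for key in rest_listen_uri rest_transport_uri web_listen_uri; do
        uri=$(getval "$key")
        case "$key" in
            rest_*) tls="$rest_tls" ;;
            web_*)  tls="$web_tls" ;;
        esac
        # an unset URI falls back to Graylog's http:// default, so it is treated as http
        case "$tls:$uri" in
            true:https://*) ;;   # TLS on and https URI: consistent
            true:*)  echo "MISMATCH: $key = '$uri' but TLS is enabled (use https://)"; rc=1 ;;
            *:https://*) echo "MISMATCH: $key = '$uri' but TLS is not enabled"; rc=1 ;;
        esac
    done
    # certificate and key files named in the config must exist and be readable by us
    for key in rest_tls_cert_file rest_tls_key_file web_tls_cert_file web_tls_key_file; do
        f=$(getval "$key")
        [ -n "$f" ] && [ ! -r "$f" ] && { echo "MISSING: $key = $f is not readable"; rc=1; }
    done
    return $rc
}

# Constructed sample resembling the poster's config; $2 selects the URI scheme (http|https).
write_sample_conf() {
    cat > "$1" <<EOF
rest_enable_tls = true
web_enable_tls = true
rest_listen_uri = $2://192.0.2.10:9000/api/
rest_transport_uri = $2://192.0.2.10:9000/api/
web_listen_uri = $2://192.0.2.10:9000/
EOF
}
```

Run `check_graylog_tls /etc/graylog/server/server.conf` on a real host; the http:// variant of the sample reports three mismatches, the https:// variant none.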

Hej @newstrom

The next step confuses me for a couple of reasons:

The documentation on this part is not a step-by-step guide like the installation guides; this part includes all possible options and you just need to pick the steps you need. If you like, just step in and contribute to the documentation to make this more clear!

Hi,
Your suggestion of contribution is a very good one! I believe I will try to do just that once I’m convinced I understand the process clearly.

I have stepped through the “Adding a self-signed certificate to the JVM trust store” section and am still seeing the same message when I try to log into the web UI. Like before, there’s no indication of any issue in the server.log file either.

[root@ /]# cp /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts /etc/graylog/server/certfiles/test/cacerts.jks
[root@ /]# cd /etc/graylog/server/certfiles/test/
[root@ test]# keytool -importcert -keystore cacerts.jks -storepass changeit -alias graylog-self-signed -file .cert.pem
.
.
.
SHA1: 6F:1B:A4:D0:D6:73:AB:2B:E8:B6:DB:1B:1D:22:5B:42:60:F4:F9:B9

Trust this certificate? [no]: yes
Certificate was added to keystore
[root@ test]# keytool -keystore cacerts.jks -storepass changeit -list | grep graylog-self-signed -A1
graylog-self-signed, Feb 2, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 6F:1B:A4:D0:D6:73:AB:2B:E8:B6:DB:1B:1D:22:5B:42:60:F4:F9:B9

Is there any info I can give you?

And again - I thank you for your help!

-newstrom

I should also note that I adjusted the server.conf file as recommended, using https instead of http for the “rest_listen_uri” and “web_listen_uri” values:

rest_listen_uri = https://:9000/api/
web_listen_uri = https://:9000/

Should the “rest_transport_uri” use https as well?

Thanks!

Yes. Why would it use HTTP when everything else is using HTTPS?

I have created this little script ( https://github.com/jalogisch/bartwickelmaschine/tree/master/create_self_signed_ssl_certs ); maybe it can help you with that.

regards
Jan

Jan, I thank you again for the script. It’s what I used to create the cert files I’m currently using.

jochen, Thank you for confirming I should be using https for the rest_transport_uri value as well. You didn’t mention that in an earlier comment and I assumed you left it out purposefully.

Purposefully mentioned it here.

My mistake. I missed that as I read that line in your post.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.