Graylog 3.1 setting up TLS single node

Hello

I have trouble setting up TLS for my Graylog server.

I imported the OVA version 3.1 with Ubuntu. Graylog works great without TLS settings.

First I configured nginx with TLS. This works nicely, so I can reach the site over TLS, but the site says Graylog is currently not reachable…

I also configured the server.conf file with the TLS settings, added the public cert to a copy of a Java cert store, and added the lines "-Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacertsNEW.jks -Djavax.net.ssl.trustStorePassword=changeit" to the file /etc/default/graylog-server.

The graylog-server log says:

2019-11-03T18:05:11.127+01:00 ERROR [ServerBootstrap] Unable to shutdown properly on time. {STOPPING=[JobSchedulerService [STOPPING]], TERMINATED=[InputSetupService [TERMINATED], PeriodicalsService [TERMINATED], StreamCacheService [TERMINATED], OutputSetupService [TERMINATED], MongoDBProcessingStatusRecorderService [TERMINATED], JournalReader [TERMINATED], BufferSynchronizerService [TERMINATED], LookupTableService [TERMINATED], EtagService [TERMINATED], GracefulShutdownService [TERMINATED], ConfigurationEtagService [TERMINATED], KafkaJournal [TERMINATED]], FAILED=[JerseyService [FAILED]]}
2019-11-03T18:05:11.128+01:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:148) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_222]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_222]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_222]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_222]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_222]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:344) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:169) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:143) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_222]

Can anyone help me out or have any tips for me?

What are your http_* settings in your Graylog configuration?

Hey jan, thanks for your response.

http_bind_address = 0.0.0.0:9000

http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/certs/graylog-public.pem
http_tls_key_file = /etc/graylog/server/certs/graylog-private.pem
http_tls_key_password = password

All other settings are default.

Does the certificate contain all possible IPs that the server has assigned? Because you used a wildcard for the bind address, Graylog will use “the first” IP to set the publish URI too, and if that is not included in the certificate, Graylog will fail to connect to itself.

The certificate contains one IP address, the one I configured in netplan.

There are just 2 network interfaces up. Should I add the loopback address to the certificate?

If I change “http_bind_address” to the private address 192.168.0.99, which is in the certificate, the same error occurs.

And the JKS contains the certificate / CA so that the certificate can be verified?

Yes, I added the public cert to the JKS.

Happy birthday, jan!

Do you have any idea what the problem is, or do you have more tips?

Hey @happydayxxl

I checked for the error message in the stack trace and found the following:

https://knowledge.digicert.com/solution/SO874.html

Maybe that is something that is related to you.

Hey @jan

I checked out my JKS:

Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

I used that doc to generate my key:
https://docs.graylog.org/en/3.1/pages/secure/sec_adcs_certificates.html

My error is:

Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)

One more question: should the public key which I added in server.conf be without the parameters “bag attributes” or “subject”?
And should it include the issuing certs as well?

Could that be my problem, or is it in my JKS?

Sorry, I do not know how to use the Windows CA - maybe @Totally_Not_A_Robot can jump in?
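
Added example, not part of the thread: the trace above fails in PBES2Parameters.engineInit, reached from PemKeyStore.generateKeySpec, so the exception is raised while Graylog decodes the password-protected http_tls_key_file, not while reading the JKS trust store; tag 48 is 0x30, a DER SEQUENCE, found where an OID was expected. This Python sketch reads which password-based encryption scheme a PKCS#8 PEM declares, skipping any Bag Attributes preamble; the function names and the sample PEMs are constructed for illustration.

```python
import base64, re

PBES2 = "1.2.840.113549.1.5.13"            # PKCS#5 v2 scheme
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"  # PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(body):
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def key_encryption_oid(pem_text):
    """OID of encryptionAlgorithm in a PKCS#8 PEM, or None if not encrypted PKCS#8."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != "ENCRYPTED PRIVATE KEY":
        return None
    der = base64.b64decode(m.group(2))
    _, pos, _ = _tlv(der, 0)               # EncryptedPrivateKeyInfo SEQUENCE
    _, pos, _ = _tlv(der, pos)             # encryptionAlgorithm SEQUENCE
    tag, start, end = _tlv(der, pos)       # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID, got tag %d" % tag)
    return _oid(der[start:end])

def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (samples are tiny)

def constructed_pem(oid_hex, label="ENCRYPTED PRIVATE KEY"):
    """Constructed sample: PKCS#8 header layout, dummy ciphertext, Bag Attributes preamble."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x30, b""))
    body = base64.b64encode(_der(0x30, alg + _der(0x04, bytes(16)))).decode()
    return ("Bag Attributes\n    friendlyName: constructed\n"
            f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")

if __name__ == "__main__":
    for name, oid in (("PBES2", "2a864886f70d01050d"), ("PBE-SHA1-3DES", "2a864886f70d010c0103")):
        print(name, key_encryption_oid(constructed_pem(oid)))
```

A key written by `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` reports the second OID rather than PBES2.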

Another useless post by Jan who wants to just get his name everywhere. The issue is if you make a new java cert file you need to set graylog to use the new java store and not the old one. It is much quicker to just ignore the docs and add it to the existing cert store and “pollute” it. (drop the .jks if it is not on the file)

Go to https://docs.graylog.org/en/3.1/pages/configuration/https.html
Then ignore “Adding a self-signed certificate to the JVM trust store”

Then instead of
$ keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias graylog-self-signed -file cert.pem

do
$ keytool -importcert -keystore /path/to/cacerts -storepass changeit -alias graylog-self-signed -file cert.pem   # /path/to/cacerts is the real one

Dear @Someitadmin, I just want to point, in a friendly way, to our FAQ ( https://community.graylog.org/faq ). Think about your tone and intention.

If you want to vent - do not do this in this community.
