Hello
I have trouble setting up TLS for my Graylog server.
I imported the OVA version 3.1 with Ubuntu. Graylog works great without TLS settings.
First I configured nginx with TLS; this works nicely, so I reach the site over TLS, but the site says Graylog is currently not reachable…
I also configured the server.conf file with the TLS settings, added the public cert to a copy of a Java cert store, and added the lines "-Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacertsNEW.jks -Djavax.net.ssl.trustStorePassword=changeit" in the file /etc/default/graylog-server.
The graylog-server log says:
2019-11-03T18:05:11.127+01:00 ERROR [ServerBootstrap] Unable to shutdown properly on time. {STOPPING=[JobSchedulerService [STOPPING]], TERMINATED=[InputSetupService [TERMINATED], PeriodicalsService [TERMINATED], StreamCacheService [TERMINATED], OutputSetupService [TERMINATED], MongoDBProcessingStatusRecorderService [TERMINATED], JournalReader [TERMINATED], BufferSynchronizerService [TERMINATED], LookupTableService [TERMINATED], EtagService [TERMINATED], GracefulShutdownService [TERMINATED], ConfigurationEtagService [TERMINATED], KafkaJournal [TERMINATED]], FAILED=[JerseyService [FAILED]]}
2019-11-03T18:05:11.128+01:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:148) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_222]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_222]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_222]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_222]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_222]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_222]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:344) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:169) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:143) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_222]
Can anyone help me out or give me any tips?
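The trace shows Graylog's PemKeyStore handing the key file to Java's EncryptedPrivateKeyInfo parser, which then fails inside the PBES2 parameter decoder, so the first thing worth checking is what encoding the key file actually has. The following is an added, stdlib-only Python inspector (not Graylog code and not from the original post) that reports whether a PEM file holds an unencrypted PKCS#8 key, a PKCS#1 RSA key, an OpenSSL legacy-encrypted PEM, or a PKCS#8 EncryptedPrivateKeyInfo and which password-based scheme it names; the two sample blocks at the bottom are constructed with dummy key bytes, only their DER structure is realistic.

```python
import base64
import re

# DER-encoded OIDs of common password-based encryption schemes (lookup table, not key material)
PBE_OIDS = {
    bytes.fromhex("2a864886f70d01050d"): "PBES2 (PKCS#5 v2.0)",
    bytes.fromhex("2a864886f70d010503"): "pbeWithMD5AndDES-CBC (PBES1)",
    bytes.fromhex("2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12 PBE)",
}

def _tlv(buf, pos):
    """Decode one DER tag/length/value at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def classify_pem_key(pem):
    """Describe the encoding of the first private-key block in the PEM text `pem`."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END", pem, re.S)
    label, body = m.group(1), m.group(2)
    if "Proc-Type: 4,ENCRYPTED" in body:               # OpenSSL's legacy PEM-level encryption
        return label + ", legacy OpenSSL PEM encryption (not PKCS#8)"
    _, outer, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    kids = _children(outer)
    if kids[0][0] == 0x02 and kids[1][0] == 0x30:      # version INTEGER, then AlgorithmIdentifier
        return "PKCS#8 PrivateKeyInfo, unencrypted"
    if kids[0][0] == 0x02 and kids[1][0] == 0x02:      # version INTEGER, then modulus INTEGER
        return "PKCS#1 RSAPrivateKey, unencrypted"
    if kids[0][0] == 0x30:                             # AlgorithmIdentifier first: encrypted PKCS#8
        oid = _children(kids[0][1])[0][1]
        return "PKCS#8 EncryptedPrivateKeyInfo, " + PBE_OIDS.get(oid, "OID " + oid.hex())
    return "unrecognised structure"

def der_elem(tag, content):                            # short-form DER only; builds the samples below
    return bytes([tag, len(content)]) + content

def pem_block(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)
# Constructed stand-ins with dummy key bytes; only the structure matters.
PKCS8_PLAIN = pem_block("PRIVATE KEY", der_elem(0x30, der_elem(0x02, b"\0") + der_elem(0x30, der_elem(0x06, bytes.fromhex("2a864886f70d010101")) + der_elem(0x05, b"")) + der_elem(0x04, b"\0" * 8)))
PKCS8_ENC = pem_block("ENCRYPTED PRIVATE KEY", der_elem(0x30, der_elem(0x30, der_elem(0x06, bytes.fromhex("2a864886f70d01050d")) + der_elem(0x30, b"")) + der_elem(0x04, b"\0" * 16)))
```

Run `classify_pem_key(open("/path/to/key.pem").read())` against the file named in server.conf; an "EncryptedPrivateKeyInfo, PBES2" result is the shape that reached the decoder in the trace above, while a "legacy OpenSSL PEM encryption" or unencrypted result means the server is being told to decrypt something it cannot parse that way.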