Graylog 3.2 + https - pkix error

Hey guys

I know that there are a bunch of questions here about Graylog + HTTPS; I had read them and tried multiple times to set this up, but I couldn’t. Can you guys help?

Basically my problem is the same as the one posted here: Graylog 3.2 https problem (not by me)

I’m using Graylog 3.2 (the original install was 3.0, after this I upgraded to 3.1 and now Graylog 3.2.1+dbaac33 on sv (Private Build 1.8.0_242 on Linux 5.3.0-28-generic))

My OS is "Ubuntu 18.04.4 LTS (Bionic Beaver)", a VM on Hyper-V Server 2012

openssl-graylog.cnf is:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = BR
ST = PR
L = Matriz
O = My Company
OU = TI
CN = sv

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.20.11

I followed the Graylog 3.2 HTTPS documentation and these files were generated:

cert.pem
openssl-graylog.cnf
pkcs5-plain.pem
pkcs8-encrypted.pem
pkcs8-plain.pem

I copied the cacerts file to /etc/graylog/server/cacerts.jks, then imported cert.pem.

On /etc/defaults/graylog-server I added "-XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=pass"

My server.conf has:

http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert.pem
http_tls_key_file = /etc/graylog/server/pkcs8-encrypted.pem
http_tls_key_password = pass

When I restart the graylog service I end up with:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Can you guys help?

Thanks

What is your configuration in Graylog for the http_* settings at all?

Hi @jan

I tested with:

http_bind_address = 192.168.20.11:9000
http_external_uri = https://192.168.20.11:9000/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert.pem
http_tls_key_file = /etc/graylog/server/pkcs8-encrypted.pem
http_tls_key_password = pass

Hey @gfcarvalho

That looks OK, like it should.

The question now is: how did you import the cacert into the Java keystore at all?

Well, first I made a copy of the ‘cacerts’ file on the Graylog server:

cp -a /etc/ssl/certs/java/cacerts /etc/graylog/server/cacerts.jks

For some reason the file permissions weren’t OK, so in the /etc/graylog/server folder I used:

chmod --reference=server.conf cacerts.jks

And finally:

keytool -importcert -keystore /etc/graylog/server/cacerts.jks -storepass pass -alias graylog-self-signed -file cert.pem

On /etc/defaults/graylog-server I changed the GRAYLOG_SERVER_JAVA_OPTS to:

"-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=pass"

Hey @gfcarvalho

To import the CA, did you create a DER file from the CA pem, like I do here in the ShadowCA:

That might be the reason it is currently not working: that you do not have an x509 certificate. But that is just guessing.
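As an added example (not part of the thread and not Graylog's own tooling), a POSIX shell script for narrowing down this PKIX error from the defender's side: it compares, by SHA-256 fingerprint, the cert.pem on disk, the entry imported into cacerts.jks and the certificate the HTTPS endpoint actually presents, since a path-building failure means at least one of them disagrees or the JVM is reading a different truststore. The paths, alias, password and endpoint are the ones quoted above; the offline test certificate is constructed from an abridged copy of the thread's openssl-graylog.cnf.

```shell
#!/bin/sh
# Added example, not from the thread. A PKIX "unable to find valid certification path"
# error means the JVM truststore holds no anchor for the certificate the server presents.
# These helpers compare, by SHA-256 fingerprint, the cert.pem on disk, the entry in
# cacerts.jks and the certificate the live endpoint serves; all three must agree.
set -eu

# SHA-256 fingerprint ("AB:CD:...") of a certificate file; $2 is pem (default) or der.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "${2:-pem}" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate stored under alias $3 in JKS truststore $1 (password $2).
keystore_fingerprint() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    awk -F': ' '/SHA256:/ { print $2; exit }'
}

# Fingerprint of the certificate a TLS endpoint (host:port) actually presents.
served_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PEM to DER conversion; the fingerprint is taken over the DER bytes, so it must not change.
pem_to_der() { openssl x509 -in "$1" -inform pem -outform der -out "$2"; }
# Constructed test input: a self-signed cert from an abridged copy of the thread's
# openssl-graylog.cnf (same CN and SAN), written to $1/cert.pem and $1/key.pem.
make_test_cert() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_req' 'prompt = no' \
    '[dn]' 'C = BR' 'O = My Company' 'CN = sv' \
    '[v3_req]' 'keyUsage = keyEncipherment, dataEncipherment' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = @alt_names' '[alt_names]' 'IP.1 = 192.168.20.11' >"$1/openssl-graylog.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/openssl-graylog.cnf" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Production check with the thread's paths, alias and password; override via environment.
check_graylog() {
  disk=$(cert_fingerprint "${CERT_PEM:-/etc/graylog/server/cert.pem}")
  store=$(keystore_fingerprint "${TRUSTSTORE:-/etc/graylog/server/cacerts.jks}" \
    "${STOREPASS:-pass}" "${ALIAS:-graylog-self-signed}")
  live=$(served_fingerprint "${ENDPOINT:-192.168.20.11:9000}")
  printf 'disk  %s\nstore %s\nlive  %s\n' "$disk" "$store" "$live"
  [ -n "$disk" ] && [ "$disk" = "$store" ] && [ "$disk" = "$live" ]
}

case "${1:-}" in check) check_graylog ;; esac
```

Saved as, say, check-pkix.sh and run with `sh check-pkix.sh check` on the Graylog host: if disk and store agree but live differs, the server is presenting a different certificate than the one imported; if all three agree, the next thing to confirm is that the running JVM actually received the -Djavax.net.ssl.trustStore options (for example in `ps` output).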