Graylog 3.2 HTTPS private key issue

Graylog Central (peer support)
1

Hi,

I referred this resource url https://docs.graylog.org/en/3.2/pages/configuration/https.html#ssl-setup for setting up Graylog web browsing into https mode.

did the following steps in order to generate the self-signed-certificate & private key

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out graylog-cert.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out graylog-key.pem -passout pass:secret

cp -a /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.242.b08-0.el8_1.x86_64/lib/security/cacerts /etc/ssl/certs/cacerts.jks

keytool -importcert -keystore /etc/ssl/certs/cacerts.jks -storepass changeit -alias graylog-self-signed -file graylog-cert.pem

Finally did the config change into the server.conf and /etc/sysconfig/graylog-server

reloaded the deamon and startign the graylog-server.service its throwing error as below

ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/ssl/certs/graylog-key.pem

I’m not sure why I’m getting the error on the graylog-key.pem

Can you help me? If this gets fixed my cluster will be up with https mode.

2

And

And many more if you search here.
Maybe all the same, and this is a old problem, but still no comment from graylog.

3

Hi,

I tried to use the HAProxy and configure the https for the web interface.
I tried to browse after the configuration but unable to access the site via https.

My HAproxy Config code. Am i missing anything.

frontend graylog_https

    bind 192.168.1.50:443 ssl crt /etc/ssl/certs/collector.pem ciphers !aNULL:!MD5:AES128+EECDH:AES128+EDH:!RC4  no-sslv3
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    acl is_graylog hdr_dom(host) -i -m str graylogcollector.example.corp
    use_backend graylog if is_graylog

    # Distinguish between secure and insecure requests
    acl secure dst_port eq 443
    # Mark all cookies as secure if sent over SSL
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    # Add the HSTS header with a 1 year max-age
    rspadd Strict-Transport-Security:\ max-age=0

backend graylog

    description     The Graylog Secure Web backend.
    redirect scheme https if !{ ssl_fc }
    mode http
    balance roundrobin
    option httpchk HEAD /api/system/lbstatus
    http-request set-header X-Graylog-Server-URL https://graylogcollector.example.corp
    server graylog1 192.168.1.101:9000 maxconn 20 check
    server graylog2 192.168.1.102:9000 maxconn 20 check
4
5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.