Graylog 3.2 HTTPS private key issue

Hi,

I referred to this resource URL https://docs.graylog.org/en/3.2/pages/configuration/https.html#ssl-setup for setting up Graylog web browsing in HTTPS mode.

I did the following steps in order to generate the self-signed certificate & private key:

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out graylog-cert.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out graylog-key.pem -passout pass:secret

cp -a /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.242.b08-0.el8_1.x86_64/lib/security/cacerts /etc/ssl/certs/cacerts.jks

keytool -importcert -keystore /etc/ssl/certs/cacerts.jks -storepass changeit -alias graylog-self-signed -file graylog-cert.pem

Finally I made the config change in server.conf and /etc/sysconfig/graylog-server.

I reloaded the daemon, and on starting graylog-server.service it's throwing the error below:

ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/ssl/certs/graylog-key.pem

I’m not sure why I’m getting the error on the graylog-key.pem.

Can you help me? If this gets fixed my cluster will be up with https mode.
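
A triage check for the error quoted in the post above, as an added example that is not part of the thread or of Graylog's own tooling: it separates a missing file from an unreadable one and, going beyond the error text, reports the PEM encoding, since the posted commands produce both an unencrypted and an encrypted PKCS#8 key. The function name, its return codes and the `graylog` service account name are assumptions.

```shell
# Added example (not from the thread): triage the key file named in Graylog's
# "Unreadable or missing HTTP private key" error.
# Return codes are this script's own convention:
#   0 unencrypted PKCS#8   1 missing          2 unreadable
#   3 encrypted PKCS#8     4 other PEM type   5 no PEM header
# Usage: check_graylog_key /etc/ssl/certs/graylog-key.pem [service-user]
check_graylog_key() {
    key=$1
    user=${2:-}   # optional service account; "graylog" is an assumed name

    if [ ! -e "$key" ]; then
        echo "missing: $key (was the generated key copied to this path?)"
        return 1
    fi

    # Test readability as the service account when one is given: a root-owned
    # 0600 file is readable to the admin but not to the service.
    if [ -n "$user" ] && [ "$user" != "$(id -un)" ]; then
        if ! sudo -n -u "$user" test -r "$key"; then
            echo "not readable as $user (or sudo refused): $key"
            return 2
        fi
    elif [ ! -r "$key" ]; then
        echo "unreadable: $key"
        return 2
    fi

    # The first PEM header line identifies the encoding without parsing the
    # key; tr strips a CR left behind by Windows line endings.
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$key" | tr -d '\r')
    case $header in
        '-----BEGIN PRIVATE KEY-----')
            echo "PKCS#8, unencrypted"; return 0 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo "PKCS#8, encrypted: http_tls_key_password must match"; return 3 ;;
        '-----BEGIN '*)
            echo "not PKCS#8: $header"; return 4 ;;
        *)
            echo "no PEM header found"; return 5 ;;
    esac
}
```

Run it against the path from the error message and pass the account that runs graylog-server as the second argument; file mode and every parent directory's search permission both affect the result.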

And

And many more if you search here.
Maybe all the same, and this is an old problem, but still no comment from Graylog.

Hi,

I tried to use HAProxy and configure HTTPS for the web interface.
I tried to browse after the configuration but was unable to access the site via HTTPS.

My HAProxy config code is below. Am I missing anything?

frontend graylog_https

    bind 192.168.1.50:443 ssl crt /etc/ssl/certs/collector.pem ciphers !aNULL:!MD5:AES128+EECDH:AES128+EDH:!RC4  no-sslv3
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    acl is_graylog hdr_dom(host) -i -m str graylogcollector.example.corp
    use_backend graylog if is_graylog

    # Distinguish between secure and insecure requests
    acl secure dst_port eq 443
    # Mark all cookies as secure if sent over SSL
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    # Add the HSTS header with a 1 year max-age
    rspadd Strict-Transport-Security:\ max-age=0

backend graylog

    description     The Graylog Secure Web backend.
    redirect scheme https if !{ ssl_fc }
    mode http
    balance roundrobin
    option httpchk HEAD /api/system/lbstatus
    http-request set-header X-Graylog-Server-URL https://graylogcollector.example.corp
    server graylog1 192.168.1.101:9000 maxconn 20 check
    server graylog2 192.168.1.102:9000 maxconn 20 check
