Ran into an issue configuring HTTPS on Graylog 3.2 when it comes to the PKCS8 key. When starting the server, I receive an error message in the log for JerseyService:
"Caused by: java.io.IOException: ObjectIdentifier() - data isn't an object ID (tag = 48)"
I’ve come across numerous other posts from earlier this year for the same issue in 3.2. The solution the majority of the time was to re-run the openssl conversion and create a plain unencrypted PKCS8 key.
From a security standpoint - is this safe? Wouldn’t it be preferred to use an encrypted key instead? Does anyone know of a better workaround or fix to this issue?
First and final bump, to see if anyone has any thoughts or suggestions about this. This seems important and it’s concerning that this has been avoided for many months.
I understand, from seeing many of your previous comments on other posts, that this is not preferred, and that it’s safer to use an issued certificate from a CA. I would argue that some people in certain environments do not have access to a CA and that a self-signed cert is their only option. I have not seen posts from previous versions of Graylog with this issue, at least not at the frequency that the current version has experienced.
I have wasted a lot of time with this problem, and when I had finally discovered how to proceed and went to open a post about this to share my way of proceeding, I found this thread.
The problem when using encrypted pkcs8 certs:
Caused by: java.io.IOException: ObjectIdentifier() - data isn't an object ID (tag = 48)
Just use the plain text file generated with:
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
Remember to change http_tls_key_file and comment out http_tls_key_password:
http_tls_key_file = /your-cert-path/pkcs8-plain.pem
Comment out: # http_tls_key_password =
You can make your key encrypted with:
openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 -in pkcs5-plain.pem -out file-encrypted.pem -passout pass:yourpasswordhere
You should also check that the certificate files have read permissions and belong to the graylog user:
chown graylog:graylog cert-files
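A small POSIX shell check, added here and not code from this thread or from Graylog, that ties the advice above together: it classifies the key file by its PEM header, accepts a plain PKCS#8 key only when its file mode is owner-only (the compensating control for dropping the key password), and reads http_tls_key_file / http_tls_key_password from a server.conf to confirm they match the key on disk. The config path and the sample key contents used in the checks are assumptions.

```shell
#!/bin/sh
# Classify a PEM key file by its armour header (constructed headers only;
# no key material is parsed). Prints one of:
#   pkcs8-plain | pkcs8-encrypted | traditional | unknown
classify_pem_key() {
    if grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8-plain
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
    elif grep -Eq '^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----' "$1"; then echo traditional
    else echo unknown
    fi
}

# A plain (unencrypted) key is only acceptable if nobody but its owner can
# read it. Returns 0 for mode 0600/0400, 1 otherwise (GNU stat, BSD fallback).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Read http_tls_key_file / http_tls_key_password from a Graylog server.conf
# (path is an assumption) and report whether they match the key on disk.
# Returns 0 only for the combination this thread found to work:
# plain PKCS#8, password line commented out, owner-only file mode.
check_graylog_tls_key() {
    conf=$1
    key=$(sed -n 's/^http_tls_key_file[[:space:]]*=[[:space:]]*//p' "$conf")
    pass=$(sed -n 's/^http_tls_key_password[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$key" ] && [ -r "$key" ] || { echo "http_tls_key_file missing or unreadable"; return 1; }
    case $(classify_pem_key "$key") in
        pkcs8-plain)
            [ -z "$pass" ] || { echo "plain key but http_tls_key_password is set; comment it out"; return 1; }
            key_mode_ok "$key" || { echo "plain key readable by others: chmod 600 and chown graylog:graylog"; return 1; }
            echo "ok: plain PKCS#8 key, no password, owner-only permissions"; return 0 ;;
        pkcs8-encrypted)
            echo "encrypted PKCS#8 key: Graylog 3.2 fails with 'tag = 48'; re-run openssl pkcs8 -topk8 -nocrypt"; return 1 ;;
        traditional)
            echo "PKCS#1/PKCS#5 key: convert with openssl pkcs8 -topk8 -nocrypt"; return 1 ;;
        *)  echo "unrecognised key format"; return 1 ;;
    esac
}
```

Run it as `check_graylog_tls_key /etc/graylog/server/server.conf` after editing the config; a non-zero exit with the printed reason tells you which of the three fixes from the thread still applies.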