Graylog and https and cert

My head is spinning so, I need to check…
I have nginx reverse proxy that serves https.
Is it correct to use that same cert and key for Graylog when enabling TLS (for https traffic)?

So when adding cert and key as serverFiles for enabling the TLS, I only need to make sure that they are in correct format?

Right?

I keep getting “Caused by: java.security.KeyException: No private key found in file: /etc/graylog/server/server.key”
But the file exists. Would the exception be the same if it would be about the format?

And if I add the files as serverFiles, I guess the permissions are correct out of the box?
(graylog 1.7.9 · KongZ/kong-z)

@tatuh
Hello,

Maybe I can help you on this issue.

Yes, it's possible to use the same certs, and I have for my lab Graylog 4.0.6 Server.
I’m using Apache, but I believe you can also use your certs with Nginx.

Yes, it also depends on where and how you created your certs.

Can Graylog access those Certs?
What method did you use to create your Certs for Graylog?

This may help.
Caused by: java.security.KeyException: No private key found in file:

I haven’t used that before so I’m unsure.
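For the format question raised above, a small check that reports which PEM encoding a key file holds. This is an added example, not code from anyone in this thread or from Graylog; it assumes Graylog's documented requirement of a PEM-encoded PKCS#8 private key, and the function names `pem_key_kind` and `check_graylog_key` are made up here.

```shell
#!/bin/sh
# Added example: classify a key file by its PEM header line.
# Prints: pkcs8, pkcs8-encrypted, pkcs1-rsa, sec1-ec, certificate-only,
#         not-pem, missing or unreadable.
pem_key_kind() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    [ -r "$f" ] || { echo unreadable; return 0; }
    if grep -q -e '^-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8
    elif grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted
    elif grep -q -e '^-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        echo pkcs1-rsa
    elif grep -q -e '^-----BEGIN EC PRIVATE KEY-----' "$f"; then
        echo sec1-ec
    elif grep -q -e '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo certificate-only      # a certificate was saved where the key belongs
    else
        echo not-pem               # e.g. DER/binary or an empty file
    fi
}

# Exit status 0 only when the file is a PEM PKCS#8 key (assumed requirement).
check_graylog_key() {
    kind=$(pem_key_kind "$1")
    case $kind in
        pkcs8|pkcs8-encrypted)
            echo "$1: $kind (PEM PKCS#8)"; return 0 ;;
        pkcs1-rsa|sec1-ec)
            echo "$1: $kind; convert with:"
            echo "  openssl pkcs8 -topk8 -nocrypt -in $1 -out $1.pk8"
            return 1 ;;
        *)
            echo "$1: $kind, no usable PEM private key"; return 1 ;;
    esac
}

# Demo on a constructed file (header lines only, no real key material).
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$demo"
check_graylog_key "$demo" || true
rm -f "$demo"
```

Run it as the account Graylog runs under, so that `unreadable` reflects what the server process can actually open.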

You can check with this. I’ve done the same setting from the Graylog official page and it worked for me!

server {
    listen 443 ssl http2;
    server_name graylog.example.org;
    # ← your SSL Settings here!

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_pass       http://127.0.0.1:9000;
    }
}

Thank you so much for the advice.

Managed to add cert and key correctly. TLS is now enabled.

But now I’m getting “502 bad gateway - nginx”, for both http and https.

Edit: fixed the 502, needed annotation for nginx:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol

Web interface is working now on https. But /api is failing, I guess I need to add the cert to the JVM trust store and use it, as pointed out in the documentation.

Just having trouble doing it on k8s, which makes me wonder whether it would be nice to have a CA-signed certificate. Atm, trying to follow the script over here: [stable/graylog] elasticsearch and tls · Issue #17399 · helm/charts · GitHub
