I followed all the instructions on http://docs.graylog.org/en/3.2/pages/configuration/https.html#things-to-consider
including importing the certificate I issued Graylog into the JVM keystore (I would’ve imported my actual CA’s certificate, but I read that the JVM can’t support 4096-bit key lengths?), and every time Graylog tries starting it crashes with this Java exception:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:347) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:172) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:146) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_242]
I cannot find online what Java means in this case by “data isn’t an object ID”…
I tried the same for an Input, but still got a similar error.
2020-04-24T16:31:18.999+02:00 WARN [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0x86929380, L:/xxx.xxx.xxx.xxx:5044 - R:/xxx.xxx.xxx.xxx:56551]
java.lang.IllegalArgumentException: File does not contain valid private key: /etc/graylog/server/pem_key.pk8
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:350) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:107) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:329) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:305) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:301) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:956) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:502) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:417) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:474) [graylog.jar:?]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [graylog.jar:?]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [graylog.jar:?]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:387) [graylog.jar:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [graylog.jar:?]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:1072) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1133) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1113) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:348) ~[graylog.jar:?]
… 26 more
I set up an Apache as a reverse proxy for SSL; this works without any problem.
Is there a guide I can follow?
Here: https://docs.graylog.org/en/3.2/pages/configuration/https.html#ssl-setup
But this will not work, I think. Or do you want information for the reverse proxy config?
Here are some specs of my test environment:
OS: CentOS Linux release 8.1.1911 (Core)
Java: openjdk version “1.8.0_242”
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
Graylog Server: 3.2.4
Hmm, that may be right! I’m using a single node setup; I think the HTTPS instructions are assuming you’re running multiple? haha
If you could share config for reverse proxy I think it’d help a ton. This will be my first time working with proxies and apache.
I use a single node for this test environment too.
https://docs.graylog.org/en/3.2/pages/configuration/web_interface.html#apache-httpd-2-x
You can use a simple config like this for Apache.
Ubuntu 18.04.4
(empty space because my comment has to be longer than 20 characters)
You can use something like this.
ServerName your.host.name
<VirtualHost *:80>
    ServerName your.host.name
    Redirect / https://your.host.name
</VirtualHost>
<VirtualHost *:443>
    ServerName your.host.name
    ProxyRequests Off
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/your.host.name.crt
    SSLCertificateKeyFile /etc/pki/tls/private/your.host.name.key
    SSLCertificateChainFile /etc/pki/tls/certs/ca.crt
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        RequestHeader set X-Graylog-Server-URL "https://your.host.name/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
</VirtualHost>
But I hope that someone can help with the real problem, the
data isn’t an object ID (tag = 48)
issue. I don’t know why my key file will not work.
Maybe @jan can help us?
Is your .key file not encrypted? If it is, shouldn’t I have to specify the password for it in here?
The key file is encrypted, as described in the doc.
X.509 for certificates and PKCS#8 for the private keys. Both are stored in PEM format.
And my CA and the cert are in the JKS cacerts for Graylog.
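Tag 48 is 0x30, the DER tag of a SEQUENCE: the JVM's OID reader met a SEQUENCE where the PBES2 parameter parser expected an OBJECT IDENTIFIER, so the failure is in decoding the encryption header of the PKCS#8 file, before any key material is touched. The stdlib-only helper below is added here and is not part of this thread or of Graylog; it decodes that header (scheme, KDF, PRF, cipher, iteration count) so the declared algorithms can be compared with what the runtime in use supports before re-encrypting the key. The embedded sample DER is constructed, not a real key, and the OID table is limited to the algorithms named in it.

```python
import base64

OID_NAMES = {  # OIDs commonly found in the PBES2 header of an encrypted PKCS#8 key
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.2.840.113549.3.7": "des-EDE3-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC"}

def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, used by any real-size key
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) elements of a SEQUENCE body
    pos, items = 0, []
    while pos < len(value):
        tag, val, pos = tlv(value, pos); items.append((tag, val))
    return items

def oid_name(raw):
    """Dotted OID from its content bytes, mapped to a name when known."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(str(val)); val = 0
    return OID_NAMES.get(".".join(arcs), ".".join(arcs))

def describe_pkcs8(pem):
    """Scheme, KDF, PRF, cipher and iterations declared by an ENCRYPTED PRIVATE KEY PEM."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, alg, _ = tlv(tlv(base64.b64decode(body))[1])   # EncryptedPrivateKeyInfo.encryptionAlgorithm
    (_, scheme), (_, params) = children(alg)
    out = {"scheme": oid_name(scheme)}
    if out["scheme"] != "PBES2": return out           # PBES1 (e.g. PBE-SHA1-3DES): no KDF/cipher split
    (_, kdf), (_, enc) = children(params)             # PBES2-params: keyDerivationFunc, encryptionScheme
    (_, kdf_oid), (_, kdf_params) = children(kdf)
    fields = children(kdf_params)                     # salt, iterationCount, [keyLength], [prf]
    prf = [v for t, v in fields[2:] if t == 0x30]     # an absent PRF means hmacWithSHA1 (RFC 8018)
    out.update(kdf=oid_name(kdf_oid), iterations=int.from_bytes(fields[1][1], "big"),
               prf=oid_name(children(prf[0])[0][1]) if prf else "hmacWithSHA1",
               cipher=oid_name(children(enc)[0][1]))
    return out

# Constructed sample, not a real key: PBES2 / PBKDF2 (2048 iterations, hmacWithSHA256) / aes256-CBC
SAMPLE_DER = bytes.fromhex(
    "306b" "3057" "06092a864886f70d01050d" "304a"                       # EPKI, AlgId, PBES2, params
    "3029" "06092a864886f70d01050c" "301c" "0408" "0000000000000000"   # kdf AlgId, PBKDF2, params, salt
    "0202" "0800" "300c" "06082a864886f70d0209" "0500"                 # iterations, prf AlgId, NULL
    "301d" "060960864801650304012a" "0410" + "00" * 16 + "0410" + "aa" * 16)  # enc AlgId, IV, data
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Running describe_pkcs8 on the text of a real pem_key.pk8 lists the declared algorithms; anything the table does not name comes back as a dotted OID.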
So, with Apache2 being the reverse proxy, does that mean I disable HTTPS for Graylog? So what’s basically happening is I’m routing secure traffic to Graylog through Apache first?
Correct, that is how I set it up. If I try to set it up without a reverse proxy, I have the same problem as you.
So I go with this… but I will secure the Inputs too. So I tried this also, but got this problem there as well.
Okay. I changed Graylog to HTTP and configured Apache2 (Apache2’s service says it’s running fine) but when I try to access the hostname I get this:
This is repeating in the Apache2 error log:
AH01144: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
You have to use the right names, and the name(s) and IP(s) should be in your cert.
Never mind, got it. Had to enable Apache2 mod proxy_http.
It’s working!!! Thank you so much @x-wolverine-x!! You don’t know how long I’ve been working on getting Graylog to run HTTPS. You deserve a cookie my friend.
You’re welcome, that’s the way it should be in a community. But I really hope that someone can say something about the real problem. If you want to secure your Inputs too… you will encounter the problem again.
Yes, hopefully! I posted something about this months back but didn’t get much help
This is really bad… I hope it will change now.