Graylog crashes on startup if HTTPS is enabled

I tried the same for an Input. But still got a similar error.

2020-04-24T16:31:18.999+02:00 WARN [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0x86929380, L:/xxx.xxx.xxx.xxx:5044 - R:/xxx.xxx.xxx.xxx:56551]
java.lang.IllegalArgumentException: File does not contain valid private key: /etc/graylog/server/pem_key.pk8
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:350) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:107) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:329) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:305) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:301) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:956) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:502) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:417) [graylog.jar:?]
at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:474) [graylog.jar:?]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) [graylog.jar:?]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) [graylog.jar:?]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:387) [graylog.jar:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [graylog.jar:?]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:1072) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1133) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1113) ~[graylog.jar:?]
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:348) ~[graylog.jar:?]
… 26 more

I set up Apache as a reverse proxy for SSL; this works without any problem.

Is there a guide I can follow?

Here: https://docs.graylog.org/en/3.2/pages/configuration/https.html#ssl-setup
But I think this will not work. Or do you want information for the reverse proxy config?

Here are some specs of my test environment:
OS: CentOS Linux release 8.1.1911 (Core)
Java: openjdk version “1.8.0_242”
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
Graylog Server: 3.2.4

Hmm, that may be right! I’m using a single node setup, I think the HTTPS instructions are assuming you’re running multiple? haha

If you could share config for reverse proxy I think it’d help a ton. This will be my first time working with proxies and apache. :slight_smile:

I use a single node for this test environment too.
https://docs.graylog.org/en/3.2/pages/configuration/web_interface.html#apache-httpd-2-x
You can use a simple config like this for Apache.

What OS are you using?

Ubuntu 18.04.4

(empty space cause my comment has to be longer than 20 characters :joy:)

You can use something like this.

    ServerName your.host.name
    <VirtualHost *:80>
        ServerName your.host.name
        Redirect / https://your.host.name
    </VirtualHost>
    <VirtualHost *:443>
        ServerName your.host.name
        ProxyRequests Off
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/your.host.name.crt
        SSLCertificateKeyFile /etc/pki/tls/private/your.host.name.key
        SSLCertificateChainFile /etc/pki/tls/certs/ca.crt

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        <Location />
            RequestHeader set X-Graylog-Server-URL "https://your.host.name/"
            ProxyPass http://127.0.0.1:9000/
            ProxyPassReverse http://127.0.0.1:9000/
        </Location>
    </VirtualHost>

But I hope that someone can help with the real problem, the

data isn’t an object ID (tag = 48)

issue. I don’t know why my key file will not work.
Maybe @jan can help us?

Is your .key file not encrypted? If it is, shouldn’t I have to specify the password for it in here?

The key file is encrypted, as described in the doc.
X.509 for certificates and PKCS#8 for the private keys. Both are stored in PEM format.
And my CA and the cert are in the JKS cacerts for Graylog.
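The key described here is an encrypted PKCS#8 PEM, and the Java error names a DER tag (48, which is SEQUENCE) met where an OID was expected. As an added example that is not from this thread or from Graylog, this Python script walks just enough of a key's DER to report the PEM label, the PBE scheme and, for PBES2, the KDF, PRF and cipher, so the file's actual encoding can be compared with what the JDK accepts; the sample key is constructed (dummy salt, IV and ciphertext) and the OID table covers only the names the sample needs.

```python
# Added example (not from the thread): report what a PEM private key actually contains, so the Netty/Graylog "File does not contain valid private key" error can be matched to the key's encoding.
import base64, re

OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "2.16.840.1.101.3.4.1.42": "aes256-CBC", "1.2.840.113549.2.9": "hmacWithSHA256"}

def _tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long-form length: the next (ln & 0x7F) bytes hold it
        n = ln & 0x7F; ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(content):
    """OID content octets -> dotted string, mapped to a name when known."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [str(acc)], 0
    return OIDS.get(".".join(arcs), ".".join(arcs))

def classify_pem_key(pem):
    """PEM label plus, for encrypted PKCS#8, the PBE scheme (KDF, PRF and cipher for PBES2)."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m: return {"error": "no PEM block found"}
    info = {"label": m.group(1)}                  # "PRIVATE KEY" = plain PKCS#8, "RSA PRIVATE KEY" = PKCS#1
    if info["label"] != "ENCRYPTED PRIVATE KEY": return info
    der = base64.b64decode("".join(m.group(2).split()))
    algid = _tlv(_tlv(der)[1])[1]                 # EncryptedPrivateKeyInfo.encryptionAlgorithm
    _, oid, p = _tlv(algid)
    info["scheme"] = _oid(oid)
    if info["scheme"] == "PBES2":                 # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
        params = _tlv(algid, p)[1]; _, kdf, q = _tlv(params)
        info["kdf"], info["cipher"] = _oid(_tlv(kdf)[1]), _oid(_tlv(_tlv(params, q)[1])[1])
        kdfp, pos, info["prf"] = _tlv(kdf, _tlv(kdf)[2])[1], 0, "hmacWithSHA1 (default, field absent)"
        while pos < len(kdfp):                    # PBKDF2-params: salt, iterationCount, [keyLength], [prf]
            t, v, pos = _tlv(kdfp, pos)
            if t == 0x30:                         # prf is a nested AlgorithmIdentifier SEQUENCE (tag 0x30 = 48)
                info["prf"] = _oid(_tlv(v)[1])
    return info

def build_sample_pem():
    """Constructed sample: PBES2 / PBKDF2 with hmacWithSHA256 / aes256-CBC; dummy salt, IV and ciphertext."""
    enc = lambda tag, c: bytes([tag, len(c)]) + c  # short-form DER lengths are enough for this small sample
    oid = lambda h: enc(0x06, bytes.fromhex(h))
    prf = enc(0x30, oid("2a864886f70d0209") + enc(0x05, b""))
    kdf = enc(0x30, oid("2a864886f70d01050c") + enc(0x30, enc(0x04, bytes(8)) + enc(0x02, b"\x08\x00") + prf))
    cipher = enc(0x30, oid("60864801650304012a") + enc(0x04, bytes(16)))
    der = enc(0x30, enc(0x30, oid("2a864886f70d01050d") + enc(0x30, kdf + cipher)) + enc(0x04, bytes(16)))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % base64.b64encode(der).decode()
```

Point `classify_pem_key` at the contents of the real key file to see whether it is plain or encrypted PKCS#8 and which PBES2 parameters (the PRF field in particular) it carries.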

So, with Apache2 being the reverse proxy, does that mean I disable HTTPS for Graylog? So what’s basically happening is I’m routing secure traffic to Graylog through Apache first?

Correct, that is how I set it up. If I try to set it up without a reverse proxy, I have the same problem as you.
So I go with this… but I will secure the Inputs too. I tried this as well, but get the same problem there.

Okay. I changed Graylog to HTTP and configured Apache2 (Apache2’s service says it’s running fine) but when I try to access the hostname I get this:

This is repeating in the Apache2 error log:

AH01144: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

You have to use the right names, and the name(s) and IP(s) should be in your cert.

Never mind, got it. Had to enable the Apache2 module proxy_http.

It’s working!!! Thank you so much @x-wolverine-x!! You don’t know how long I’ve been working on getting Graylog to run HTTPS. You deserve a cookie my friend. :slight_smile::cookie:

You’re welcome, that’s the way it should be in a community. But I really hope that someone can say something about the real problem. If you want to secure your Inputs too… you will encounter the problem again. :frowning:

Yes, hopefully! I posted something about this months back but didn’t get much help :frowning:

:open_mouth: this is really bad… I hope it will change now :crossed_fingers:
