Graylog-ctl AMI HTTPS issues


#1

Currently I am running 3 instances with the graylog ami (graylog-2.4.6-1).
2 for Elasticsearch and 1 for web/mongo.

When doing a fresh install, I have no issues getting everything up and running, but whenever I attempt to add SSL, it all blows up.

Steps taken on webserver:

  • Copy SSL cert/keys into /opt/graylog/conf/nginx/ca/graylog.crt and /opt/graylog/conf/nginx/ca/graylog.key
  • graylog-ctl set-admin-password
  • graylog-ctl enforce-ssl
  • graylog-ctl set-external-ip https://<domain_name>:9000/api/ (note: I’ve already tried with the public IP as well, with and without SSL)
  • graylog-ctl reconfigure-as-server

(Pretty much following the directions from http://docs.graylog.org/en/2.4/pages/configuration/graylog_ctl.html#install-custom-ssl-certificates )

Once restarted it comes up and starts to load and provides the following error:
We are experiencing problems connecting to the Graylog server running on https://<domain_name>:9000/api/ . Please verify that the server is healthy and working correctly.

I’m kind of at a loss and have searched on this issue without finding a resolution.


(marius) #2

Hi,
did you follow the ‘Multi VM’ steps documented here: http://docs.graylog.org/en/2.4/pages/configuration/graylog_ctl.html#multi-vm-setup
Especially the set-cluster-master command is essential to propagate the IP addresses of all nodes in the cluster.

Another option to locate the problem would be to start with a single node that runs all services ( graylog-ctl enable-all-services followed by graylog-ctl reconfigure). If SSL and the external IP work there, start to add Elasticsearch nodes to the cluster.

Cheers,
Marius


#3

Tried to run it all on one box, with the same errors. Here’s what I did (in case I missed a step):

  1. graylog-ctl cleanse
  2. graylog-ctl set-admin-password XXXXXXXX
  3. graylog-ctl set-external-ip http://<IP_ADDRESS>:9000/api/
  4. graylog-ctl reconfigure
  5. graylog-ctl status

This works fine. Status shows all services up and I can access the page. No problems. I then move my letsencrypt SSL files into the directory specified in the documents (after deleting the old ones):

  6. rm -f /opt/graylog/conf/nginx/ca/graylog.crt
  7. rm -f /opt/graylog/conf/nginx/ca/graylog.key
  8. cp /etc/letsencrypt/live/<DOMAIN_NAME>/fullchain.pem /opt/graylog/conf/nginx/ca/graylog.crt
  9. cp /etc/letsencrypt/live/<DOMAIN_NAME>/privkey.pem /opt/graylog/conf/nginx/ca/graylog.key

Now, I enforce-SSL and reconfigure.

  10. graylog-ctl enforce-ssl
  11. graylog-ctl reconfigure

Navigate to the sites using the domain name, and the SSL cert is valid. However, I am still receiving the following error:

We are experiencing problems connecting to the Graylog server running on http://<IP_ADDRESS>:9000/api/ . Please verify that the server is healthy and working correctly.

More details show:

Error message
Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

Original Request
GET http://<IP_ADDRESS>:9000/api/system/sessions

Status code
undefined

Full error message
Error: Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

I’ve tried the following commands (for science) with the same corresponding errors as well:

graylog-ctl set-external-ip https://<DOMAIN_NAME>:9000/api/

One thing to note: I can get a reply when trying the following as well, so it seems like it is working over http still:

curl http://<IP_ADDRESS>:9000/api/sessions
curl http://<DOMAIN_NAME>:9000/api/sessions


(marius) #4

Looks like Nginx doesn’t like the Letsencrypt cert. Do you see any related errors in the log?


#5

While doing a cleanse to test again, somehow I actually got it working.

Only step I didn’t do was graylog-ctl set-external-ip http://<IP_ADDRESS>:9000/api/. Weird that omitting that allowed everything to work, but as long as it’s working and I can test, I’m good. Thanks for the recommendations and help!
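
Added example, not part of the thread and not Graylog's own code: the error details in post #3 show the web interface, loaded over HTTPS, requesting an http:// API URL. The function below classifies how a browser treats such a request relative to the page that issues it; the function name, verdict strings and sample hosts are assumptions constructed for illustration.

```javascript
// Added example: classify how a browser treats the web interface's API request.
// classifyApiRequest and its verdict strings are hypothetical names.
function classifyApiRequest(pageUrl, apiUrl) {
  let page, api;
  try {
    page = new URL(pageUrl);
    api = new URL(apiUrl);
  } catch (err) {
    return { verdict: "invalid-url", reason: err.message };
  }
  if (!["http:", "https:"].includes(api.protocol)) {
    return { verdict: "invalid-url", reason: `unsupported scheme ${api.protocol}` };
  }
  // An HTTPS page may not issue XHR/fetch requests to a plain-HTTP endpoint:
  // the browser blocks them as mixed content before any CORS check happens.
  // (Loopback exemptions that some browsers apply are ignored here.)
  if (page.protocol === "https:" && api.protocol === "http:") {
    return {
      verdict: "mixed-content-blocked",
      reason: `${page.origin} is HTTPS but the API endpoint is plain HTTP`,
    };
  }
  // Scheme, host and port together form the origin; any difference makes the
  // request cross-origin, so the API must answer with CORS headers.
  if (page.origin !== api.origin) {
    return {
      verdict: "cross-origin",
      reason: `${api.origin} must send Access-Control-Allow-Origin for ${page.origin}`,
    };
  }
  return { verdict: "same-origin", reason: "no CORS or mixed-content restriction" };
}

// Constructed sample values: the page as served after enabling SSL, and
// candidate external API URLs of the kinds tried in the thread.
const samplePage = "https://graylog.example.com/";
const sampleApis = [
  "http://192.0.2.10:9000/api/",
  "https://graylog.example.com:9000/api/",
  "https://graylog.example.com/api/",
];
for (const api of sampleApis) {
  const result = classifyApiRequest(samplePage, api);
  console.log(`${api} -> ${result.verdict} (${result.reason})`);
}
```

A cross-origin verdict does not mean the request fails, only that it depends on the API endpoint being reachable over TLS on that port and returning the matching CORS header.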