Graylog forwarder won't start when trust_chain_cert_file is set

1. Describe your incident:

I am able to get my forwarder to connect to my Graylog server on a VPS, which has a Let’s Encrypt SSL cert installed, without TLS enabled. When I enable forwarder_grpc_tls_trust_chain_cert_file = /home//fullchain.pem on the forwarder, the forwarder service will not start; it starts for a moment and then fails with exit code 1.

I’m unsure what I am doing wrong here. Am I using the right certificate? I’ve tried changing the owner to root and changing the permissions to 664, but I just get the same issue.

If I run with TLS enabled, the forwarder starts but does not connect to the server.

Any insight would be greatly appreciated.

2. Describe your environment:

  • OS Information: Ubuntu server 22.04

  • Package Version: 5.1

  • Service logs, configurations, and environment variables:

Can be provided.

Hey @Ayy_Axtn

What do you see in any of the log files? Should be something with connection issues, etc…

This would give us a better idea on how to troubleshoot.

Thanks @gsmith!

I found the log file for my forwarder (/var/log/graylog-forwarder) and saw that it was unable to open the fullchain.pem file. I moved the certificate to /opt/graylog/tls/, checked that permissions were root:root 664, updated the config with the new location, and restarted the forwarder.

This fixed my issue. Looks like Ubuntu doesn’t let services read from the home directory, I guess!

Thanks again!

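An added example, not from the thread or from Graylog: a mode-bit audit that reports which directory on the way to a trust chain file a given service account cannot traverse, whether the file itself is readable, and whether it is writable by anyone other than its owner (as it is with the 664 mode mentioned above). The function names, the `base` parameter and the finding labels are assumptions made for this example; ACLs, AppArmor and systemd sandboxing are not modelled.

```python
import os
import stat


def _allowed(st, uid, gids, want):
    """Classic Unix check: exactly one of owner/group/other applies, in that order."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def audit_cert_path(path, uid, gids, base="/"):
    """Return findings for `path` as seen by uid/gids (mode bits only).

    Only components below `base` are checked; `base` is a hypothetical
    parameter added here so a subtree can be audited on its own.
    """
    findings = []
    path, base = os.path.realpath(path), os.path.realpath(base)
    current = base
    for part in os.path.relpath(path, base).split(os.sep)[:-1]:
        current = os.path.join(current, part)
        # A directory needs the search (x) bit to be traversed.
        if not _allowed(os.stat(current), uid, gids, 0o1):
            findings.append(f"no-traverse:{current}")
    st = os.stat(path)
    if not _allowed(st, uid, gids, 0o4):
        findings.append(f"no-read:{path}")
    # A trust chain decides which servers are accepted, so only its
    # owner should be able to change it.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable-by-non-owner:{path}")
    return findings


if __name__ == "__main__":
    import pwd
    import sys
    user, cert = sys.argv[1], sys.argv[2]  # service account name, cert path
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(audit_cert_path(cert, pw.pw_uid, gids) or "ok")
```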