Graylog License Reporting Failure

I have been using http to report license usage. However, I see from Graylog 3.0.2x https is now in use. I see that on 6 August 2019, I started having problems making contact with the license checker server. Does the below mean I have to include the certificate in my Java Keystore and restart Graylog?

2019-08-19T06:33:34.616Z WARN [LicenseReportPeriodical] Unable to connect to license server: Hostname api.graylog.com not verified:
certificate: sha256/hH6LzmschrAMvuCS7FGt83m30M5nOkW++lA+wfLiUbg=
DN: CN=side.skyscraper.autodesk.com, OU=DCP-BID-Buildings, O=“Autodesk, Inc.”, L=San Rafael, ST=California, C=US
subjectAltNames: [side.skyscraper.autodesk.com].

Something is trying to man-in-the-middle …

Please see details on the license verification: http://docs.graylog.org/en/3.1/pages/enterprise/setup.html#license-verification

We use a Let's Encrypt certificate on the API endpoint.

Thanks @jan, I think I see something interesting. I use an IP address derived from DNS. I am not sure if that is the Graylog load balancer IP.

root@:centuari/home/rooter# curl -v -XGET https://api.graylog.com
Note: Unnecessary use of -X or --request, GET is already inferred.

  • Expire in 0 ms for 6 (transfer 0x556ec539c5c0)
  • Expire in 1 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 1 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 1 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 1 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 2 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Expire in 0 ms for 1 (transfer 0x556ec539c5c0)
  • Trying 54.173.32.212…
  • TCP_NODELAY set
  • Expire in 200 ms for 4 (transfer 0x556ec539c5c0)
  • Connected to api.graylog.com (54.173.32.212) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Rafael; O=Autodesk, Inc.; OU=DCP-BID-Buildings; CN=side.skyscraper.autodesk.com
  • start date: Feb 15 00:00:00 2019 GMT
  • expire date: Feb 16 12:00:00 2020 GMT
  • subjectAltName does not match api.graylog.com
  • SSL: no alternative certificate subject name matches target host name ‘api.graylog.com
  • Closing connection 0
    curl: (60) SSL: no alternative certificate subject name matches target host name ‘api.graylog.com
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I think I see my mistakes. So I will investigate further.

I fixed the issue. I am now able to reach api.graylog.com.

I had to do a DNS lookup to get the IP address. I know this is not so reliable but I use static mapping rather than DNS at the moment.
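The triage the thread converges on, as an added example that is not part of the original posts or Graylog's own code: it parses the "Hostname ... not verified" entry in the layout shown above, checks whether any listed subjectAltName covers the requested host, and looks for a static mapping of that host. The hosts-file form of the static mapping, the sample hosts content, the address 203.0.113.10 and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the WARN entry from the thread (DN line omitted for brevity).
SAMPLE_LOG = (
    "2019-08-19T06:33:34.616Z WARN [LicenseReportPeriodical] Unable to connect to "
    "license server: Hostname api.graylog.com not verified:\n"
    "certificate: sha256/hH6LzmschrAMvuCS7FGt83m30M5nOkW++lA+wfLiUbg=\n"
    "subjectAltNames: [side.skyscraper.autodesk.com].\n"
)
# Constructed hosts file; 203.0.113.10 is a documentation-range placeholder address.
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.10 api.graylog.com  # set by hand\n"

MISMATCH = re.compile(
    r"Hostname (?P<host>\S+) not verified:.*?subjectAltNames: \[(?P<sans>[^\]]*)\]",
    re.S)

def san_matches(host, pattern):
    """Wildcard rule: '*' may only replace the whole leftmost label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[1:] == p[1:]
    return h == p

def static_mappings(hosts_text, host):
    """IPs that a hosts file maps to `host`; comments are ignored."""
    ips = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and host.lower() in fields[1:]:
            ips.append(fields[0])
    return ips

def triage(log_text, hosts_text):
    """One finding per hostname-verification failure in the log."""
    findings = []
    for m in MISMATCH.finditer(log_text):
        host = m.group("host")
        sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
        findings.append({"host": host, "sans": sans,
                         "name_matches": any(san_matches(host, s) for s in sans),
                         "static_ips": static_mappings(hosts_text, host)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_HOSTS):
        print(finding)
```

A finding with `name_matches` false and a non-empty `static_ips` list points at the pinned address as the first thing to re-check against a fresh DNS lookup.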
