Graylog, LoadBalancer and SSL


#1

I have a setup with a load balancer and three nodes. I want to achieve valid SSL traffic with a signed cert. I have added a link to my certs in the Graylog config and also added the cert to the Java cacerts. I get an error like this after startup:

2018-01-23T13:22:20.001+01:00 WARN [ProxiedResource] Unable to call https://3.graylog.my.domain:12900/api/system/metrics/multiple on node <4b24925a-5663-4818-b8d2-16413316008c>
javax.net.ssl.SSLPeerUnverifiedException: Hostname 3.graylog.my.domain not verified:
certificate: sha256/NyvFNqvPTFxZefHeNaBQ+cb6IHdC8TsKo5IKqgp0JwM=
DN: EMAILADDRESS=admin@my.domain, CN=*graylog.my.domain, OU=OU, O=O, L=L, ST=ST, C=C
subjectAltNames: []
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:308) ~[graylog.jar:?]
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:268) ~[graylog.jar:?]
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:160) ~[graylog.jar:?]
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
at org.graylog2.rest.RemoteInterfaceProvider.lambda$get$0(RemoteInterfaceProvider.java:59) ~[graylog.jar:?]
at org.graylog2.rest.RemoteInterfaceProvider.dt_access$182(RemoteInterfaceProvider.java) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) ~[graylog.jar:?]
at okhttp3.RealCall.execute(RealCall.java:77) ~[graylog.jar:?]
at retrofit2.OkHttpCall.execute(OkHttpCall.java:180) ~[graylog.jar:?]

cert in java keystore:

graylog-cert, Jan 23, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): F2:23:06:10:F0:83:34:10:9F:F4:97:78:31:2F:C8:48:2E:57:77:E3

cert for graylog

openssl x509 -in certnew.crt -text -noout -fingerprint | grep Finger
SHA1 Fingerprint=F2:23:06:10:F0:83:34:10:9F:F4:97:78:31:2F:C8:48:2E:57:77:E3


(Jochen) #2

*graylog.my.domain does not match 3.graylog.my.domain.


#3

I don't get it, I did the test with graylog.my.domain:

2018-01-23T14:23:06.254+01:00 WARN [ProxiedResource] Unable to call https://graylog.my.domain:12900/api/system/metrics/multiple on node <4b24925a-5663-4818-b8d2-16413316008c>
javax.net.ssl.SSLPeerUnverifiedException: Hostname graylog.my.domain not verified:
certificate: sha256/NyvFNqvPTFxZefHeNaBQ+cb6IHdC8TsKo5IKqgp0JwM=
DN: EMAILADDRESS=admin@my.domain, CN=*graylog.my.domain, OU=OU, O=O, L=L, ST=ST, C=C
subjectAltNames: []

Is a wildcard in the cert forbidden? How do I configure the load balancer with three nodes behind it (cert for the LB name)?

Should I change the cert CN to *.graylog.my.domain?


(Jochen) #4

This would at least match the host name 3.graylog.my.domain.
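To see why the names in this thread do and do not match, here is an added example (not code from the thread or from Graylog) that applies the RFC 6125 DNS-ID matching rules a TLS client such as OkHttp uses: the wildcard must be the entire left-most label and it covers exactly one label. It assumes the client matches only dNSName SAN entries (the log above shows an empty subjectAltNames list), so it does not model any CN fallback; the SAN list for the load balancer plus nodes is a constructed suggestion.

```python
# Added example: RFC 6125-style hostname matching against a cert's DNS names.
# Rules: case-insensitive; "*" accepted only as the whole left-most label;
# one wildcard label matches exactly one host label (never a dot, never zero).

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate DNS name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*graylog.my.domain" fails here: the wildcard is not a label on its own.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # Refuse overly broad patterns such as "*.domain".
    if len(p_labels) < 3:
        return False
    # One wildcard label must line up with exactly one host label, so
    # "*.graylog.my.domain" matches "3.graylog.my.domain" but not the
    # bare "graylog.my.domain" used for the load balancer.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify(cert_dns_names: list, hostname: str) -> bool:
    """Hostname verification over all dNSName entries of the certificate."""
    return any(hostname_matches(n, hostname) for n in cert_dns_names)


# Names taken from the thread, plus a constructed SAN set covering both the
# load balancer name and every node name (hypothetical, not from the thread).
BROKEN_CN = ["*graylog.my.domain"]
PROPOSED_CN = ["*.graylog.my.domain"]
SAN_FOR_LB_AND_NODES = ["graylog.my.domain", "*.graylog.my.domain"]

if __name__ == "__main__":
    for names in (BROKEN_CN, PROPOSED_CN, SAN_FOR_LB_AND_NODES):
        for host in ("graylog.my.domain", "3.graylog.my.domain"):
            print(f"{names!s:48} {host:22} -> {verify(names, host)}")
```

Only the two-entry SAN set verifies for both the load balancer name and the node names, which is what a single certificate for all four endpoints needs.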

