Graylog not able to communicate with secured Elasticsearch (Search Guard)

Hi All,

I have secured my elasticsearch cluster using searchguard and I initialized the searchguard with elasticsearch, so I am using the below credentials for Elasticsearch authentication,
Username:- admin
Password:- xxxx

Below is the sample curl command to check the ES indices with credentials,

graylogssl@graylogssl:~$ curl --insecure -u admin:xxxx 'https://graylogssl:9200/_cat/indices?v'
health status index        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   searchguard  49ABoGl1TI28NG03y-NVNw   1   0          0            0     48.2kb         48.2kb
green  open   smartthink_0 0R1FILEqRFqIHYQ78s0YfA   4   0    1136852            0    886.2mb        886.2mb
green  open   graylog_0    5uU2btTlS0GVxygUPNl0MQ   4   0      21629            0     18.3mb         18.3mb

I used the same username & password in my Graylog server.conf file, as below.

elasticsearch_hosts = https://admin:xxxx@graylogssl:9200

However, I am getting the below exception in server.log, and it looks like Graylog is not able to communicate with Elasticsearch using the credentials:

2018-02-06 07:44:32,719 ERROR: org.graylog2.indexer.cluster.Cluster - Couldn't read cluster health for indices [graylog_*, smartthink_*] (sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
2018-02-06 07:44:32,719 INFO : org.graylog2.periodical.IndexerClusterCheckerThread - Indexer not fully initialized yet. Skipping periodic cluster check.
2018-02-06 07:44:33,304 WARN : org.graylog2.migrations.V20161130141500_DefaultStreamRecalcIndexRanges - Interrupted or timed out waiting for Elasticsearch cluster, checking again.
2018-02-06 07:45:02,715 ERROR: org.graylog2.indexer.cluster.Cluster - Couldn't read cluster health for indices [graylog_*, smartthink_*] (sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
2018-02-06 07:45:02,715 INFO : org.graylog2.periodical.IndexerClusterCheckerThread - Indexer not fully initialized yet. Skipping periodic cluster check.

Please kindly share your thoughts and correct me if I am doing anything in the configuration.

Thanks,
Ganeshbabu R

You have to add the self-signed certificate (or your custom CA) to the JVM trust store.
http://docs.graylog.org/en/2.4/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store
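
The fix described in this answer, as an added example (not part of the original thread or of the Graylog documentation): it checks whether a certificate is self-signed and whether a given trust bundle accepts it, then imports it into a JVM trust store with `keytool`. The throwaway certificates, file paths, alias and the `changeit` store password are assumptions for illustration.

```sh
#!/bin/sh
# Added example; hosts, paths, alias and password below are placeholders.

# Save the certificate an endpoint presents, e.g.: fetch_cert graylogssl 9200 es.pem
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Constructed stand-in for the Elasticsearch certificate so the demo runs offline.
make_selfsigned() {   # $1 = output dir, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# True when subject and issuer are the same name: no CA vouches for the cert.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when cert $1 chains to an anchor in PEM bundle $2. The JVM runs the same
# kind of check against its trust store; curl --insecure skips it entirely.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Import cert $1 into JVM trust store $2 under alias $3 (store password $4).
import_into_truststore() {
  keytool -importcert -noprompt -trustcacerts -file "$1" \
    -keystore "$2" -storepass "${4:-changeit}" -alias "$3"
}

demo() {
  demo_dir=$(mktemp -d) && mkdir "$demo_dir/es" "$demo_dir/other" || return 1
  make_selfsigned "$demo_dir/es" graylogssl
  make_selfsigned "$demo_dir/other" unrelated-ca
  is_self_signed "$demo_dir/es/cert.pem" && echo "certificate is self-signed"
  trusted_by "$demo_dir/es/cert.pem" "$demo_dir/other/cert.pem" \
    || echo "not trusted by an unrelated anchor (the PKIX failure case)"
  trusted_by "$demo_dir/es/cert.pem" "$demo_dir/es/cert.pem" \
    && echo "trusted once the certificate itself is an anchor"
  rm -rf "$demo_dir"
}
demo
```

If the certificate is imported into a copy of the trust store rather than the JVM's default `cacerts`, the JVM has to be pointed at that copy with the standard `-Djavax.net.ssl.trustStore=<path>` system property.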

@jochen,
Is it mandatory to have self-signed certificates for my Graylog application?

Since I have generated PEM certificates & key files only for the Elasticsearch cluster.

Please correct me if I am wrong.

Regards,
Ganeshbabu R

No, but you’re using a self-signed certificate (i.e. an untrusted certificate chain) in your Elasticsearch cluster which is what Graylog complains about.

Thanks @jochen for helping out…

I have added my self-signed certificate to the JVM trust store and it’s connected to Elasticsearch without any issues.

Regards,
Ganeshbabu R
