Unless and until Graylog updates their documentation or builds a certificate replacement script, if you’re running on CentOS 7.9, once you enable TLS, you cannot change the key passphrase because it’s used for both the pk8 certificate and the Elasticsearch keystore.
@dscryber - Can you make sure the Doc Dudes see this?
Yes, thanks, @tmacgbay
Thanks for the post. Can you give more information about your post? I’ve forwarded it to documentation and they’re unclear about what prompted you to post this. They want to help, but they’re wondering if you’re saying that the documentation should include a note that if you’re running on CentOS 7.9, you will not be able to change the key passphrase because it is used for both pk8 certification and the Elasticsearch keystore? Or are you asking for more information?
Please describe as best you can what you were attempting to do when you realized this issue.
I was replacing an expired certificate. I chose a new key passphrase to generate the new certificate. After updating the certificate files (.pem and .pk8) and updating /etc/graylog/server/server.conf with the new key passphrase, the service fails to start.
If I create the .pk8 file using the previous key passphrase, and reset /etc/graylog/server/server.conf, the service starts normally with the new certificate files.
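A pre-flight check for the rotation described in the reply above, added here as an example and not code from Graylog or from this thread: it reads the key path, certificate path and key passphrase from server.conf and confirms that the passphrase actually decrypts the .pk8 file and that the key belongs to the new certificate, so a mismatch is caught before the service is restarted. It assumes openssl is on PATH and that server.conf uses the http_tls_key_file, http_tls_cert_file and http_tls_key_password options.

```shell
#!/bin/sh
# Pre-flight check for a Graylog TLS key/certificate rotation.
# Constructed example, not Graylog's own tooling. Assumes openssl is on PATH
# and server.conf uses http_tls_key_file, http_tls_cert_file, http_tls_key_password.

# conf_get FILE KEY -> prints the value of KEY from a "key = value" config file
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_pk8_passphrase KEYFILE PASSPHRASE -> 0 if the PKCS#8 key decrypts with PASSPHRASE
check_pk8_passphrase() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# check_key_matches_cert KEYFILE PASSPHRASE CERTFILE -> 0 if the key's public key
# is the same as the public key embedded in the certificate
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# preflight SERVER_CONF -> 0 only if the configured passphrase opens the configured
# key file and that key belongs to the configured certificate; reports what failed
preflight() {
    conf=$1
    key=$(conf_get "$conf" http_tls_key_file)
    cert=$(conf_get "$conf" http_tls_cert_file)
    pass=$(conf_get "$conf" http_tls_key_password)
    if ! check_pk8_passphrase "$key" "$pass"; then
        echo "FAIL: http_tls_key_password does not decrypt $key" >&2
        return 1
    fi
    if ! check_key_matches_cert "$key" "$pass" "$cert"; then
        echo "FAIL: $key does not match the public key in $cert" >&2
        return 1
    fi
    echo "OK: $key decrypts with the configured passphrase and matches $cert"
}
```

Run `preflight /etc/graylog/server/server.conf` after editing the config and before restarting graylog-server; a non-zero exit means the restart would fail the same way the thread describes.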
Just chiming in, what passphrase are you using for your Keystore (i.e., cacerts)?
8 lower-case letters…
My apologies, I should have been more specific. When changing the passphrase, i.e., secret in Graylog's config file to something else, i.e., changeit. By chance do you know if Graylog can access the keystore still for these certificates?
Yes, I replaced the cert by copying the expired cert to a backup, and then I edited it and replaced the contents with the new cert, so its access permissions should not have changed.