I’ve been trying to set up a Graylog server under Debian 10; the server itself is run behind an Nginx-based reverse proxy, over HTTPS encrypted by a self-signed SSL certificate.
The server starts up just fine and I can access the UI using the pre-configured administration account, but after configuring an input (syslog), I cannot start the input up. At that point, the server’s log contains repeating warnings:
[ProxiedResource] Unable to call /api/system/inputstates on node : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Naturally, I first went to try and fix this issue on my own. I followed the guide in the official documentation here, but despite passing the modified Java keystore to the server (via -Djavax.net.ssl.trustStore), the server still does not trust the certificate used.
Next, I tried following a slightly different guide here, also without success. I do get the custom keystore that I copied into the individual JVM security folders, but again, the same errors pop up.
Is there something I am doing wrong? I’d really rather have the Graylog server behind a proxy so as to facilitate simple access control through the likes of HTTP basic authentication, IP whitelists, LDAP integration, etc.
In case there was something I overlooked, the server’s log file: pastebin[.]com/Uyqw6Scx
Hello and welcome.
I need to ask a couple of questions.
What version of Graylog are you using?
Could we see all the configuration you made to set up HTTPS on your Graylog server?
grep -v "^#\|^$" /etc/graylog/server/server.conf | sed -e "s/#.*$//g"
This might be a couple of different things, maybe a configuration error or permissions.
Have a look at the following link; maybe there is something in there that may help you out.
I do feel your frustration; I also went through the same thing, and many others here did too. I know that everyone’s environment is a little bit different. What might work for one person may not work for another.
EDIT: I just saw you tried to show your log file; maybe just post it here and edit the prior post.
Okay, it turns out I was just dumb: I had the whole /etc/graylog/* dir owned by root, and the certstore had permissions set to 640… I guess I was unaware the service created a user to run under, yet didn’t chown its own configuration directory.
Now I get a different, also not very verbose, error:
WARN [ProxiedResource] Unable to call node-hostname/api/system/inputstates on node : Hostname node-hostname not verified:
certificate: sha256/7ioG/vspwiY73LbQU0eZKEssqNTbORTkxY1TIcZjqKI=
DN: cert-details
subjectAltNames: [WAN-IP, LAN-IP]
Current configuration: here
Current startup log: here
I also looked at that guide; however, as I do not want/need the Graylog instance itself to run over HTTPS, it doesn’t seem applicable. In my case, SSL terminates on the Nginx reverse proxy.
You have some problems with your certificates. Not sure where/how you made them, but double-check that you have the right ones in the keystore. Also make sure Graylog has access to the keystore and the certificates.
Question: are you trying to use HTTPS, or just certificates for your INPUT?
Have you seen these, as shown below? I used both sites at one point, which helped me learn how to fix my issues; maybe they will help you also.
Okay, I finally managed to solve, or rather get around, the issue I’m having. Even after trying the newest “easy tutorial” you sent, I was unable to get the issue resolved.
My current solution was to change the http_publish_uri to http://127.0.0.1:9000 – the server thus communicates with itself over cleartext HTTP on a local IP, while I can still access the server through the Nginx instance, which just forwards the requests to the localhost-bound Graylog server… Now the server doesn’t know of any SSL dark magic, and everything seems to be working (I was finally able to start up my syslog input).
I have no idea what drawbacks this solution might have… But, gotta say… At least it seems to be working now. Thank you for the help though!
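Added example, not from the thread or from Graylog itself: a small Python checker that encodes the two failure modes above (a keystore the service user cannot read, and a self-referencing https http_publish_uri whose host is not in the certificate's SANs) next to the loopback configuration the thread ended with. The hostname, SAN IPs and conf snippets are constructed placeholders.

```python
from urllib.parse import urlparse

def parse_conf(text):
    """Parse 'key = value' lines of server.conf; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def keystore_readable(mode, owner, group, user, user_groups):
    """First failure in the thread: keystore mode 0640 owned by root while
    the service runs as its own 'graylog' user, so it cannot be read."""
    if owner == user:
        return bool(mode & 0o400)
    if group in user_groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def check_proxy_config(text, cert_sans):
    """Findings for a single node behind a TLS-terminating reverse proxy;
    cert_sans are the subjectAltName values of the proxy's certificate."""
    conf = parse_conf(text)
    publish = urlparse(conf.get("http_publish_uri", ""))
    tls = conf.get("http_enable_tls", "false").lower() == "true"
    findings = []
    if publish.scheme == "https" and not tls:
        # The node reaches its own API through the proxy and must trust its cert.
        findings.append("publish-https-without-tls")
    if publish.scheme == "https" and publish.hostname not in cert_sans:
        # Second failure in the thread: 'Hostname ... not verified'.
        findings.append("publish-host-not-in-san")
    if publish.hostname not in {"127.0.0.1", "localhost", "::1"}:
        # Single node: keep node-to-node calls on the loopback bind address
        # (a cluster needs an internal address the other nodes can reach).
        findings.append("publish-not-loopback")
    return findings

# Constructed samples: hostname and SAN IPs are placeholders, not the OP's.
BROKEN_CONF = """http_bind_address = 0.0.0.0:9000
http_publish_uri = https://graylog.example.internal/   # name of the proxy
http_external_uri = https://graylog.example.internal/
"""
FIXED_CONF = """http_bind_address = 127.0.0.1:9000
http_publish_uri = http://127.0.0.1:9000/
http_external_uri = https://graylog.example.internal/
"""
PROXY_SANS = ["203.0.113.10", "192.0.2.20"]  # WAN-IP and LAN-IP only
```

Running check_proxy_config over BROKEN_CONF reproduces all three findings, while FIXED_CONF (the loopback publish URI from the last post) yields none.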