Graylog-server v4.0.7-1 - unable to find valid certification path to requested target


I’ve been trying to set up a Graylog server under Debian 10, the server itself is ran behind an Nginx-based reverse proxy, over HTTPS encrypted by a self-signed SSL certificate.

The server starts up just fine and I can access the UI using the pre-configured administration account, but after configuring an input (syslog), I cannot start the input up. At that point, the server’s log contains repeating warnings -
[ProxiedResource] Unable to call /api/system/inputstates on node : PKIX path building failed: unable to find valid certification path to requested target

Naturally, I first went to try and fix this issue on my own. I followed the guide in the official documentation Here but despite passing the modified java keystore to the server (Via, the server still does not trust the certificate used.

Next, I tried following a slightly different guide here, also without success. I do get the custom keystore that I copied into the individual jvm security folders, but again, the same errors pop up.

Is there something I am doing wrong? I’d really rather have the Graylog server behind a proxy so as to facilitate simple access control through the likes of HTTP base authentication, IP whitelists, LDAP integration etc…

In case there was something I overlooked, the server’s logfile - pastebin[.]com/Uyqw6Scx


Hello And Welcome
Need to ask a couple questions.
What version of graylog are you using?
Could we see all your configuration made to set up HTTPS on your graylog server?

grep -v "^#\|^$" /etc/graylog/server/server.conf | sed -e "s/#.*$//g"

This might be a couple different things, maybe a configuration error or permissions.

Have a look at this following link maybe there is something in there that may help you out

I do feel your frustration, I also went through the same thing and many other here also. I know that everyones environment is a little bit different. What might work for one person may not work for another.

EDIT: I just seen you tried to show your log file, maybe just post it here and edit prior.

Okay, turns out I was just dumb - I had the whole /etc/graylog/* dir owned by root, and the certstore had permissions set to 640… I guess I was unaware the service created a user to run under, yet didn’t chown its own configuration directory.

Now, I got to a different, also not very verbose error:
WARN [ProxiedResource] Unable to call node-hostname/api/system/inputstates on node : Hostname node-hostname not verified:
certificate: sha256/7ioG/vspwiY73LbQU0eZKEssqNTbORTkxY1TIcZjqKI=
DN: cert-details
subjectAltNames: [WAN-IP, LAN-IP]

Current configuration: here
Current startup log: here

Also looked at that guide, however, as I do not want / need the graylog instance itself to run over HTTPS, it doesn’t seem applicable. In my case, SSL terminates on the Nginx reverse-proxy.

Thank you for the added Information.

You have some problems with your certificates. Not sure where/how you made them but double check that you have the right ones in the keystore. Also make sure Graylog has access to the keystore and the certificates.

Question: are you trying to use HTTPS or just certificates for your INPUT?

Have you seen these as shown below? I used both sites at one point which help me learn how to fix my issues maybe they will help also.

What happens when you comment this out?

http_publish_uri = https://hostname/

Okay, I finally managed to solve… Or rather, get around the issue I’m having. Even after trying the newest “easy tutorial” you’ve sent, I was unable to get the issue resolved.

My current solution was to change the http_publish_uri to – The server itself thus communicates with itself over cleartext HTTP on a local IP, while I can still access the server through the Nginx instance that just forwards the requests to the localhost-bound graylog server… Now, the server doesn’t know of any SSL dark magic, and everything seems to be working (I was finally able to start up my syslog input).

I have no idea what drawbacks this solution might have… But, gotta say… At least it seems to be working now. Thank you for the help though! :slight_smile:

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.