Graylog Unable to call https://....:9000/api [RESOLVED]


(A Rogovsky) #1

Graylog serves the web interface over HTTPS but is not able to call its own API over HTTPS.
I created a self-signed certificate and added it to the Java keystore, but this did not help.
Here are sample log lines:

2017-03-15_10:41:11.89999 2017-03-15 10:41:11,899 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.1.1.20:9000/api/system/metrics/multiple on node <64aef9c9-c5fb-4ee7-b7d3-440a0e24094b>
2017-03-15_10:41:11.90061 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

/opt/graylog/embedded/jre/bin/keytool -keystore cacerts.jks -storepass changeit -list | grep graylog-self-signed -A1
graylog-self-signed, Mar 14, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 2A:C3:8A:F3:85:22:87:3B:C9:1D:9E:03:82:18:D8:F5:9C:DC:A3:BB

So, the certificate is installed.


(Jochen) #2

Please post the complete output of the following commands:

$ echo -n | openssl s_client -connect 10.1.1.20:9000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > graylog-cert.pem
$ openssl x509 -noout -in graylog-cert.pem -fingerprint -sha1

(A Rogovsky) #3
root@graylog:~# echo -n | openssl s_client -connect 10.1.1.20:9000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > graylog-cert.pem
depth=0 C = UA, ST = Odessa, L = Odessa, O = mydomain.com, OU = Graylog, CN = graylog.mydomain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UA, ST = Odessa, L = Odessa, O = mydomain.com, OU = Graylog, CN = graylog.mydomain.com
verify return:1
DONE
root@graylog:~#  openssl x509 -noout -in graylog-cert.pem -fingerprint -sha1
SHA1 Fingerprint=41:96:FF:35:37:97:11:8C:50:22:9A:68:1E:5E:77:0D:FA:A5:42:DE

(Jochen) #4

It looks like there are different X.509 certificates in your JVM key store and being used for 10.1.1.20:9000.

If it was the same certificate, the SHA1 fingerprint should be identical.


(A Rogovsky) #5

Thanks for advice!
I imported the right cert and executed it again.
Now I get a new error:

2017-03-15_12:49:36.98375 2017-03-15 12:49:36,982 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.1.1.20:9000/api/system/metrics/multiple on node <64aef9c9-c5fb-4ee7-b7d3-440a0e24094b>
2017-03-15_12:49:36.98414 javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.1.1.20 not verified:
2017-03-15_12:49:36.98504     certificate: sha256/KRPAx4meITGjw+fnxl39zeoBUp3sgBANVSxoHYSiHYw=
2017-03-15_12:49:36.98545     DN: CN=graylog.mydomain.com, OU=Graylog, O=mydomain.com, L=Odessa, ST=Odessa, C=UA
2017-03-15_12:49:36.98578     subjectAltNames: []

Any advice?


(A Rogovsky) #6

I fixed it myself by replacing the IP with the domain name in the config.
Problem is resolved.
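The error in #5 and the fix in #6 come down to how a TLS client matches the target it connected to against the certificate: an IP literal is only ever compared to a SAN iPAddress entry, while a DNS name is compared to SAN dNSName entries, with the CN used only when the certificate has no dNSName SAN at all (the behaviour assumed here for the JVM HTTP client Graylog used at the time). The following is an added example, not Graylog's or the JVM's code; `verify_hostname`, `fingerprints` and `fetch_server_der` are names chosen for this example, and it also reproduces the keytool SHA-1 fingerprint and the `sha256/` pin format seen in the log lines.

```python
"""Reproduce the thread's two checks: certificate fingerprint/pin and hostname matching."""
import base64
import hashlib
import ipaddress
import ssl


def fingerprints(der: bytes) -> dict:
    """SHA-1 fingerprint as keytool prints it, and the sha256/ pin as the log shows it."""
    sha1 = hashlib.sha1(der).hexdigest().upper()
    return {
        "sha1": ":".join(sha1[i:i + 2] for i in range(0, len(sha1), 2)),
        "pin": "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode(),
    }


def fetch_server_der(host: str, port: int = 9000) -> bytes:
    """Fetch the leaf certificate from a live endpoint (needs network; not used offline)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def _dns_match(pattern: str, host: str) -> bool:
    """Exact case-insensitive match, or a single left-most wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def verify_hostname(target: str, cn: str, sans: list) -> tuple:
    """Assumed client rules: an IP literal must appear as a SAN iPAddress (CN never
    counts); a DNS name matches SAN dNSName entries, falling back to CN only when the
    certificate carries no dNSName SAN.  sans is a list of ("IP"|"DNS", value)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        ok = any(k == "IP" and ipaddress.ip_address(v) == ip for k, v in sans)
        return ok, "IP literal needs a SAN iPAddress entry; CN is ignored"
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        return any(_dns_match(p, target) for p in dns), "checked SAN dNSName entries"
    return _dns_match(cn, target), "no dNSName SAN; fell back to CN"


# Values copied from the SSLPeerUnverifiedException in post #5 (constructed test input).
THREAD_CN = "graylog.mydomain.com"
THREAD_SANS = []  # the log shows "subjectAltNames: []"
```

Running `verify_hostname("10.1.1.20", THREAD_CN, THREAD_SANS)` fails while `verify_hostname("graylog.mydomain.com", THREAD_CN, THREAD_SANS)` passes, which is exactly why switching the config from the IP to the domain name resolved the thread.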