Graylog Unable to call https://....:9000/api [RESOLVED]

ARogovsky · March 15, 2017, 11:06am

Graylog provides https web-interface but dont able to call api https self
I was created self-signet certificate and add it to java keystore, but this is not help
There is sample logs lines:

2017-03-15_10:41:11.89999 2017-03-15 10:41:11,899 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.1.1.20:9000/api/system/metrics/multiple on node <64aef9c9-c5fb-4ee7-b7d3-440a0e24094b>
2017-03-15_10:41:11.90061 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

/opt/graylog/embedded/jre/bin/keytool -keystore cacerts.jks -storepass changeit -list | grep graylog-self-signed -A1
graylog-self-signed, Mar 14, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 2A:C3:8A:F3:85:22:87:3B:C9:1D:9E:03:82:18:D8:F5:9C:DC:A3:BB

So, certificate is installed.

jochen · March 15, 2017, 11:54am

Please post the complete output of the following commands:

$ echo -n | openssl s_client -connect 10.1.1.20:9000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > graylog-cert.pem
$ openssl x509 -noout -in graylog-cert.pem -fingerprint -sha1

ARogovsky · March 15, 2017, 12:34pm

root@graylog:~# echo -n | openssl s_client -connect 10.1.1.20:9000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > graylog-cert.pem
depth=0 C = UA, ST = Odessa, L = Odessa, O = mydomain.com, OU = Graylog, CN = graylog.mydomain.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UA, ST = Odessa, L = Odessa, O = mydomain.com, OU = Graylog, CN = graylog.mydomain.com
verify return:1
DONE
root@graylog:~#  openssl x509 -noout -in graylog-cert.pem -fingerprint -sha1
SHA1 Fingerprint=41:96:FF:35:37:97:11:8C:50:22:9A:68:1E:5E:77:0D:FA:A5:42:DE

jochen · March 15, 2017, 1:01pm

It looks like there are different X.509 certificates in your JVM key store and being used for 10.1.1.20:9000.

If it was the same certificate, the SHA1 fingerprint should be identical.

ARogovsky · March 15, 2017, 1:01pm

Thanks for advice!
I import right cert and executed again
Now I get new erroror:

2017-03-15_12:49:36.98375 2017-03-15 12:49:36,982 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.1.1.20:9000/api/system/metrics/multiple on node <64aef9c9-c5fb-4ee7-b7d3-440a0e24094b>
2017-03-15_12:49:36.98414 javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.1.1.20 not verified:
2017-03-15_12:49:36.98504     certificate: sha256/KRPAx4meITGjw+fnxl39zeoBUp3sgBANVSxoHYSiHYw=
2017-03-15_12:49:36.98545     DN: CN=graylog.mydomain.com, OU=Graylog, O=mydomain.com, L=Odessa, ST=Odessa, C=UA
2017-03-15_12:49:36.98578     subjectAltNames: []

Any advices?

ARogovsky · March 15, 2017, 1:15pm

I fix it myself, replace IP by domain in config
Problem is resolved

Topic		Replies	Views
Graylog HTTPS signature check failed Graylog Central (peer support)	2	1968	November 20, 2017
New Graylog Server with HTTPS Unable To Create New Input Graylog Central (peer support)	8	4831	September 21, 2017
Need help with setup commercial certificate in Graylog 4.1.x Graylog Central (peer support)	5	1526	October 20, 2021
HTTPS signature check failed Graylog Central (peer support)	3	969	April 13, 2021
Java throwing certificate errors Graylog Central (peer support)	2	1179	March 16, 2017

Graylog Unable to call https://....:9000/api [RESOLVED]

Related topics