Graylog 7.0 unable to access

Hello everyone, I followed the official Graylog installation guide and could access http://admin:IoixcXMvMs@0.0.0.0:9000 normally at first. After initializing the CA, I can no longer access the web page successfully. From the server.log, it’s a certificate-related issue. Any help would be appreciated!

  • OS Information: Ubuntu 24.04

Thanks,

ezy

server.log

2025-12-20T08:46:53.656Z INFO [ImmutableFeatureFlagsCollector] Following feature flags are used: {default properties file=[show_security_events_in_pedt=off, data_tiering_cloud=off, preflight_web=on, configurable_value_units=on, setup_mode=on, cloud_inputs=on, investigation_report_by_ai=on, show_executive_dashboard_page=off, collections=on, composable_index_templates=off, data_node_migration=on, remote_reindex_migration=off, instant_archiving=off, data_lake_search=on, widget_summary=on, threat_coverage=on, external_data_lake_search=on]}
2025-12-20T08:46:54.160Z INFO [CmdLineTool] Loaded plugin: AWS plugins 7.0.2+7a367fe [org.graylog.aws.AWSPlugin]
2025-12-20T08:46:54.160Z INFO [CmdLineTool] Loaded plugin: Integrations 7.0.2+7a367fe [org.graylog.integrations.IntegrationsPlugin]
2025-12-20T08:46:54.160Z INFO [CmdLineTool] Loaded plugin: Threat Intelligence Plugin 7.0.2+7a367fe [org.graylog.plugins.threatintel.ThreatIntelPlugin]
2025-12-20T08:46:54.161Z INFO [CmdLineTool] Loaded plugin: Elasticsearch 7 Support 7.0.2+7a367fe [org.graylog.storage.elasticsearch7.Elasticsearch7Plugin]
2025-12-20T08:46:54.161Z INFO [CmdLineTool] Loaded plugin: OpenSearch 2 Support 7.0.2+7a367fe [org.graylog.storage.opensearch2.OpenSearch2Plugin]
2025-12-20T08:46:54.175Z INFO [CmdLineTool] Running with JVM arguments: -Xms16g -Xmx16g -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Dgraylog2.installation_source=deb
2025-12-20T08:46:54.321Z INFO [client] MongoClient with metadata {“driver”: {“name”: “mongo-java-driver|legacy”, “version”: “5.6.1”}, “os”: {“type”: “Linux”, “name”: “Linux”, “architecture”: “amd64”, “version”: “6.8.0-90-generic”}, “platform”: “Java/Eclipse Adoptium/21.0.9+10-LTS”} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=, codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@4aa21f9d, com.mongodb.Jep395RecordCodecProvider@71c17a57, com.mongodb.KotlinCodecProvider@640ab13c, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[localhost:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName=‘null’, serverSelector=‘null’, clusterListeners=‘’, serverSelectionTimeout=‘30000 ms’, localThreshold=‘15 ms’}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=, maxConnecting=2}, 
serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners=‘’, serverMonitorListeners=‘’}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName=‘null’, compressorList=, uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2025-12-20T08:46:54.323Z INFO [client] MongoClient with metadata {“driver”: {“name”: “mongo-java-driver|legacy”, “version”: “5.6.1”}, “os”: {“type”: “Linux”, “name”: “Linux”, “architecture”: “amd64”, “version”: “6.8.0-90-generic”}, “platform”: “Java/Eclipse Adoptium/21.0.9+10-LTS”} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=, codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@4aa21f9d, com.mongodb.Jep395RecordCodecProvider@71c17a57, com.mongodb.KotlinCodecProvider@640ab13c, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[localhost:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName=‘null’, serverSelector=‘null’, clusterListeners=‘’, serverSelectionTimeout=‘30000 ms’, localThreshold=‘15 ms’}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=, maxConnecting=2}, 
serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners=‘’, serverMonitorListeners=‘’}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName=‘null’, compressorList=, uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2025-12-20T08:46:54.349Z INFO [cluster] Waiting for server to become available for operation { ping: 1 } with ID 3. Remaining time: 29994 ms. Selector: ReadPreferenceServerSelector{readPreference=primary}, topology description: {type=UNKNOWN, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING}].
2025-12-20T08:46:54.355Z INFO [cluster] Monitor thread successfully connected to server with description ServerDescription{address=localhost:27017, type=STANDALONE, cryptd=false, state=CONNECTED, ok=true, minWireVersion=0, maxWireVersion=25, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=17732558, minRoundTripTimeNanos=0}
2025-12-20T08:46:54.412Z INFO [MongoDBPreflightCheck] Connected to MongoDB version 8.0.17
2025-12-20T08:46:54.871Z INFO [client] MongoClient with metadata {“driver”: {“name”: “mongo-java-driver|legacy”, “version”: “5.6.1”}, “os”: {“type”: “Linux”, “name”: “Linux”, “architecture”: “amd64”, “version”: “6.8.0-90-generic”}, “platform”: “Java/Eclipse Adoptium/21.0.9+10-LTS”} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=, codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@4aa21f9d, com.mongodb.Jep395RecordCodecProvider@71c17a57, com.mongodb.KotlinCodecProvider@640ab13c, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[localhost:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName=‘null’, serverSelector=‘null’, clusterListeners=‘’, serverSelectionTimeout=‘30000 ms’, localThreshold=‘15 ms’}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=, maxConnecting=2}, 
serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners=‘’, serverMonitorListeners=‘’}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName=‘null’, compressorList=, uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2025-12-20T08:46:54.872Z INFO [client] MongoClient with metadata {“driver”: {“name”: “mongo-java-driver|legacy”, “version”: “5.6.1”}, “os”: {“type”: “Linux”, “name”: “Linux”, “architecture”: “amd64”, “version”: “6.8.0-90-generic”}, “platform”: “Java/Eclipse Adoptium/21.0.9+10-LTS”} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=, codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@4aa21f9d, com.mongodb.Jep395RecordCodecProvider@71c17a57, com.mongodb.KotlinCodecProvider@640ab13c, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[localhost:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName=‘null’, serverSelector=‘null’, clusterListeners=‘’, serverSelectionTimeout=‘30000 ms’, localThreshold=‘15 ms’}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=, maxConnecting=2}, 
serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners=‘’, serverMonitorListeners=‘’}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName=‘null’, compressorList=, uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2025-12-20T08:46:54.873Z INFO [cluster] Waiting for server to become available for operation { ping: 1 } with ID 11. Remaining time: 29999 ms. Selector: ReadPreferenceServerSelector{readPreference=primary}, topology description: {type=UNKNOWN, servers=[{address=localhost:27017, type=UNKNOWN, state=CONNECTING}].
2025-12-20T08:46:54.874Z INFO [cluster] Monitor thread successfully connected to server with description ServerDescription{address=localhost:27017, type=STANDALONE, cryptd=false, state=CONNECTED, ok=true, minWireVersion=0, maxWireVersion=25, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=1927278, minRoundTripTimeNanos=0}
2025-12-20T08:46:55.005Z INFO [IndexerDiscoveryProvider] No indexer hosts configured, using fallback http://127.0.0.1:9200
2025-12-20T08:46:55.424Z INFO [ServerBootstrap] Running 2 migrations of type PREFLIGHT…
2025-12-20T08:46:55.456Z INFO [ServerBootstrap] Fresh installation detected, starting configuration webserver
2025-12-20T08:46:55.460Z INFO [PeriodicalsService] Starting 3 periodicals …
2025-12-20T08:46:55.462Z INFO [Periodicals] Starting [org.graylog2.bootstrap.preflight.GraylogCertificateProvisioningPeriodical] periodical in [2s], polling every [2s].
2025-12-20T08:46:55.463Z INFO [Periodicals] Starting [org.graylog2.events.ClusterEventPeriodical] periodical in [0s], polling every [1s].
2025-12-20T08:46:55.464Z INFO [Periodicals] Starting [org.graylog2.events.ClusterEventCleanupPeriodical] periodical in [0s], polling every [86400s].
2025-12-20T08:46:55.847Z INFO [Version] HV000001: Hibernate Validator 9.0.1.Final
2025-12-20T08:46:56.038Z INFO [NetworkListener] Started listener bound to [0.0.0.0:9000]
2025-12-20T08:46:56.039Z INFO [HttpServer] [HttpServer] Started.
2025-12-20T08:46:56.041Z INFO [PreflightJerseyService]



========================================================================================================

It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username ‘admin’ and password ‘IoixcXMvMs’.
Try clicking on http://admin:IoixcXMvMs@0.0.0.0:9000

========================================================================================================

2025-12-20T08:47:36.201Z INFO [CustomCAX509TrustManager] CA changed, refreshing trust manager
2025-12-20T08:47:43.159Z INFO [PreflightJerseyService] Shutting down HTTP listener at <0.0.0.0:9000>
2025-12-20T08:47:43.161Z INFO [Periodicals] Shutting down periodical [org.graylog2.bootstrap.preflight.GraylogCertificateProvisioningPeriodical].
2025-12-20T08:47:43.162Z INFO [Periodicals] Shutting down periodical [org.graylog2.events.ClusterEventPeriodical].
2025-12-20T08:47:43.162Z INFO [Periodicals] Shutting down periodical [org.graylog2.events.ClusterEventCleanupPeriodical].
2025-12-20T08:47:43.175Z INFO [NetworkListener] Stopped listener bound to [0.0.0.0:9000]
2025-12-20T08:47:43.408Z INFO [IndexerDiscoveryProvider] Datanode is not available. Retry #1
2025-12-20T08:47:48.440Z INFO [IndexerDiscoveryProvider] Datanode is not available. Retry #2
2025-12-20T08:47:48.502Z INFO [CaKeystore] Signing certificate for node de1f75af-63de-4bd0-a8ba-83777ea11cca, subject: CN=yzlogserver.mshome.net
2025-12-20T08:47:48.544Z ERROR [CertificateExchangeImpl] Failed to sign CSR for node, skipping it for now.
java.lang.RuntimeException: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
at org.graylog.security.certutil.CaKeystore.signCertificateRequest(CaKeystore.java:76)
at org.graylog2.bootstrap.preflight.GraylogCertificateProvisionerImpl.lambda$runProvisioning$0(GraylogCertificateProvisionerImpl.java:61)
at org.graylog2.cluster.certificates.CertificateExchangeImpl.signPendingCertificateRequests(CertificateExchangeImpl.java:102)
at org.graylog2.bootstrap.preflight.GraylogCertificateProvisionerImpl.runProvisioning(GraylogCertificateProvisionerImpl.java:61)
at org.graylog2.configuration.IndexerDiscoveryCertProvisioning.onDiscoveryRetry(IndexerDiscoveryCertProvisioning.java:39)
at java.base/java.lang.Iterable.forEach(Unknown Source)
at org.graylog2.configuration.IndexerDiscoveryProvider$1.onRetry(IndexerDiscoveryProvider.java:117)
at com.github.rholder.retry.Retryer.call(Retryer.java:167)
at org.graylog2.configuration.IndexerDiscoveryProvider.doGet(IndexerDiscoveryProvider.java:122)
at com.google.common.base.Suppliers$NonSerializableMemoizingSupplier.get(Suppliers.java:201)
at org.graylog2.configuration.IndexerDiscoveryProvider.get(IndexerDiscoveryProvider.java:86)
at org.graylog2.configuration.IndexerDiscoveryProvider.get(IndexerDiscoveryProvider.java:48)
at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:86)
at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:72)
at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:60)
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:59)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:186)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:113)
at com.google.inject.Guice.createInjector(Guice.java:87)
at com.google.inject.Guice.createInjector(Guice.java:69)
at com.google.inject.Guice.createInjector(Guice.java:59)
at org.graylog2.bootstrap.ServerBootstrap.getPreflightInjector(ServerBootstrap.java:289)
at org.graylog2.bootstrap.ServerBootstrap.runPreFlightChecks(ServerBootstrap.java:181)
at org.graylog2.bootstrap.ServerBootstrap.beforeInjectorCreation(ServerBootstrap.java:151)
at org.graylog2.bootstrap.CmdLineTool.doRun(CmdLineTool.java:362)
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:287)
at org.graylog2.bootstrap.Main.main(Main.java:57)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
at java.base/sun.security.x509.X509CertInfo.<init>(Unknown Source)
at java.base/sun.security.x509.X509CertImpl.parse(Unknown Source)
at java.base/sun.security.x509.X509CertImpl.<init>(Unknown Source)
at java.base/sun.security.provider.X509Factory.cachedGetX509Cert(Unknown Source)
at java.base/sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificate(Unknown Source)
at org.bouncycastle.cert.jcajce.JcaX509CertificateConverter.getCertificate(Unknown Source)
at org.graylog.security.certutil.csr.CsrSigner.sign(CsrSigner.java:133)
at org.graylog.security.certutil.csr.CsrSigner.sign(CsrSigner.java:93)
at org.graylog.security.certutil.CaKeystore.signCertificateRequest(CaKeystore.java:72)
… 30 more
Caused by: java.io.IOException: Parse Generalized time, invalid format
at java.base/sun.security.util.DerValue.getTimeInternal(Unknown Source)
at java.base/sun.security.util.DerValue.getGeneralizedTime(Unknown Source)
at java.base/sun.security.util.DerInputStream.getGeneralizedTime(Unknown Source)
at java.base/sun.security.x509.CertificateValidity.<init>(Unknown Source)
at java.base/sun.security.x509.X509CertInfo.parse(Unknown Source)
… 40 more
2025-12-20T08:47:53.551Z INFO [IndexerDiscoveryProvider] Datanode is not available. Retry #3
2025-12-20T08:47:53.603Z INFO [CaKeystore] Signing certificate for node de1f75af-63de-4bd0-a8ba-83777ea11cca, subject: CN=yzlogserver.mshome.net
2025-12-20T08:47:53.639Z ERROR [CertificateExchangeImpl] Failed to sign CSR for node, skipping it for now.
java.lang.RuntimeException: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
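A triage sketch for the log above, added here as an example and not part of the original post or of Graylog: it groups the repeated "Failed to sign CSR" errors by node and innermost `Caused by`, which points at the JDK's `CertificateValidity` parsing rather than at the datanode. The function names are this example's own, and the sample is a shortened, constructed excerpt of the quoted log.

```python
import re

# Constructed sample: a shortened excerpt of the server.log lines quoted above.
SAMPLE_LOG = """\
2025-12-20T08:47:48.502Z INFO [CaKeystore] Signing certificate for node de1f75af-63de-4bd0-a8ba-83777ea11cca, subject: CN=yzlogserver.mshome.net
2025-12-20T08:47:48.544Z ERROR [CertificateExchangeImpl] Failed to sign CSR for node, skipping it for now.
java.lang.RuntimeException: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
at org.graylog.security.certutil.CaKeystore.signCertificateRequest(CaKeystore.java:76)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
at java.base/sun.security.x509.X509CertInfo.<init>(Unknown Source)
at org.graylog.security.certutil.csr.CsrSigner.sign(CsrSigner.java:133)
Caused by: java.io.IOException: Parse Generalized time, invalid format
at java.base/sun.security.util.DerValue.getTimeInternal(Unknown Source)
at java.base/sun.security.util.DerValue.getGeneralizedTime(Unknown Source)
at java.base/sun.security.x509.CertificateValidity.<init>(Unknown Source)
2025-12-20T08:47:53.551Z INFO [IndexerDiscoveryProvider] Datanode is not available. Retry #3
2025-12-20T08:47:53.603Z INFO [CaKeystore] Signing certificate for node de1f75af-63de-4bd0-a8ba-83777ea11cca, subject: CN=yzlogserver.mshome.net
2025-12-20T08:47:53.639Z ERROR [CertificateExchangeImpl] Failed to sign CSR for node, skipping it for now.
java.lang.RuntimeException: java.security.cert.CertificateParsingException: java.io.IOException: Parse Generalized time, invalid format
"""

EVENT = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:.]+Z) (\w+)\s+\[(\w+)\] ?(.*)$")
SIGNING = re.compile(r"Signing certificate for node (\S+), subject: (\S+)")
FRAME = re.compile(r"^at (\S+?)\(")
EXC = re.compile(r"([\w.$]+(?:Exception|Error)): ")


def parse_events(text):
    """Split the log into timestamped events; other lines attach as stack trace."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append({"ts": m[1], "level": m[2], "msg": m[4], "trace": []})
        elif events and line.strip():
            events[-1]["trace"].append(line.strip())
    return events


def root_cause(trace):
    """Return (exception class, message, frames) of the innermost exception."""
    if not trace:
        return None, "", []
    # The last "Caused by:" block is the innermost cause; a truncated trace
    # falls back to its first line, whose chained message still names it.
    start = max((i for i, l in enumerate(trace) if l.startswith("Caused by:")), default=0)
    last = None
    for last in EXC.finditer(trace[start]):
        pass
    exc, msg = (last[1], trace[start][last.end():]) if last else (None, trace[start])
    frames = [m[1] for m in map(FRAME.match, trace[start + 1:]) if m]
    return exc, msg, frames


def signing_failures(text):
    """Group CSR signing errors by (node, subject) and innermost cause."""
    summary, pending = {}, None
    for ev in parse_events(text):
        m = SIGNING.search(ev["msg"])
        if m:
            pending = (m[1], m[2])  # node id and subject of the CSR being signed
        elif ev["level"] == "ERROR" and "Failed to sign CSR" in ev["msg"]:
            exc, msg, frames = root_cause(ev["trace"])
            entry = summary.setdefault((pending, exc, msg),
                                       {"count": 0, "first": ev["ts"], "frames": []})
            entry["count"] += 1
            entry["frames"] = entry["frames"] or frames  # keep the fullest trace seen
    return summary


if __name__ == "__main__":
    for (node, exc, msg), e in signing_failures(SAMPLE_LOG).items():
        print(node, exc, msg, e["count"], e["first"], e["frames"][-1:])
```
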

Hey @ezy1220,

Do you get as far as setting the expiration period of the certs and what are you setting that to? On the Ubuntu host, are you syncing the system clock to an ntp server and is that date/time correct?

Hey @ezy1220 , judging from:

I guess you have configured some invalid value in the certificate renewal policy, during the initial preflight setup. Could you maybe check and tell me what you have in the mongodb?

graylog> db.cluster_config.find({'type':'org.graylog2.plugin.certificates.RenewalPolicy'})

should print something similar to

[
  {
    _id: ObjectId("6929932e9943fa9223effb9e"),
    type: 'org.graylog2.plugin.certificates.RenewalPolicy',
    payload: { mode: 'AUTOMATIC', certificate_lifetime: 'P30D' },
    last_updated: ISODate("2025-11-28T12:18:54.348Z"),
    last_updated_by: 'b7ee54e5-6ee4-404f-8e8c-b3d4ec40ac27'
  }
]

The easy recovery could be now to drop the mongodb content and start over with the preflight setup from scratch.

The server is deployed in the intranet and cannot connect to the Internet. I set the expiration time to 999,999 days. Or maybe 99,999 days, I forgot.

I only set the time zone but did not configure an NTP server.

timedatectl set-timezone Asia/Shanghai

Are there any suggested commands to drop the mongodb content?

In addition to certificate-related errors, there are also datanode is not available errors in the server.log.

It’s not available due to the signing error.

As this is a new build, dropping the graylog db as a whole should be okay as there is nothing to save and will force the preflight process to begin again.

This time around please set the expiration to something a little less, I would suggest a year. Keep in mind that the signing process is automated so cert reaching EOL shouldn’t fill you with dread but I understand how years of dealing with certs can leave you with trauma.

Thanks @ezy1220

I could reproduce the error, the problem is indeed the validity in the very distant future :slight_smile:

I’d recommend setting some more usual value, like 30 days.

These certificates are self-signed and your graylog server is the certificate authority, which will also handle all automatic renewals. There is no access to the internet needed, only datanode → server connection.

Additionally, the renewed certificate will be hot-reloaded, so it doesn’t take your datanode/opensearch instance down.

Regarding the drop command, you can run something like

graylog> db.dropDatabase()
{ ok: 1, dropped: 'graylog' }

if you are OK with deleting everything configured so far.

Thank you very much!!!
It was indeed an issue with the 99999-day setting. Thank you so much for your help!

2 Likes

Thank you very much!!!
It was indeed an issue with the 99999-day setting.

I used the db.dropDatabase() command and restarted the service. It works!!!

Thank you so much for your help!!!

1 Like

Thank you for the feedback @ezy1220 . And for the fun with Y10K problem - I’d never guess I’ll be solving that :grin:

1 Like
