Help please with using HTTPS on clustered Graylog

Hello,
I need help with using HTTPS on clustered Graylog please.
According to the manual below I created a certificate and keys (cert.pem, pkcs5-plain.pem, pkcs8-plain.pem, pkcs8-encrypted.pem) in the path /etc/graylog/server/certificates/.
http://docs.graylog.org/en/2.2/pages/configuration/https.html?highlight=https

On first node I configured required parameters:

rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/certificates/cert.pem
rest_tls_key_file = /etc/graylog/server/certificates/pkcs8-encrypted.pem
rest_tls_key_password = {password_used_for_pkcs8-encrypted.pem}
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certificates/cert.pem
web_tls_key_file = /etc/graylog/server/certificates/pkcs8-encrypted.pem
web_tls_key_password = {password_used_for_pkcs8-encrypted.pem}

Graylog doesn’t work after restart:

[root@xxxx certificates]# /etc/init.d/graylog-server status
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2017-05-02 14:02:48 CEST; 3s ago
     Docs: http://docs.graylog.org/
  Process: 7255 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=1/FAILURE)
 Main PID: 7255 (code=exited, status=1/FAILURE)
[root@xxxx certificates]# sudo tailf /var/log/graylog-server/server.log | grep -i exception
com.github.joschi.jadconfig.ValidationException: Unreadable or missing REST API private key: /etc/graylog/server/certificates/pkcs8-encrypted.pem

Can you help me with this issue please?

Are all files readable for the system user running the Graylog process? All directories leading to the file must be readable for that user, too.

You can check this with namei -l /etc/graylog/server/certificates/pkcs8-encrypted.pem etc.

What’s the content of the exception you’ve posted? (Lines before and after the actual exception)
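The permission walk suggested in the reply above can be scripted. The following is an added example, not code from the thread or from the Graylog project: it resolves the key path to an absolute path, checks that the file itself is readable and that every parent directory up to `/` has search (`x`) permission, and optionally confirms with `openssl pkey` that the PKCS#8 key decrypts with the configured password (the second cause the "Unreadable or missing" message can hide). It tests as the user running it, so run it as the service account with something like `sudo -u graylog sh check-key.sh /etc/graylog/server/certificates/pkcs8-encrypted.pem`; the `graylog` user name is an assumption based on the package defaults.

```shell
#!/bin/sh
# Added example: verify that a TLS key file is reachable and usable by the
# current user, mirroring what the Graylog server does at startup.

# check_path_readable FILE
#   Returns 0 when FILE exists, is readable, and every directory on the way
#   to / is searchable by the current user; prints each failing component.
check_path_readable() {
  target="$1"
  # make the path absolute so the parent walk terminates at "/"
  case "$target" in
    /*) ;;
    *) target="$(pwd)/$target" ;;
  esac

  if [ ! -e "$target" ]; then
    echo "MISSING: $target" >&2
    return 1
  fi

  rc=0
  # the key file itself needs read permission (r)
  if [ ! -r "$target" ]; then
    echo "UNREADABLE: $target" >&2
    rc=1
  fi

  # every parent directory needs search permission (x), otherwise the
  # file cannot be opened even if its own mode bits look correct
  dir=$(dirname -- "$target")
  while :; do
    if [ ! -x "$dir" ]; then
      echo "NO SEARCH PERMISSION: $dir" >&2
      rc=1
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname -- "$dir")
  done
  return $rc
}

# check_key_decrypts KEYFILE PASSWORD
#   Returns 0 when openssl can parse the (possibly encrypted PKCS#8) key with
#   the given password, 1 on parse/password failure, 2 if openssl is absent.
check_key_decrypts() {
  key="$1"
  pw="$2"
  command -v openssl >/dev/null 2>&1 || return 2
  if openssl pkey -in "$key" -passin "pass:$pw" -noout 2>/dev/null; then
    return 0
  fi
  echo "KEY DOES NOT PARSE OR PASSWORD IS WRONG: $key" >&2
  return 1
}

# Stand-alone use: check every path given on the command line.
if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do
    check_path_readable "$f" || status=1
  done
  exit $status
fi
```

If a component is reported, the usual remedy is to give the service account ownership of the certificate directory and keep the key itself readable only by that account (for example `chown -R graylog:graylog /etc/graylog/server/certificates` and `chmod 0640` on the key files; again assuming the `graylog` user). `namei -l` on the same path, as suggested above, shows the same chain with owners and modes in one listing.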

Hello,
thank you a lot, there really was a problem with access rights, which I resolved, and both Graylog nodes are running well now.

Please @jochen, I have the same problem.

  1. Do not re-use old threads for a different version on your behalf.
  2. Read your logs yourself; the reason is written clearly in your screenshot.
  3. Randomly shouting at people will not help you!
  4. We, the community, are not your sparring partner who helps you do your work.
  5. Use your brain.