Help please with using HTTPS on clustered Graylog


(David Papay) #1

Hello,
I need help with using HTTPS on clustered Graylog please.
According to the manual below, I created a certificate and keys (cert.pem, pkcs5-plain.pem, pkcs8-encrypted.pem, pkcs8-plain.pempkcs5-plain.pem) in the path /etc/graylog/server/certificates/.
http://docs.graylog.org/en/2.2/pages/configuration/https.html?highlight=https

On the first node I configured the required parameters:

rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/certificates/cert.pem
rest_tls_key_file = /etc/graylog/server/certificates/pkcs8-encrypted.pem
rest_tls_key_password = {password_used_for_pkcs8-encrypted.pem}
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/certificates/cert.pem
web_tls_key_file = /etc/graylog/server/certificates/pkcs8-encrypted.pem
web_tls_key_password = {password_used_for_pkcs8-encrypted.pem}

Graylog doesn’t work after restart:

[root@xxxx certificates]# /etc/init.d/graylog-server status
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2017-05-02 14:02:48 CEST; 3s ago
     Docs: http://docs.graylog.org/
  Process: 7255 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=1/FAILURE)
 Main PID: 7255 (code=exited, status=1/FAILURE)
[root@xxxx certificates]# sudo tailf /var/log/graylog-server/server.log | grep -i exception
com.github.joschi.jadconfig.ValidationException: Unreadable or missing REST API private key: /etc/graylog/server/certificates/pkcs8-encrypted.pem

Can you help me with this issue please?


(Jochen) #2

Are all files readable for the system user running the Graylog process? All directories leading to the file must be readable for that user, too.

You can check this with namei -l /etc/graylog/server/certificates/pkcs8-encrypted.pem etc.

What’s the content of the exception you’ve posted? (Lines before and after the actual exception)
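
The per-component check that namei -l shows by eye can also be evaluated for a specific account. The following is an added example, not part of the original thread or of Graylog: it walks each path component and reports where a given uid/gid set lacks search (x) permission on a directory or read permission on the key file, and flags a key that is accessible to "other". It assumes classic mode bits only; the function name and messages are made up for this example.

```python
import os
import stat
import sys

def check_path_access(path, uid, gids, private=True):
    """Return [(component, problem), ...] for a process running as uid/gids.

    Walks every component of the path, as `namei -l` does, using classic
    mode bits only (POSIX ACLs, SELinux and capabilities are ignored).
    """
    problems = []
    parts = os.path.realpath(path).strip(os.sep).split(os.sep)
    components, current = [os.sep], os.sep
    for part in parts:
        current = os.path.join(current, part)
        components.append(current)
    for comp in components:
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            problems.append((comp, "missing"))
            break
        is_dir = stat.S_ISDIR(st.st_mode)
        # Pick the owner, group or other permission triplet.
        if uid == st.st_uid:
            shift = 6
        elif st.st_gid in gids:
            shift = 3
        else:
            shift = 0
        bits = (st.st_mode >> shift) & 0o7
        needed = 0o1 if is_dir else 0o4  # search (x) on dirs, read on the file
        if uid != 0 and not bits & needed:
            problems.append((comp, "no search (x) permission" if is_dir else "not readable"))
        if private and not is_dir and st.st_mode & 0o007:
            problems.append((comp, "world-accessible private key"))
    return problems

if __name__ == "__main__":
    import pwd
    # Usage (run as root so every component can be stat'ed): script.py <key file> <user>
    user = pwd.getpwnam(sys.argv[2])
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for comp, problem in check_path_access(sys.argv[1], user.pw_uid, groups):
        print(f"{comp}: {problem}")
```

An empty result means the mode bits allow the account to reach and read the file; the account name passed on the command line is whatever user the Graylog service runs as on that host.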


(David Papay) #3

Hello,
thanks a lot, there really was a problem with access rights, which I resolved, and both Graylog nodes are running well now.