How to configure Graylog 3.0 with HTTPS


(arfin) #1

Hello Guys,

I have stood up a Graylog 3.0 server manually on CentOS in my local environment, but I have a problem configuring HTTPS. I have tried to configure HTTPS, but it is not working for me. I have seen many steps on the internet, but they are all for Graylog version 2.x; in 3.0 many of those steps are not in the configuration file. Please help me out with this; if someone has any notes, please provide them.

This is the error I am getting when I configure HTTPS:

java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:148) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.security.KeyException: No private key found in file: /home/ssgconfig/graylog.allied.p12
at org.graylog2.shared.security.tls.PemReader.readPrivateKey(PemReader.java:88) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:97) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:342) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:168) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:142) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_191]
2018-12-31T13:02:03.378+05:30 INFO [Server] SIGNAL received. Shutting down.
2018-12-31T13:02:03.384+05:30 INFO [GracefulShutdown] Graceful shutdown initiated.
2018-12-31T13:02:03.384+05:30 INFO [GracefulShutdown] Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
2018-12-31T13:02:07.390+05:30 INFO [GracefulShutdown] Goodbye.
2018-12-31T13:02:21.278+05:30 INFO [CmdLineTool] Loaded plugin: AWS plugins 3.0.0-alpha.5 [org.graylog.aws.AWSPlugin]
2018-12-31T13:02:21.282+05:30 INFO [CmdLineTool] Loaded plugin: Collector 3.0.0-alpha.5 [org.graylog.plugins.collector.CollectorPlugin]
2018-12-31T13:02:21.283+05:30 INFO [CmdLineTool] Loaded plugin: Threat Intelligence Plugin 3.0.0-alpha.5 [org.graylog.plugins.threatintel.ThreatIntelPlugin]
2018-12-31T13:02:21.966+05:30 INFO [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm
2018-12-31T13:02:22.361+05:30 INFO [Version] HV000001: Hibernate Validator 5.1.3.Final
2018-12-31T13:02:27.180+05:30 INFO [InputBufferImpl] Message journal is enabled.
2018-12-31T13:02:27.227+05:30 INFO [NodeId] Node ID: d98c7a23-e294-4559-bb43-39116d55bb31
2018-12-31T13:02:27.656+05:30 INFO [LogManager] Loading logs.
2018-12-31T13:02:27.794+05:30 INFO [LogManager] Logs loading complete.
2018-12-31T13:02:27.794+05:30 INFO [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
2018-12-31T13:02:27.849+05:30 INFO [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy , running 2 parallel message handlers.
2018-12-31T13:02:27.903+05:30 INFO [cluster] Cluster created with settings {hosts=[localhost:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout=‘30000 ms’, maxWaitQueueSize=5000}
2018-12-31T13:02:27.992+05:30 INFO [cluster] Cluster description not yet available. Waiting for 30000 ms before timing out
2018-12-31T13:02:28.059+05:30 INFO [connection] Opened connection [connectionId{localValue:1, serverValue:145}] to localhost:27017


#2

Have you checked this part of your log?
Maybe wrong key format, wrong file permissions…
But no one will know if you don’t share your Graylog config.


(Tess) #3

To my knowledge, the input file should not be a PKCS12 container, but PKCS8 with nothing at all except the private key in PEM format.


(arfin) #4

OK, I will try.

Thanks.


(Tess) #5

Feel free to refer to a post I made earlier about the process I follow to set up the certs and keys.


(arfin) #6

As you mentioned, both certificates should be in .pem format. It works, but where should I go to configure HTTPS in the server.conf file? As I mentioned, I am using Graylog version 3.0, and many of the options for configuring HTTPS are not there.

Please help me out.

Regards,
Shaikh Arfin


(Tess) #7

It appears that the settings have changed a little bit. You can compare the 2.5 docs versus the 3.0 docs.

https://docs.graylog.org/en/2.5/pages/configuration/https.html

https://docs.graylog.org/en/3.0/pages/configuration/https.html

The first thing I noticed was:

  • Enable TLS for the Graylog REST API ( rest_enable_tls )
  • Enable TLS for the web interface endpoint ( web_enable_tls )

versus:

To make this work, you need to enable the http_enable_tls setting in your Graylog server configuration.
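A small check for the renamed settings, as an added example that is not from this thread or from the Graylog project: it scans a server.conf for the 2.x TLS keys and prints the 3.0 name for each, then prints the 3.0-style fragment. The rest_enable_tls / web_enable_tls to http_enable_tls mapping is the one pointed out above; the *_tls_cert_file, *_tls_key_file and *_tls_key_password names are taken from the 2.x and 3.0 server.conf references and are an assumption here, as are the file paths.

```shell
#!/bin/sh
# Added example, not Graylog's own tooling. Finds Graylog 2.x TLS settings that
# no longer exist in the 3.0 server.conf and names their 3.0 replacement.
# Mapping of the *_enable_tls flags is from the docs compared above; the
# cert/key/password key names are assumed from the 2.x and 3.0 config references.

# stale_tls_settings <server.conf>: prints "old_key -> new_key" for every 2.x
# TLS key found on an uncommented line.
stale_tls_settings() {
    awk -F= '
        BEGIN {
            map["rest_enable_tls"]       = "http_enable_tls"
            map["web_enable_tls"]        = "http_enable_tls"
            map["rest_tls_cert_file"]    = "http_tls_cert_file"
            map["web_tls_cert_file"]     = "http_tls_cert_file"
            map["rest_tls_key_file"]     = "http_tls_key_file"
            map["web_tls_key_file"]      = "http_tls_key_file"
            map["rest_tls_key_password"] = "http_tls_key_password"
            map["web_tls_key_password"]  = "http_tls_key_password"
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            key = $1
            gsub(/[[:space:]]/, "", key)                  # "rest_enable_tls " -> "rest_enable_tls"
            if (key in map) printf "%s -> %s\n", key, map[key]
        }' "$1"
}

# count_stale_tls_settings <server.conf>: number of stale keys, as a bare integer.
count_stale_tls_settings() {
    stale_tls_settings "$1" | wc -l | tr -d ' '
}

# graylog3_tls_fragment <cert.pem> <key.pem>: the 3.0-style TLS block for
# server.conf (paths are whatever the caller passes; constructed example values
# are used in the usage below).
graylog3_tls_fragment() {
    cat <<EOF
http_enable_tls = true
http_tls_cert_file = $1
http_tls_key_file = $2
EOF
}

# Usage on a constructed 2.x-style config:
#   stale_tls_settings /etc/graylog/server/server.conf
#   graylog3_tls_fragment /etc/graylog/server/graylog-cert.pem /etc/graylog/server/graylog-key.pem
```

Commented-out lines are ignored on purpose, so a key that is only present in a `#` comment does not count as stale.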


(arfin) #8

Hello,

I have tried what you mentioned above. It works: my self-signed certificate is accepted, but when I hit the URL the web interface does not come up. It picks up my certificate.


(Tess) #9

It’s explicitly telling you what is wrong:

  1. The hostname does not match any of the names on the certificate.
  2. The issuing CA is not a trusted CA, which makes sense because it’s a self-signed cert.

You should be asking your security / PKI team for an official certificate from your company’s CA, instead of baking your own self-signed cert.
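An added example, not from this thread or from Graylog, that covers both the point made in #3 (the key file must be an unencrypted PKCS#8 PEM key, not a PKCS#12 container) and the two checks in #9 (the hostname must appear in the certificate's subject alternative names, and the issuer must be trusted). It needs the openssl CLI (1.1.1 or newer); the hostname graylog.example.test, the file names and the password "secret" are constructed lab values, and the sample certificate it builds is for the lab only.

```shell
#!/bin/sh
# Added example, not Graylog's own code. Requires the openssl CLI (1.1.1 or newer
# for -addext / -ext). All names, paths and the password are constructed lab values.

# make_sample_p12 <dir>: build a constructed self-signed cert + key for
# graylog.example.test and pack them into a PKCS#12 container, the kind of input
# Graylog's PemReader rejects with "No private key found in file".
make_sample_p12() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=graylog.example.test" \
        -addext "subjectAltName=DNS:graylog.example.test" \
        -keyout "$dir/sample-key.pem" -out "$dir/sample-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/sample-cert.pem" -inkey "$dir/sample-key.pem" \
        -passout pass:secret -out "$dir/sample.p12"
}

# convert_p12_to_pem <container.p12> <password> <outdir>:
# writes <outdir>/graylog-cert.pem and <outdir>/graylog-key.pem (unencrypted PKCS#8).
convert_p12_to_pem() {
    p12="$1"; pass="$2"; out="$3"
    mkdir -p "$out"
    # Certificate only; re-encoding through x509 drops the "Bag Attributes" text
    # that pkcs12 prints above the PEM block.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/graylog-cert.pem"
    # Key only, unencrypted, then normalised to PKCS#8 ("BEGIN PRIVATE KEY").
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkcs8 -topk8 -nocrypt -out "$out/graylog-key.pem"
    chmod 600 "$out/graylog-key.pem"   # readable by the service account only
}

# check_pkcs8_key <file>: 0 if <file> is an unencrypted PKCS#8 PEM key that
# openssl parses, 1 otherwise (a .p12 container fails both tests).
check_pkcs8_key() {
    grep -q -- '^-----BEGIN PRIVATE KEY-----' "$1" 2>/dev/null || return 1
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
}

# cert_key_match <cert.pem> <key.pem>: 0 if the key belongs to the certificate
# (identical public key), 1 otherwise.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_matches_host <cert.pem> <hostname>: 0 if <hostname> is listed as a DNS
# SAN. Browsers match on SANs only, so a CN-only certificate fails this too.
cert_matches_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# cert_chains_to <cert.pem> [ca.pem]: 0 if the certificate verifies against the
# given CA file, or against the system trust store when no CA file is given.
# A self-signed cert passes only when it is itself supplied as the CA, which is
# the "issuing CA is not trusted" situation from the browser's point of view.
cert_chains_to() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Usage:
#   convert_p12_to_pem graylog.p12 secret ./pem
#   check_pkcs8_key ./pem/graylog-key.pem && cert_matches_host ./pem/graylog-cert.pem graylog.example.test
```

The two `cert_*` checks reproduce what the browser complains about in #9 before Graylog is even restarted: run `cert_matches_host` with the exact hostname you will type into the address bar, and `cert_chains_to` with the CA bundle your clients actually trust.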


(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.