How to Configure graylog 3.0 in HTTPS

ali1050 · January 2, 2019, 7:10am

Hello Guys,

I have stand up graylog server 3.0 manually in centOS in my local environment, but l have a problem to configure HTTPS, i have tried to configure in https but not working for me, i have seen many step on internet but all are graylog version 2.X in 3.0 many step are not there in configuration file. please help me out of this if some one have any notes please provide me.

This error i am getting when i configure in HTTPS:

java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:148) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.security.KeyException: No private key found in file: /home/ssgconfig/graylog.allied.p12
at org.graylog2.shared.security.tls.PemReader.readPrivateKey(PemReader.java:88) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:97) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:342) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:168) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:142) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_191]
2018-12-31T13:02:03.378+05:30 INFO [Server] SIGNAL received. Shutting down.
2018-12-31T13:02:03.384+05:30 INFO [GracefulShutdown] Graceful shutdown initiated.
2018-12-31T13:02:03.384+05:30 INFO [GracefulShutdown] Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
2018-12-31T13:02:07.390+05:30 INFO [GracefulShutdown] Goodbye.
2018-12-31T13:02:21.278+05:30 INFO [CmdLineTool] Loaded plugin: AWS plugins 3.0.0-alpha.5 [org.graylog.aws.AWSPlugin]
2018-12-31T13:02:21.282+05:30 INFO [CmdLineTool] Loaded plugin: Collector 3.0.0-alpha.5 [org.graylog.plugins.collector.CollectorPlugin]
2018-12-31T13:02:21.283+05:30 INFO [CmdLineTool] Loaded plugin: Threat Intelligence Plugin 3.0.0-alpha.5 [org.graylog.plugins.threatintel.ThreatIntelPlugin]
2018-12-31T13:02:21.966+05:30 INFO [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm
2018-12-31T13:02:22.361+05:30 INFO [Version] HV000001: Hibernate Validator 5.1.3.Final
2018-12-31T13:02:27.180+05:30 INFO [InputBufferImpl] Message journal is enabled.
2018-12-31T13:02:27.227+05:30 INFO [NodeId] Node ID: d98c7a23-e294-4559-bb43-39116d55bb31
2018-12-31T13:02:27.656+05:30 INFO [LogManager] Loading logs.
2018-12-31T13:02:27.794+05:30 INFO [LogManager] Logs loading complete.
2018-12-31T13:02:27.794+05:30 INFO [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
2018-12-31T13:02:27.849+05:30 INFO [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy , running 2 parallel message handlers.
2018-12-31T13:02:27.903+05:30 INFO [cluster] Cluster created with settings {hosts=[localhost:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout=‘30000 ms’, maxWaitQueueSize=5000}
2018-12-31T13:02:27.992+05:30 INFO [cluster] Cluster description not yet available. Waiting for 30000 ms before timing out
2018-12-31T13:02:28.059+05:30 INFO [connection] Opened connection [connectionId{localValue:1, serverValue:145}] to localhost:27017

macko003 · January 2, 2019, 8:48pm

Have you checked this part of your log?
Maybe wrong key format, wrong file permission…
But noone will knows it if you don’t share your graylog config

Totally_Not_A_Robot · January 3, 2019, 6:54am

To my knowledge, the input file should not be a PKCS12 container, but PKCS8 with nothing at all except the private key in PEM format.

ali1050 · January 3, 2019, 7:49am

ok i will try

thanks

Totally_Not_A_Robot · January 3, 2019, 7:59am

Feel free to refer to a post I made earlier about the process I follow to setup the certs and keys.

ali1050 · January 3, 2019, 9:01am

As per you mention both certificate should be in .pem format. it works but where should i go to configure https in server.conf file, as i mention i am using graylog version 3.0 there is many option is not there to configure https.

please help me out.

Regard
Shaikh Arfin

Totally_Not_A_Robot · January 3, 2019, 9:21am

It appears that the settings have changed a little bit. You can compare the 2.5 docs versus the 3.0.

https://docs.graylog.org/en/2.5/pages/configuration/https.html

https://docs.graylog.org/en/3.0/pages/configuration/https.html

The first thing I noticed was:

Enable TLS for the Graylog REST API ( rest_enable_tls )

Enable TLS for the web interface endpoint ( web_enable_tls )

versus:

To make this work, you need to enable the http_enable_tls setting in your Graylog server configuration.

ali1050 · January 3, 2019, 12:37pm

hello,

i have tried what you have mention above, It’s work my self signed certificated is accepted but when i hit url webinterface is not coming up. it pick my certificated

Totally_Not_A_Robot · January 3, 2019, 12:42pm

It’s explicitly telling you what is wrong:

The hostname does not match any of the names on the certificate.
The issuing CA is not a trusted CA, which makes sense because it’s a self-signed cert.

You should be asking your security / PKI team for an official certificate from your company’s CA, instead of baking your own self-signed cert.

system · January 17, 2019, 12:42pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cant get https up and running Graylog Central (peer support)	24	5103	March 7, 2019
Graylog crashes on startup if HTTPS is enabled Graylog Central (peer support)	20	1145	May 8, 2020
Trying to enable SSL Graylog Central (peer support)	7	663	March 4, 2020
Graylog startup failed Graylog Central (peer support)	4	3320	January 12, 2018
Graylog HTTPS issues Graylog Central (peer support)	11	2176	February 7, 2018

How to Configure graylog 3.0 in HTTPS

Related Topics