How to setup SSL in Graylog with valid cert and key files

(Ganeshbabu Ramamoorthy) #1

Hi All,

We are able to setup SSL/TLS configuration in Graylog by creating self signed private key & certificate and It was working fine without any issues, but now I am trying to do the same setup with having proper certificates in place, which are valid and trusted by the clients.

As I followed this documentation for setting up the self signed certificates but unable to do with valid certificate and key file

Please kindly let us know how to setup the valid certificate and key for HTTPS in graylog and kindly share any documentation for reference and it would be very helpful to resolve it.

Ganeshbabu R

(Ganeshbabu Ramamoorthy) #2

Hi All,

As per the documentation the graylog will only work only if the certificate/key files are in the right format, which is X.509 for certificates and PKCS#8 for the private keys. Both must to be stored in PEM format.

Since my valid certificate & key files are in the name of,


and I tried to change the format to PEM by using the below commands,

openssl x509 -in graylog.crt -outform PEM -out graylog-certificate.pem
openssl pkcs8 -topk8 -inform PEM -outform PEM -in graylog.key -out graylogkey.pem -nocrypt

But however I am getting the below exception in logs files,

2017-12-01T18:27:31.490Z INFO  [LegacyDefaultStreamMigration] Legacy default stream has no connections, no migration needed.
2017-12-01T18:27:31.747Z ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state. overrun, bytes = 1194
        at javax.crypto.EncryptedPrivateKeyInfo.<init>( ~[?:1.8.0_122]
        at ~[graylog.jar:?]
        at ~[graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator( ~[graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.startUpApi( ~[graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.startUp( ~[graylog.jar:?]
        at$DelegateService$ [graylog.jar:?]
        at$ [graylog.jar:?]
        at [?:1.8.0_151]
2017-12-01T18:27:31.754Z INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Failed [LB:DEAD]
2017-12-01T18:27:31.755Z ERROR [InputSetupService] Not starting any inputs because lifecycle is: Failed [LB:DEAD]

Please kindly correct me if I am doing anything wrong in the setup.

Ganeshbabu R

(Jan Doberstein) #3

you might want to use the following script to generate the keys:

it will also guide you in the commands - when you are unsure what to use.

In addition the error you post is not connected to any ssl certificate error.

We would need to know how you configured your Graylog (what is your server.conf) and what is the error you have (your server.log).


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.