HTTPS on Graylog 3.0.0-12 OVA

Good morning,
I need help setting up HTTPS access to the web interface of my Graylog 3.0 installation.
I performed the installation starting from the OVA image in version 3.0.0-12.
Following the procedure indicated on the web page http://docs.graylog.org/en/3.0/pages/configuration/https.html, I could not complete the configuration.
Could someone who has managed to do it make a video tutorial with an installation and configuration starting from scratch?
That is, only the part about creating the certificates and editing the server.conf configuration file?
In previous versions these commands were enough:
sudo graylog-ctl enforce-ssl and sudo graylog-ctl; the configuration took place entirely through already integrated scripts.
Thanks for your time

sudo graylog-ctl enforce-ssl and sudo graylog-ctl; the configuration took place entirely through already integrated scripts.

graylog-ctl is no longer provided; the OVA image is a plain Ubuntu-based OS package installation. I agree that we might document the process better, because the selected page above holds all possible commands you might need.


Ooofff, that’s a whole separate field of expertise if you want to tackle it properly. It’s kind of my job at the mo’. @jan already asked me to start putting together a Wiki page, which I’ll hopefully do RSN™.

Ok, I'll stay tuned, sure to receive the help I need.
Being able to implement HTTPS on the new version is the only way for me to migrate from the 2.4.6 OVA version to the 3.0.0-12 OVA version.
Thanks in advance

Just to have the reference given: creating a CA and certificates is easier when using my shadowCA.

You would only need to add the certificates to the places where you want to use them.

On the other hand, I can imagine that would run afoul of the official Certificate Policy and Certificate Practice Statement of any organization that takes PKI seriously.

If your org is like that (PKI + certs = important), then you’ll need to work with your PKI administrators to get the required certificates. I’ve just submitted a pull request on Github for an addition to the security chapter of the docs, which explains the required certificates for a full Graylog cluster.

…but starting from a clean installation from an OVA image, is it possible to have a script that configures everything automatically, as happened with previous versions?

No, not unless you write one yourself. And at best you would get a certificate that's either self-signed, or from an untrusted CA that the script creates on the localhost. It would not be a proper, trusted certificate (which I doubt the original setup script made either).

And what about using the same certificate used in the past on the OVA appliance, signed directly by Graylog? The one found in the /opt/graylog/conf/nginx/ca/ folder?

Yeah, that's the "locally installed, untrusted CA" option I meant.

You can copy those files over from the previous OVA, sure thing, as long as the hostname hasn't changed. You will then need to manually edit the Graylog server configuration in order to point it towards the right files. You'll also need the original key's password from the previous OVA.

I do not know whether the certificate and its password were generated during the installation/import from the OVA image, or whether they were already present in the image since its creation. I did not enter any key password related to the certificate in past installations.
No idea.
Does the import, and the subsequent activation of the HTTPS protocol through graylog-ctl enforce-ssl, generate the certificate and use the root user's password as the key's password?
Otherwise I need the key's password.

Who knows the default key password of an OVA Graylog appliance installation?

Ok,
using the graylog.crt and graylog.key taken from the old installation, everything works (without using any password). Just out of curiosity… now I am forced to specify port 9000 in the web address (https://<ip_address>:9000). It's not important, but would it be possible not to have to specify it, as was the case previously?
