HTTPS Setup Error

Hello,

I hope someone can help me with this.

I have Graylog 3.1, MongoDB 4 and Elasticsearch 6.

I run Graylog with docker-compose.
Graylog was running with HTTP.
I tried adding HTTPS and followed the guide for Graylog 3.1.

When I try to start it with docker-compose up I get this error:

graylog_1        | 2020-02-07 14:27:33,809 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration
graylog_1        | com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/docker/certs/graylog-key.pem
graylog_1        |      at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
graylog_1        |      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_232]
graylog_1        |      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_232]
graylog_1        |      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_232]
graylog_1        |      at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_232]

My docker-compose.yml looks like this:

  graylog:
    image: graylog/graylog:3.1
    environment:
      - "GRAYLOG_SERVER_JAVA_OPTS=-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/docker/certs/cacerts.jks"
      - GRAYLOG_HTTP_ENABLE_TLS=true
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem
      - GRAYLOG_HTTP_TLS_KEY_PASSWORD=...
      - GRAYLOG_HTTP_PUBLISH_URI=https://{IPAddress}:9000/
      - GRAYLOG_PASSWORD_SECRET=...
      - GRAYLOG_ROOT_PASSWORD_SHA2=...
      - GRAYLOG_HTTP_EXTERNAL_URI=https://{IPAddress}:9000/

The permissions for the files look like this:

drwxr-xr-x graylog docker certs
-rw-r--r-- root    root   graylog-cert.pem
drwxr-xr-x root root certs
-rwxrwxrwx root root graylog-key.pem

I tried both with root:root and with graylog:docker.

I redid the certificate and the key (the key is PKCS#8):
Key:

-----BEGIN ENCRYPTED PRIVATE KEY-----
GXG0jqxa9k1xx0evlU0nDUg
-----END ENCRYPTED PRIVATE KEY-----

Cert:

-----BEGIN CERTIFICATE-----
…Zmb+y76acEqf2yqbXo=
-----END CERTIFICATE-----

I added graylog-cert.pem to the copied cacert.jks.

I feel like I am just missing something very obvious, but after spending quite some time searching I hope someone can help me with my problem.

If something else is needed I will gladly provide that.

Hey @Mentros

Is your GRAYLOG_HTTP_TLS_* key/cert available INSIDE the container at the path you have configured?

It does not look like you have mounted the certs into the Docker image (or you have not included that part of the docker-compose file).

Please see https://docs.graylog.org/en/3.2/pages/installation/docker.html#persisting-data
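The check jan asks for can be scripted. What follows is an added example, not part of this thread and not Graylog's own tooling: a small pre-flight script that reads a docker-compose.yml the way the fragments in this thread are written (one `- VAR=value` or `- host:container` list item per line; it is a line-based approximation, not a full YAML parser) and reports, for each GRAYLOG_HTTP_TLS_CERT_FILE and GRAYLOG_HTTP_TLS_KEY_FILE path, whether a bind mount covers it and whether the host-side file exists. The two compose fragments embedded in it are constructed to mirror the "before" (TLS paths set, nothing mounted) and "after" (volumes added) states of this thread; `check_tls_mounts` and `compose_dir` are names chosen for this example.

```python
import os
import re
import sys

# Matches "- GRAYLOG_HTTP_TLS_CERT_FILE=/path" or "- GRAYLOG_HTTP_TLS_KEY_FILE=/path",
# with or without surrounding double quotes.
ENV_RE = re.compile(r'^\s*-\s*"?(GRAYLOG_HTTP_TLS_(?:CERT|KEY)_FILE)=([^"\s]+)"?\s*$')
# Matches a bind mount "- ./host/path:/container/path[:ro]"; named volumes such as
# "mongo_data:/data/db" start with a letter and are deliberately skipped.
VOL_RE = re.compile(r'^\s*-\s*"?([./~][^:\s"]*):(/[^:\s"]*)(?::[^\s"]*)?"?\s*$')


def check_tls_mounts(compose_text: str, compose_dir: str = ".") -> dict:
    """Map each configured TLS file variable to (container_path, host_path, status).

    status is "ok" when a bind mount covers the container path and the host file
    exists, "host file missing" when the mount is declared but the host file is
    absent, and "not mounted" when no volume covers the path at all, which is the
    situation behind Graylog's "Unreadable or missing HTTP private key" error.
    """
    env, mounts = {}, []
    for line in compose_text.splitlines():
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = VOL_RE.match(line)
        if m:
            mounts.append((m.group(1), m.group(2)))

    report = {}
    for var, cpath in env.items():
        for host, target in mounts:
            # Covered if the path is the mount target itself or lies under a mounted directory.
            if cpath == target or cpath.startswith(target.rstrip("/") + "/"):
                # Relative host paths are resolved against the compose file's directory.
                host_path = host if os.path.isabs(host) else os.path.join(compose_dir, host)
                status = "ok" if os.path.exists(host_path) else "host file missing"
                report[var] = (cpath, host_path, status)
                break
        else:
            report[var] = (cpath, None, "not mounted")
    return report


# Constructed fragments mirroring the thread: the first sets the TLS paths but mounts
# nothing, the second adds the volumes.
SAMPLE_BEFORE = """\
services:
  graylog:
    image: graylog/graylog:3.1
    environment:
      - GRAYLOG_HTTP_ENABLE_TLS=true
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem
"""

SAMPLE_AFTER = """\
services:
  graylog:
    image: graylog/graylog:3.1
    volumes:
      - ./certs/graylog-key.pem:/etc/docker/certs/graylog-key.pem
      - ./certs/graylog-cert.pem:/etc/docker/certs/graylog-cert.pem:ro
    environment:
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem
"""


def print_report(report: dict) -> None:
    for var, (cpath, host, status) in report.items():
        print(f"{status:18} {var} -> {cpath}" + (f" (host: {host})" if host else ""))


if __name__ == "__main__":
    # Usage: python check_tls_mounts.py docker-compose.yml   (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text, base = fh.read(), os.path.dirname(os.path.abspath(sys.argv[1]))
        print_report(check_tls_mounts(text, base))
    else:
        print("before:")
        print_report(check_tls_mounts(SAMPLE_BEFORE))
        print("after:")
        print_report(check_tls_mounts(SAMPLE_AFTER))
```

Run it against the real file with `python check_tls_mounts.py docker-compose.yml`; a directory mount such as `./certs:/etc/docker/certs` also counts as covering the files inside it. The script only looks at the host side; the definitive check for readability by the process inside the container remains jan's question, answered by listing the path from within the running container.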

Hello @jan,

Thanks for the fast help.
After mounting the key/cert files in the docker-compose.yml, this problem seems to be gone.

  graylog:
    image: graylog/graylog:3.1
    volumes:
      - ./certs/graylog-key.pem:/etc/docker/certs/graylog-key.pem
      - ./certs/graylog-cert.pem:/etc/docker/certs/graylog-cert.pem
    environment:
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem

Sadly I got right into another one.

graylog_1 | Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
graylog_1 | at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_232]

The solutions I found so far seem not to work for me.

  • I followed the steps for creating a self-signed certificate and it "should" be the right format (the only thing that seems different is that I don't have any bag attributes, and when I list the added certificate it shows me SHA-256 and not SHA-1).

  • I run everything on one machine, so the only IP address in my certificate is the local machine IP address, which I also use for all http-* lines in the docker-compose.yml.

Hope I am not too much of a burden and that you could help me with this problem as well.

Hey @Mentros

I do not know where the ObjectIdentifier issue is coming from. But maybe it is related to this:

https://knowledge.digicert.com/solution/SO874.html
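The ObjectIdentifier exception does carry one useful detail: Java reports the DER tag it ran into, and tag 48 is 0x30, the ASN.1 SEQUENCE tag, so the key parser found a SEQUENCE where it expected an object identifier (tag 6). Where that SEQUENCE sits depends on which of the common PEM private-key layouts the file actually has: unencrypted PKCS#8 (`PRIVATE KEY`), encrypted PKCS#8 (`ENCRYPTED PRIVATE KEY`, the form used earlier in this thread), or traditional PKCS#1 RSA (`RSA PRIVATE KEY`). The following is an added example, not code from the thread or from Graylog: a dependency-free Python inspector that decodes the outer DER structure of a PEM key and reports its layout and algorithm OID without decrypting anything. The three sample keys it ships with are constructed with placeholder key bytes purely to show the layouts; `classify_private_key` and the helper names are chosen for this example.

```python
import base64
import re
import sys

SEQUENCE, INTEGER, OCTET_STRING, OID = 0x30, 0x02, 0x04, 0x06


def parse_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: 0x80|N followed by N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, data[start:start + length], start + length


def children(body: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value


def decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.1."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                  # a clear high bit ends the current arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def classify_private_key(pem: str) -> dict:
    """Report the PEM label, the top-level DER tag and which key layout the file has."""
    m = PEM_RE.search(pem)
    if not m:
        return {"format": "not a PEM block"}
    der = base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = parse_tlv(der)
    result = {"label": m.group(1), "top_tag": tag, "format": "unknown"}
    if tag != SEQUENCE:
        return result
    elems = list(children(body))
    tags = [t for t, _ in elems]
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING]:
        # PrivateKeyInfo: version INTEGER, AlgorithmIdentifier SEQUENCE, key OCTET STRING
        alg = next(v for t, v in children(elems[1][1]) if t == OID)
        result.update(format="PKCS#8 (unencrypted)", algorithm_oid=decode_oid(alg))
    elif tags[:2] == [SEQUENCE, OCTET_STRING]:
        # EncryptedPrivateKeyInfo: PBE AlgorithmIdentifier SEQUENCE, encrypted OCTET STRING
        alg = next(v for t, v in children(elems[0][1]) if t == OID)
        result.update(format="PKCS#8 (encrypted)", encryption_oid=decode_oid(alg))
    elif len(tags) >= 9 and all(t == INTEGER for t in tags):
        # RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv, all INTEGERs
        result["format"] = "PKCS#1 (traditional RSA)"
    return result


# --- Constructed samples: placeholder key bytes, NOT real keys; they only show the layouts ---

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short-form length is enough for these small samples)."""
    return bytes([tag, len(body)]) + body


def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption, 1.2.840.113549.1.1.1
PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # PBES2, 1.2.840.113549.1.5.13
DUMMY_KEY = _tlv(OCTET_STRING, b"\x00" * 8)      # placeholder instead of real key material

SAMPLE_PKCS8 = _pem("PRIVATE KEY", _tlv(SEQUENCE,
    _tlv(INTEGER, b"\x00") + _tlv(SEQUENCE, _tlv(OID, RSA_OID) + b"\x05\x00") + DUMMY_KEY))
SAMPLE_PKCS8_ENC = _pem("ENCRYPTED PRIVATE KEY", _tlv(SEQUENCE,
    _tlv(SEQUENCE, _tlv(OID, PBES2_OID) + _tlv(SEQUENCE, b"")) + DUMMY_KEY))
SAMPLE_PKCS1 = _pem("RSA PRIVATE KEY", _tlv(SEQUENCE,
    _tlv(INTEGER, b"\x00") + b"".join(_tlv(INTEGER, b"\x01") for _ in range(8))))

if __name__ == "__main__":
    # Usage: python inspect_key.py /path/to/graylog-key.pem   (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(classify_private_key(fh.read()))
    else:
        for name, pem in (("pkcs8", SAMPLE_PKCS8), ("pkcs8-enc", SAMPLE_PKCS8_ENC), ("pkcs1", SAMPLE_PKCS1)):
            print(name, classify_private_key(pem))
```

Run it on the key before handing it to Graylog: it tells you which layout the file has and, for an encrypted PKCS#8 key, which password-based encryption scheme wraps it, which is the information to compare against what the Graylog version in use accepts. It never needs the passphrase, so it is safe to run on a key that is still encrypted.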

Worked it out now (somewhat).

I also had to mount the cacert.jks, and I use the unencrypted key now.
Couldn't get it to work with the encrypted key, but HTTPS works fine.

Thx for the help @jan.