Https Setup Error

Mentros · February 7, 2020, 2:48pm

Hello,

I hope someone can help me with this.

I have Graylog 3.1; mongodb 4; elasticsearch 6

I run graylog with docker-compose.
Graylog was running with Http.
I tried adding Https and followed the Guide for graylog 3.1

When I try to start docker-compose up I get this Error:

graylog_1        | 2020-02-07 14:27:33,809 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration
graylog_1        | com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/docker/certs/graylog-key.pem
graylog_1        |      at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
graylog_1        |      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_232]
graylog_1        |      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_232]
graylog_1        |      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_232]
graylog_1        |      at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_232]

My Docker-Compose.yml looks like this:

 graylog:
    image: graylog/graylog:3.1
    environment:
      - "GRAYLOG_SERVER_JAVA_OPTS=-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/docker/certs/cacerts.jks"
      - GRAYLOG_HTTP_ENABLE_TLS=true
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem
      - GRAYLOG_HTTP_TLS_KEY_PASSWORD=...
      - GRAYLOG_HTTP_PUBLISH_URI=https://{IPAddress}:9000/
      - GRAYLOG_PASSWORD_SECRET=...
      - GRAYLOG_ROOT_PASSWORD_SHA2=...
      - GRAYLOG_HTTP_EXTERNAL_URI=https://{IPAddress}:9000/

the permissions for the files looks like this:

 drwxr-xr-x graylog docker certs
-rw-r--r-- root    root   graylog-cert.pem

drwxr-xr-x root root certs
-rwxrwxrwx root root graylog-key.pem

I tried both with root:root and with graylog:docker.

I redid the certificate and the key (the key is pkcs8):
Key:

-----BEGIN ENCRYPTED PRIVATE KEY-----
GXG0jqxa9k1xx0evlU0nDUg
-----END ENCRYPTED PRIVATE KEY-----

Cert:

-----BEGIN CERTIFICATE-----
…Zmb+y76acEqf2yqbXo=
-----END CERTIFICATE-----

I added graylog-cert.pem to the copied cacert.jks

I feel like I am just missing something very obvious but after spending quite some time searching I hope someone can help me with my problem.

If something else is needed I will gladly provide that.

jan · February 9, 2020, 12:41pm

he @Mentros

is your GRAYLOG_HTTP_TLS_* key/cert on that path you have configured available INSIDE the container?

It does not look - or you have not included that part of the docker-compose - that you have mounted the certs to the docker-image.

Please see https://docs.graylog.org/en/3.2/pages/installation/docker.html#persisting-data

Mentros · February 10, 2020, 9:40am

Hello @jan,

Thanks for the fast help.
After mounting the key/cert files in the docker-compose.yml it seems that this problem is gone.

graylog:
image: graylog/graylog:3.1
volumes:
- ./certs/graylog-key.pem:/etc/docker/certs/graylog-key.pem
- ./certs/graylog-cert.pem:/etc/docker/certs/graylog-cert.pem
environment:
- GRAYLOG_HTTP_TLS_CERT_FILE=/etc/docker/certs/graylog-cert.pem
- GRAYLOG_HTTP_TLS_KEY_FILE=/etc/docker/certs/graylog-key.pem

Sadly I got right into another one.
graylog_1 | Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
graylog_1 | at sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:257) ~[?:1.8.0_232]

The solutions I found so far seem not to work for me.

I followed the steps for creating a sefl-signed-certificate and It “should” be the right format (the only thing that seems different is that I don’t have any bag attributes and when I list the added certificate it shows me the sha-256 and not sha1
I run everything on one machine so the only IP-Address in my certificate is the local machine IP-Address that I also use for all http-* lines in the docker-compose.yml

Hope I am not too much of a burden and that you could help me with this problem aswell.

jan · February 10, 2020, 2:28pm

he @Mentros

I do not know what the ObjectIdentifier issue is coming from. But maybe it is related to this:

https://knowledge.digicert.com/solution/SO874.html

Mentros · February 11, 2020, 10:03am

Worked it out now (somewhat).

I also had to mount the cacert.jks and I use the unencrypted key now.
Couldn’t get it to work with the encrypted key but https works fine.

Thx for the help @jan.

system · February 25, 2020, 10:04am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unreadable or missing http private key docker container graylog Graylog Central (peer support)	1	573	October 1, 2020
Input failed to start after https Graylog Central (peer support)	13	1358	March 26, 2020
Graylog in HTTPS mode with Docker-Compose Graylog Central (peer support)	3	3009	February 27, 2020
Odd thing happen after enable https Graylog Central (peer support)	9	1506	November 6, 2019
Run Graylog with Docker over HTTPS on AWS Graylog Central (peer support)	1	1073	December 3, 2019

Https Setup Error

Related topics