Https troubleshooting

Hello,

Sorry if the subject has already been raised… I'm a little lost… I need some help…

I have a question regarding encryption, here is the context.

My graylog installation on single node:

  • CentOS 8
  • mongod v4.0.18
  • elastic v6.8.9
  • Graylog 3.2

Actually, the Graylog GUI works over HTTP; I want to migrate to HTTPS.

When I look at the documentation https://docs.graylog.org/en/3.2/pages/configuration/https.html, I don't understand if nginx or apache is obligatory to encrypt the Graylog GUI.

And if nginx or apache must be installed, who has the certificate? nginx or Graylog? Or both?

Thanks in advance

Regards

Franz

Nginx/Apache is only required to act as a reverse proxy.
You can run Graylog over HTTPS on tcp/9000 without them.

Thanks Ponet,

I tried to migrate but that doesn't work…

I followed the document; here you can find what I've done on the Graylog server.

Add these lines to /etc/profile

export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/
export PATH=$JAVA_HOME/bin:$PATH

Copy the Java cacerts

cp -a "${JAVA_HOME}/jre/lib/security/cacerts" /certs/cacerts.jks

Generate a certificate and import it into the keystore

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:XXXXX
keytool -importcert -keystore /certs/cacerts.jks -storepass XXXXX -alias graylog-https -file cert.pem

Modify /etc/sysconfig/graylog

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/certs/cacerts.jks -Djavax.net.ssl.trustStorePassword=XXXXX"

Modify the rights on /certs

chown graylog:graylog /certs/*

Change server.conf

http_publish_uri = https://10.10.10.11:9000/
http_enable_tls = true
http_tls_cert_file = /certs/cert.pem
http_tls_key_file = /certs/pkcs8-encrypted.pem
http_tls_key_password = XXXXX

Restart mongod, elastic and graylog, and that doesn't work.

When I look at mongod.log it seems good

2020-05-19T17:15:56.093+0200 I ACCESS [conn5] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39204
2020-05-19T17:15:56.097+0200 I ACCESS [conn8] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39210
2020-05-19T17:15:56.100+0200 I ACCESS [conn6] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39206
2020-05-19T17:15:56.107+0200 I ACCESS [conn4] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39202
2020-05-19T17:15:56.116+0200 I ACCESS [conn7] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39208
2020-05-19T17:15:56.128+0200 I ACCESS [conn9] Successfully authenticated as principal mongo_graylog on graylog from client 127.0.0.1:39212
2020-05-19T17:15:56.188+0200 I SHARDING [conn4] Marking collection graylog.ldap_settings as collection version:
2020-05-19T17:15:56.296+0200 I SHARDING [conn2] Marking collection graylog.collector_uploads as collection version:

The elastic logs are the same, they seem good

[2020-05-19T17:15:51,660][INFO ][o.e.d.DiscoveryModule ] [L9YFaga] using discovery type [zen] and host providers [settings]
[2020-05-19T17:15:52,444][INFO ][o.e.n.Node ] [L9YFaga] initialized
[2020-05-19T17:15:52,444][INFO ][o.e.n.Node ] [L9YFaga] starting …
[2020-05-19T17:15:52,798][INFO ][o.e.t.TransportService ] [L9YFaga] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300}
[2020-05-19T17:15:52,834][WARN ][o.e.b.BootstrapChecks ] [L9YFaga] system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2020-05-19T17:15:55,970][INFO ][o.e.c.s.MasterService ] [L9YFaga] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {L9YFaga}{L9YFagaARtSsIkr_czIRSA}{y3PEbgAeQTeNBlxdtosd-g}{127.0.0.1}{127.0.0.1:9300}
[2020-05-19T17:15:55,978][INFO ][o.e.c.s.ClusterApplierService] [L9YFaga] new_master {L9YFaga}{L9YFagaARtSsIkr_czIRSA}{y3PEbgAeQTeNBlxdtosd-g}{127.0.0.1}{127.0.0.1:9300}, reason: apply cluster state (from master [master {L9YFaga}{L9YFagaARtSsIkr_czIRSA}{y3PEbgAeQTeNBlxdtosd-g}{127.0.0.1}{127.0.0.1:9300} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2020-05-19T17:15:56,151][INFO ][o.e.h.n.Netty4HttpServerTransport] [L9YFaga] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200}
[2020-05-19T17:15:56,151][INFO ][o.e.n.Node ] [L9YFaga] started
[2020-05-19T17:15:56,800][INFO ][o.e.g.GatewayService ] [L9YFaga] recovered [3] indices into cluster_state
[2020-05-19T17:15:58,234][INFO ][o.e.c.r.a.AllocationService] [L9YFaga] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[graylog_0][1]] …]).

But in graylog.log…

2020-05-19T17:42:01.569+02:00 INFO [GracefulShutdownService] Initiate shutdown for
2020-05-19T17:42:01.569+02:00 INFO [GracefulShutdownService] Finished shutdown for , took 0 ms
2020-05-19T17:42:01.572+02:00 INFO [LogManager] Shutting down.
2020-05-19T17:42:01.576+02:00 INFO [JournalReader] Stopping.
2020-05-19T17:42:01.577+02:00 INFO [LookupDataAdapterRefreshService] Stopping 0 jobs
2020-05-19T17:42:01.609+02:00 INFO [Buffers] Waiting until all buffers are empty.
2020-05-19T17:42:01.610+02:00 INFO [Buffers] All buffers are empty. Continuing.
2020-05-19T17:42:01.616+02:00 INFO [OutputSetupService] Stopping output org.graylog2.outputs.BlockingBatchedESOutput
2020-05-19T17:42:01.629+02:00 INFO [LogManager] Shutdown complete.
2020-05-19T17:42:31.566+02:00 ERROR [ServerBootstrap] Unable to shutdown properly on time. {STOPPING=[JobSchedulerService [STOPPING]], TERMINATED=[InputSetupService [TERMINATED], MongoDBProcessingStatusRecorderService [TERMINATED], PeriodicalsService [TERMINATED], UrlWhitelistService [TERMINATED], StreamCacheService [TERMINATED], OutputSetupService [TERMINATED], EtagService [TERMINATED], GracefulShutdownService [TERMINATED], LookupTableService [TERMINATED], ConfigurationEtagService [TERMINATED], JournalReader [TERMINATED], BufferSynchronizerService [TERMINATED], KafkaJournal [TERMINATED]], FAILED=[JerseyService [FAILED]]}
2020-05-19T17:42:31.567+02:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_252]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_252]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_252]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_252]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:137) ~[?:1.8.0_252]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:119) ~[?:1.8.0_252]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:393) ~[?:1.8.0_252]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_252]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:347) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:172) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:146) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_252]
2020-05-19T17:42:31.576+02:00 INFO [Server] SIGNAL received. Shutting down.
2020-05-19T17:42:31.592+02:00 INFO [GracefulShutdown] Graceful shutdown initiated.
2020-05-19T17:42:31.593+02:00 INFO [GracefulShutdown] Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
2020-05-19T17:42:35.596+02:00 INFO [GracefulShutdown] Goodbye.

At first, I thought I had a password error, but that's not it… do you have an idea?

Thanks in advance

I found this https://github.com/Graylog2/graylog2-server/issues/7552

I generated the PKCS8 key without a password and Graylog works!
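The stack trace in the earlier post shows where the failure sits: Graylog's PemKeyStore hands the key file to the JVM's EncryptedPrivateKeyInfo parser, which then chokes on the PBES2 parameters. A quick check before pointing http_tls_key_file at a file is therefore to read the PEM label (PRIVATE KEY versus ENCRYPTED PRIVATE KEY, which decides whether http_tls_key_password is needed at all) and, for an encrypted key, the PBES2 KDF, PRF and cipher identifiers it declares, since those are what the runtime has to understand. The script below is an added example, not part of this thread and not Graylog's own code; it carries a minimal DER reader rather than a crypto library so it runs offline, and the sample keys it builds are constructed stand-ins with dummy bytes in place of real key material. The names inspect_pkcs8_pem, build_plain_sample and build_encrypted_sample are mine.

```python
import base64
import re

# Standard OIDs that appear in a PKCS#8 key file
RSA = "1.2.840.113549.1.1.1"
PBES2 = "1.2.840.113549.1.5.13"
PBKDF2 = "1.2.840.113549.1.5.12"
AES256_CBC = "2.16.840.1.101.3.4.1.42"
OID_NAMES = {RSA: "rsaEncryption", PBES2: "PBES2", PBKDF2: "PBKDF2",
             "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
             AES256_CBC: "aes256-CBC", "1.2.840.113549.3.7": "des-EDE3-CBC"}

def name(oid):
    return OID_NAMES.get(oid, oid)

# Minimal DER encode/decode: enough for PrivateKeyInfo and EncryptedPrivateKeyInfo
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def inspect_pkcs8_pem(pem_text):
    """Report whether a PKCS#8 PEM is encrypted and which algorithms it declares."""
    label, blob = pem_to_der(pem_text)
    tag, top, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("PKCS#8 must start with a SEQUENCE")
    fields = read_children(top)
    if label == "PRIVATE KEY":
        # PrivateKeyInfo ::= SEQUENCE { version, privateKeyAlgorithm, privateKey }
        alg = read_children(fields[1][1])
        return {"encrypted": False, "key_algorithm": name(decode_oid(alg[0][1]))}
    if label == "ENCRYPTED PRIVATE KEY":
        # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
        alg = read_children(fields[0][1])
        scheme = decode_oid(alg[0][1])
        info = {"encrypted": True, "scheme": name(scheme)}
        if scheme == PBES2:
            # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
            kdf_ai, enc_ai = read_children(alg[1][1])
            kdf = read_children(kdf_ai[1])
            info["kdf"] = name(decode_oid(kdf[0][1]))
            # PBKDF2-params ::= SEQUENCE { salt, iterationCount, keyLength OPTIONAL, prf DEFAULT hmacWithSHA1 }
            params = read_children(kdf[1][1])
            info["iterations"] = int.from_bytes(params[1][1], "big")
            prf = [p for p in params if p[0] == 0x30]
            info["prf"] = name(decode_oid(read_children(prf[0][1])[0][1])) if prf else "hmacWithSHA1"
            info["cipher"] = name(decode_oid(read_children(enc_ai[1])[0][1]))
        return info
    raise ValueError(f"unexpected PEM label {label!r}; expected a PKCS#8 key")

# Constructed samples: the real file layout, with dummy bytes where key material would be
def _pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def build_plain_sample():
    body = der(0x02, b"\x00") + der(0x30, encode_oid(RSA) + der(0x05, b"")) + der(0x04, b"\x00" * 8)
    return _pem("PRIVATE KEY", der(0x30, body))

def build_encrypted_sample(prf_oid="1.2.840.113549.2.9", cipher_oid=AES256_CBC):
    kdf_params = der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00") + der(0x30, encode_oid(prf_oid) + der(0x05, b""))
    kdf = der(0x30, encode_oid(PBKDF2) + der(0x30, kdf_params))
    enc = der(0x30, encode_oid(cipher_oid) + der(0x04, b"\x02" * 16))
    alg = der(0x30, encode_oid(PBES2) + der(0x30, kdf + enc))
    return _pem("ENCRYPTED PRIVATE KEY", der(0x30, alg + der(0x04, b"\x03" * 32)))
```

To run it against a real file, pass the contents of pkcs8-encrypted.pem (or the unencrypted variant from the last post) to inspect_pkcs8_pem; the returned dict tells you whether a key password applies and which KDF/PRF/cipher triple the Java side is being asked to handle, which is the information to compare against the linked GitHub issue before deciding between an unencrypted key and re-encoding with different PBES2 parameters.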
