HTTPS with single node and self signed cert


I’m trying to get HTTPS setup on a dev machine. I’m using a Vagrantfile from the docs to spin up a VM for testing. I have created a cert and pkcs8 encrypted private key from the commands in the docs.

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
Then convert the pkcs5 key into a pkcs8 encrypted key using openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem followed by:

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

So now I have a proper key and self signed cert.

In the VM, I don’t have a /etc/graylog/server/server.conf file but I do have a /opt/graylog/conf/graylog.conf file and a /opt/graylog/server/graylog.conf.example file. Does graylog use the file in /opt/graylog/conf/graylog.conf by default or do I need to copy the file in /opt/graylog/server/graylog.conf.example to /etc/graylog/server/server.conf?

After modifying the appropriate configuration file, do I sudo graylog-ctl reconfigure then sudo graylog-ctl restart?
Do I also have to move the self signed keys to /opt/graylog/conf/nginx/ca with the appropriate names: graylog.crt and graylog.key?
Why does the documentation use *.pem files and the configuration files use *.crt and *.key files

(Jan Doberstein) #2

as it looks like you use the Graylog OVA. You can and should only use the customization that is possible with the graylog-ctl script.

What you can do is clear documented:


So I should only use the sudo graylog-ctl script to set everything up?

Does the graylog-ctl script modify the config file in /opt/graylog/config/*.conf?

(Jochen) #4

Yes, correct.

Yes, these files are re-generated from templates every time you run graylog-ctl reconfigure (or a command which triggers the “reconfigure” target).


If I’m only supposed to use graylog-ctl script to implement HTTPS, how do I load the private key and ssl_cert? Or is their a config file I need to modify manually? NOTE: I don’t have a /etc/graylog/server/server.conf file

(Jan Doberstein) #6

you should read the documentation:

if the possible customizations in the OVA does not match your needs, you should install Graylog yourself. Keep in mind the OVA is build as a showcase, not to be run as a production build.


So, to understand the setup correctly. The images, OVA, AMI, docker are setup as a showcase of graylog. They aren’t designed to be deployed in production environments and come setup with custom paths for elasticsearch, nginx, etcd, etc and scripts?

After we decide to use graylog, we abandon the AMI, OVA, docker and install/configure all the components manually for a production system?

I was trying to “test” https on my local machine using, in this case, the vagrantfile then deploy my settings onto the graylog AMI we have running in production.

(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.