I'm about to lose my mind with TLS ingestion

I am attempting to ingest logs TLS using a third party Wildcard certificate that we have. I do not need mutual authentication.

I do not care about web interface management on TLS, just the 6514 Syslog TLS input that I have.

How the heck can I get this done? I’ve tried importing in keytool, I’ve tried chowning the keys…

I can’t for the life of me figure out how to even begin troubleshooting this.

  1. What format does the certificate and the key have to be in? Can the key be encrypted?
  2. Where do I put the certificates? Do I have to import them in the java keystore? Do I have to reference them in the server conf?
  3. If I have a .pfx, how can I convert this into the necessary files using OpenSSL? This is hard for me as I keep reading .pem format but the documentation references a .crt and a .key file.

Thank you so much!

The keys and certificates for inputs need to be PEM encoded. The file extensions .crt and .key typically refer to PEM encoded certificates and keys. You often also find the combination (.crt/.pem), which is even more confusing. You can place the files anywhere on the filesystem, as long as they’re readable by the graylog user. The openssl pkcs12 command can convert between the two formats.

You’ll also need to strip the encryption from the key, if there is any. See this report for reference: Undocumented: Format for encrypted keyfiles for TLS inputs · Issue #7432 · Graylog2/graylog2-server · GitHub
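
The conversion and the checks described above, as an added example that is not part of the original thread or of the Graylog project. It assumes openssl is on PATH; the file names, the password and the self-signed wildcard certificate it builds as a stand-in for the third-party bundle are constructed for the demo. Beyond the plain conversion it exports the CA certificates carried in the bundle as well (leaf first), strips the passphrase from the key, and refuses to hand over a key that is still encrypted or that does not belong to the certificate:

```sh
#!/bin/sh
# Added example (not from the thread or from Graylog): turn a PKCS#12 (.pfx)
# bundle into the PEM files a Graylog TLS input expects and check them first.
# Assumes openssl on PATH; all paths, names and passwords are illustrative.
set -eu
umask 077   # temporary files hold the unencrypted key; keep them private

# pfx_to_pem BUNDLE.pfx PASSWORD OUTDIR
# Writes OUTDIR/graylog-certificate.pem (end-entity cert first, then any CA
# certs found in the bundle) and OUTDIR/graylog-key.pem (PKCS#8, no passphrase).
pfx_to_pem() {
    bundle=$1 pass=$2 out=$3
    mkdir -p "$out"
    # -clcerts exports only the end-entity cert, -cacerts only the CA certs;
    # the sed keeps the PEM blocks and drops the "Bag Attributes" preamble.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -clcerts -out "$out/leaf.tmp"
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -cacerts -out "$out/chain.tmp"
    cat "$out/leaf.tmp" "$out/chain.tmp" \
      | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
      > "$out/graylog-certificate.pem"
    # -nodes writes the key without a passphrase (the input cannot decrypt one);
    # openssl pkey normalises it to a clean PKCS#8 "BEGIN PRIVATE KEY" block.
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes -out "$out/key.tmp"
    openssl pkey -in "$out/key.tmp" -out "$out/graylog-key.pem"
    rm -f "$out/leaf.tmp" "$out/chain.tmp" "$out/key.tmp"
    chmod 0644 "$out/graylog-certificate.pem"
    chmod 0600 "$out/graylog-key.pem"
}

# cert_count OUTDIR: number of certificates in the chain file (1 = no intermediate)
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1/graylog-certificate.pem"; }

# verify_pem_pair OUTDIR
# Succeeds only if the key is unencrypted, readable, and matches the leaf cert.
verify_pem_pair() {
    out=$1
    if grep -q 'ENCRYPTED' "$out/graylog-key.pem"; then
        echo "key is still encrypted; the input cannot read it" >&2
        return 1
    fi
    # Compare the SubjectPublicKeyInfo from the cert with the one derived
    # from the key; works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$out/graylog-certificate.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/graylog-key.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    # Graylog opens the files as its service user, so they must be readable by it.
    for f in graylog-certificate.pem graylog-key.pem; do
        [ -r "$out/$f" ] || { echo "$f is not readable" >&2; return 1; }
    done
    echo "certificate and key are consistent ($(cert_count "$out") cert(s) in chain file)"
}

# make_demo_pfx OUTDIR PASSWORD
# Constructed fixture: a throwaway self-signed wildcard cert packed into a
# password-protected .pfx, standing in for the third-party bundle.
make_demo_pfx() {
    out=$1 pass=$2
    mkdir -p "$out"
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=*.example.test\n' > "$out/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out/req.cnf" \
      -keyout "$out/demo.key" -out "$out/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$out/demo.crt" -inkey "$out/demo.key" \
      -passout "pass:$pass" -out "$out/demo.pfx"
    echo "$out/demo.pfx"
}

WORK=$(mktemp -d)
PFX=$(make_demo_pfx "$WORK/fixture" 'changeit')   # constructed input bundle
pfx_to_pem "$PFX" 'changeit' "$WORK/out"
verify_pem_pair "$WORK/out"
echo "point the input at $WORK/out/graylog-certificate.pem and $WORK/out/graylog-key.pem"
```

With a real bundle, run `pfx_to_pem /path/to/keystore.pfx "$PFX_PASSWORD" /etc/graylog/tls` and `chown -R graylog: /etc/graylog/tls` afterwards (the account name is an assumption; use whatever user the graylog-server process runs as). If `cert_count` reports 1 for a third-party wildcard certificate, the intermediate was not in the .pfx and has to be appended to graylog-certificate.pem from the CA's download, otherwise senders that do not already have the intermediate cannot build a chain. Once the input is running, `openssl s_client -connect graylog.example.com:6514 -showcerts </dev/null` from a sender shows exactly which certificates Graylog presents. Note that `SSLV3_ALERT_CERTIFICATE_UNKNOWN` in Graylog's log is an alert received from the peer: the connecting client rejected the certificate Graylog sent, which points at the client's trust store or an incomplete chain rather than at the key file.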

Thanks Jrunu.

This is what I did.

converted the PKCS 12 like so
# certificate(s) only
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
# private key only (PEM, still protected by a passphrase)
openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
# re-wrap as PKCS#8 (still encrypted by default)
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
# strip the passphrase; this is the file the input uses
openssl rsa -in graylog-key.pem -out graylog-keyunencrypted.pem

For my ingestion settings, I have Client authentication off, and the certificate tied to graylog-certificate.pem and the key tied to graylog-keyunencrypted.pem.

I am getting connections but no messages flowing. This is the error I experience below:

I am still getting the following error:

2020-05-25T15:53:37.790Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ebdc3b389e107024e0039bf] (channel [id: 0x7e80ed7d, L:/10.1.9.150:6514 ! R:/34.67.106.77:6439]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN)
2020-05-25T15:53:38.124Z WARN  [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ebdc3b389e107024e0039bf]
2020-05-25T15:53:38.235Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ebdc3b389e107024e0039bf] (channel [id: 0x5d8368e5, L:/10.1.9.150:6514 ! R:/34.67.106.77:6441]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN)

Any Ideas?

Here’s a little result after starting the input

2020-05-25T15:59:26.730Z INFO  [AbstractTcpTransport] Enabled TLS for input [Syslog TCP/5ebdc3b389e107024e0039bf]. key-file="/home/ubuntu/cert/2020cert/graylogkeydecrypted.pem" cert-file="/home/ubuntu/cert/2020cert/graylog-certificate.pem"
2020-05-25T15:59:26.730Z INFO  [InputStateListener] Input [Syslog TCP/5ebdc3b389e107024e0039bf] is now STARTING
2020-05-25T15:59:26.737Z INFO  [InputStateListener] Input [Syslog TCP/5ebdc3b389e107024e0039bf] is now RUNNING
2020-05-25T15:59:27.069Z WARN  [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ebdc3b389e107024e0039bf]
2020-05-25T15:59:27.069Z WARN  [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ebdc3b389e107024e0039bf]
2020-05-25T15:59:27.195Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ebdc3b389e107024e0039bf] (channel [id: 0xecc266cb, L:/10.1.9.150:6514 ! R:/34.67.106.78:45665]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN)
2020-05-25T15:59:27.207Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ebdc3b389e107024e0039bf] (channel [id: 0x929baa03, L:/10.1.9.150:6514 ! R:/34.67.106.78:45666]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN)
2020-05-25T15:59:33.990Z WARN  [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ebdc3b389e107024e0039bf]
2020-05-25T15:59:34.124Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ebdc3b389e107024e0039bf] (channel [id: 0xe0b4bf50, L:/10.1.9.150:6514 ! R:/34.67.106.78:45669]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN)
2020-05-25T15:59:34.176Z WARN  [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ebdc3b389e107024e0039bf]

Can you make sure that “TLS client authentication” is disabled? The warning about the “Client auth configured” shouldn’t appear in your log anymore.
