Implementing TLS - Step by Step

I am using the latest info as of 12/31/2023, from the doc created by Drew Miranda:

HOW-TO GUIDE: SECURING GRAYLOG WITH TLS


I am getting this error in server.log:

2024-01-01T18:53:42.398-08:00 ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2024-01-01T18:53:43.447-08:00 WARN  [ProxiedResource] Failed to call API on node <54a0af47-9fcd-4198-bab2-88c70dbf2759>, cause: unexpected end of stream on http://www.usafvet.com:9000/... (duration: 4 ms)
2024-01-01T18:53:43.480-08:00 WARN  [ProxiedResource] Failed to call API on node <54a0af47-9fcd-4198-bab2-88c70dbf2759>, cause: unexpected end of stream on http://www.usafvet.com:9000/... (duration: 6 ms)
2024-01-01T18:53:45.494-08:00 WARN  [ProxiedResource] Failed to call API on node <54a0af47-9fcd-4198-bab2-88c70dbf2759>, cause: unexpected end of stream on http://www.usafvet.com:9000/... (duration: 7 ms)
2024-01-01T18:5

-Server info: Single node with Let's Encrypt cert
-Ubuntu 2204 LTS - Digital Ocean Command Line install option
-Graylog 5.2
-Elasticsearch 17.10 - latest version
Graylog 5.2.2+8eab621 on graylog (Eclipse Adoptium 17.0.9 on Linux 5.15.0-91-generic)

- I am 99% there; once I solve this issue I will post my notes in this thread.

The issue is solved by adding the 's' to the URI:
http_publish_uri = https://www.usafvet.com:9000/

So here is my note, current as of 01/01/2024. Copy & paste line by line, replacing the certificate info and URL with your own.

===============================================================
Implementing TLS Step by Step
-Server Ubuntu 2204 LTS Digital Ocean Command Line Option Installed
-Import certificate PFX, created with Let's Encrypt + Certbot
-Single node graylog 5.2 + Elasticsearch latest version
Graylog 5.2.2+8eab621 on graylog (Eclipse Adoptium 17.0.9 on Linux 5.15.0-91-generic)

==============================================================

============================
In a hurry? Copy and paste line by line, excluding the comment on the right.

openssl pkcs12 -info -in usafvet.com-2024.pfx # Show certificate information
openssl pkcs12 -in usafvet.com-2024.pfx -nocerts -nodes -out keypair.key # Extract the private key (unencrypted, temporary file)
openssl pkcs8 -in keypair.key -topk8 -out private.key # Convert to encrypted PKCS#8 (the passphrase you type here is your http_tls_key_password)
rm keypair.key # Remove the unencrypted copy of the key
openssl pkcs12 -in usafvet.com-2024.pfx -clcerts -nokeys -out public.text.pem # Extract the server certificate (with bag attributes)
openssl x509 -in public.text.pem -out public.cert.pem # Clean up: server certificate only, PEM format
openssl pkcs12 -in usafvet.com-2024.pfx -cacerts -nokeys -out public.chain.text.pem # Extract the CA chain (with bag attributes)
sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' public.chain.text.pem > public.chain.pem # Clean up the chain, keeping every CA certificate (openssl x509 would keep only the first one)
cat public.cert.pem public.chain.pem > public.pem # Combine server certificate + CA chain into the final public.pem
sudo mkdir /usr/share/graylog-server/tls/ # Create tls folder for the certificate and private key
sudo cp public.pem /usr/share/graylog-server/tls/ # Copy certificate chain to Graylog folder
sudo cp private.key /usr/share/graylog-server/tls/ # Copy private key to Graylog folder
sudo chown graylog:graylog /usr/share/graylog-server/tls/* # Change ownership to graylog
sudo chmod 600 /usr/share/graylog-server/tls/private.key # Private key readable/writable by its owner only
sudo chmod 644 /usr/share/graylog-server/tls/public.pem # Certificate world-readable
sudo cp /usr/share/graylog-server/jvm/lib/security/cacerts /etc/graylog/graylog.jks # Start a custom truststore from the bundled JVM's CA certs
sudo chown graylog:graylog /etc/graylog/graylog.jks # Change ownership of the truststore to graylog
sudo keytool -importcert -keystore /etc/graylog/graylog.jks -storepass changeit -alias cachain -file public.pem # Import your certificate (use /usr/share/graylog-server/jvm/bin/keytool if keytool is not on PATH)
sudo nano /etc/default/graylog-server
Add the following to the first line starting with GRAYLOG_SERVER_JAVA_OPTS:
-Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks

# Default Java options for heap and garbage collection. Enable TLS custom cert.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks"

sudo nano /etc/graylog/server/server.conf
http_publish_uri = https://www.mydomain.com:9000/
http_external_uri = https://www.mydomain.com:9000/
http_enable_tls = true
http_tls_cert_file = /usr/share/graylog-server/tls/public.pem
http_tls_key_file = /usr/share/graylog-server/tls/private.key
# The passphrase you chose in the openssl pkcs8 step
http_tls_key_password = YourPassWord

-Restart Services
sudo systemctl restart mongod.service
sudo systemctl restart elasticsearch.service
sudo systemctl restart graylog-server.service

-Finally, check that all services are running
sudo systemctl --type=service --state=active | grep mongod
sudo systemctl --type=service --state=active | grep elasticsearch
sudo systemctl --type=service --state=active | grep graylog

======================================================================================================
Hope this helps.

The Java keytool command was not available on the system; install Java 17.x with apt-get.
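The conversion steps in the note above (PFX to PEM chain and PKCS#8 key) are easy to get subtly wrong: `openssl x509` silently drops all but the first chain certificate, and a key that does not match the certificate only shows up as a failed restart. The script below is an added example, written for this page and not taken from the original post or from Graylog, that does the same conversion in one function and then verifies the result (key matches the leaf, key is PKCS#8, leaf validates against the bundled CA certs) before anything is copied into /usr/share/graylog-server/tls/. The throwaway CA, leaf certificate, file names, passwords and CN are all constructed so it runs offline; for a real Let's Encrypt bundle call `pfx_to_graylog_pem` with your own .pfx instead of the demo one.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Graylog: turn a .pfx bundle into
# the two files Graylog's http_tls_* settings expect (a PEM chain and an encrypted
# PKCS#8 key) and verify them before restarting anything.
# Assumptions (hypothetical, for offline use): make_demo_pfx generates a throwaway
# CA and leaf certificate; all names, passwords and paths below are made up.
set -eu

# Keep only PEM certificate blocks: drops the "Bag Attributes" text that
# openssl pkcs12 prints and, unlike `openssl x509 -in ... -out`, keeps every cert.
pem_certs_only() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# pfx_to_graylog_pem <bundle.pfx> <pfx password> <outdir> <key passphrase>
# Writes <outdir>/public.pem (leaf first, then CA chain) and <outdir>/private.key
# (encrypted PKCS#8; the passphrase is what http_tls_key_password must be set to).
pfx_to_graylog_pem() {
  local pfx="$1" pfxpass="$2" out="$3" keypass="$4"
  mkdir -p "$out"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -clcerts -nokeys | pem_certs_only > "$out/public.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -cacerts -nokeys | pem_certs_only >> "$out/public.pem"
  # One pkcs8 step is enough, and the unencrypted key never touches the disk.
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes \
    | openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "pass:$keypass" -out "$out/private.key"
  chmod 600 "$out/private.key"   # owner read/write only, as in the how-to
  chmod 644 "$out/public.pem"
}

# verify_graylog_tls <outdir> <key passphrase>
# Returns 0 only if the key is encrypted PKCS#8, its public key matches the leaf
# certificate, and the leaf validates against the CA certs that follow it in public.pem.
verify_graylog_tls() {
  local out="$1" keypass="$2" certpub keypub f
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$out/private.key" || return 1
  certpub=$(openssl x509 -in "$out/public.pem" -noout -pubkey)            # first cert = leaf
  keypub=$(openssl pkey -in "$out/private.key" -passin "pass:$keypass" -pubout 2>/dev/null) || return 1
  [ "$certpub" = "$keypub" ] || return 1
  # Split public.pem into cert1.pem (leaf) and cert2.pem ... (chain), then verify.
  awk -v dir="$out" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/cert" n ".pem")}' "$out/public.pem"
  : > "$out/chain.pem"
  for f in "$out"/cert*.pem; do
    if [ "$f" != "$out/cert1.pem" ]; then cat "$f" >> "$out/chain.pem"; fi
  done
  [ -s "$out/chain.pem" ] || return 1                                     # bundle carried no CA certs
  # -partial_chain accepts a bundle whose last cert is an intermediate rather than a root.
  openssl verify -partial_chain -CAfile "$out/chain.pem" "$out/cert1.pem" >/dev/null 2>&1
}

# make_demo_pfx <dir> <pfx password>: constructed throwaway CA + leaf, exported as
# <dir>/demo.pfx with the CA cert included, the way a certbot fullchain export is.
make_demo_pfx() {
  local dir="$1" pfxpass="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=graylog.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -set_serial 4242 -days 1 -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/leaf.pem" -inkey "$dir/leaf.key" -certfile "$dir/ca.pem" \
    -passout "pass:$pfxpass" -out "$dir/demo.pfx"
}

# demo: end-to-end run on the constructed bundle.
demo() {
  local work
  work=$(mktemp -d)
  make_demo_pfx "$work" 'pfx-secret'
  pfx_to_graylog_pem "$work/demo.pfx" 'pfx-secret' "$work/tls" 'key-secret'
  verify_graylog_tls "$work/tls" 'key-secret' || { echo "FAILED: $work/tls"; return 1; }
  echo "OK: $work/tls/public.pem and $work/tls/private.key verified"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash tls-prep.sh demo` to see the whole flow on the constructed bundle; for a real certificate, source the file and call `pfx_to_graylog_pem your.pfx 'pfx password' ./out 'key passphrase'` followed by `verify_graylog_tls ./out 'key passphrase'`, then copy `out/public.pem` and `out/private.key` into /usr/share/graylog-server/tls/ and put the key passphrase in `http_tls_key_password`. The truststore import is unchanged from the note above; if `keytool` is not on PATH, the JVM that Graylog bundles under /usr/share/graylog-server/jvm (the same tree the note copies `cacerts` from) also ships it in its bin/ directory.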
