Inputs not working after SSL enabled

1. Describe your incident:

We’ve followed: https://docs.graylog.org/v1/docs/https

We’ve imported certificates and enabled the SSL.
We can connect to graylog with HTTPS.
But the Inputs don’t start,
with this error in the log:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2. Describe your environment:
Ubuntu Server 20.04 LTS

  • Package Version:
    4.2.5+59802bf

  • Service logs, configurations, and environment variables:

[ProxiedResource] Unable to call https://mydomain.net:9000/api/system/inputstates on node : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Are we missing something?

Thanks for your help.

Hello,

Ensure the certificates used on the INPUT are accessible to Graylog.

In the example below, for testing purposes, I use the Graylog directory, since it’s owned by Graylog.

[root@graylog graylog]# pwd
/etc/graylog
[root@graylog graylog]# ls -al
total 48K
drwxrwxrwx.   4 graylog           graylog           4.0K Feb  7 22:45 .
drwxr-xr-x. 125 root              root              8.0K Apr  8 18:49 ..
drwxr-xr-x.   2 graylog-forwarder graylog-forwarder   62 Jan  6 20:45 forwarder
drwxr-xr-x.   2 graylog           graylog             98 Apr 13 16:23 server
-rwxr-xr-x.   1 graylog           graylog           1.4K Dec 16  2020 cert3.pem
-rwxr-xr-x.   1 graylog           graylog           1.6K Dec 16  2020 graylog3-certificate.pem
-rwxr-xr-x.   1 graylog           graylog           1.8K Dec 16  2020 graylog3-key.pem
-rw-r--r--.   1 root              root               183 Feb  7 22:45 mongodb_ftdc.te

I have also seen this error when the wrong certificates are used and/or not accessible in the Keystore.

EDIT: This may help you understand why you’re receiving that error.

Hi,
Thanks for your help.
I’ve tried your solution. No chance.
I’ll try with a fresh new installation of Graylog.

Regards,

I’ve installed a new graylog server.
And followed: Ubuntu installation - Installing Graylog
Then enabled TLS in the conf file,
following: Using HTTPS - Configuring Graylog

Btw, I can connect to the web interface with HTTPS.

But same error with INPUTS…

WARN [ProxiedResource] Unable to call https://mydomain.net:9000/api/system/inputstates on node : PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Thanks.

Yep, I had this happen to myself. It can be frustrating. The only advice I can give you is what I showed you above. Since you are able to connect to the WEB using https://some_domain.com:9000, this kind of tells me something with the Certificates or perhaps the keystore. Need more data to know for sure.

The error occurs because the Graylog Web module (or rather, the Java runtime environment, JRE, that runs it) was not able to validate the certificate presented by the https URL’s web service. It means that the trusted root certificate store of the JRE does not contain the CA certificates that signed this service’s certificate.

Some suggestions.

Did you insert ca.pem certificate in the keystore?
Are you using the JAVA default keystore? If not, make sure it’s defined.

Showing you Graylog configuration would help also. If you do post make sure you remove personal info.

cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"

Hi, I just had this issue as well…
Inputs show failed, but ports are open and logs are coming in - Graylog - Graylog Community

You have to import your cert into the trusted store (update-ca-trust man page - ca-certificates | ManKier), but it also seems you need to use a cert for Graylog that has BOTH the URL and IP in it. (Using HTTPS - Configuring Graylog)

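The two posts above describe the same mechanism: the JRE rejects the chain when its trust store lacks the issuing CA, and the Graylog cert needs both the DNS name and the IP in its SAN. The script below is an added example, not from this thread or from Graylog, that reproduces that condition with a constructed lab CA (names such as Example Lab CA, graylog.example.test and 192.0.2.10 are made up) and checks both points with openssl alone.

```shell
# Added example, not from this thread: reproduce the "unable to find valid
# certification path" condition with a constructed lab CA and leaf cert, then
# show the same chain verifying once the issuing CA is in the trust store.
# All names (Example Lab CA, graylog.example.test, 192.0.2.10) are made up.
set -eu
WORK=$(mktemp -d)

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

make_test_pki() {
  # CA that signs the Graylog cert, plus an unrelated CA for the "wrong truststore" case
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem"
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Other CA" \
    -keyout "$WORK/other-key.pem" -out "$WORK/other-ca.pem"
  # Leaf cert whose SAN carries both the DNS name and the IP, as the linked
  # Graylog HTTPS guide requires
  q openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=graylog.example.test" \
    -keyout "$WORK/graylog-key.pem" -out "$WORK/graylog.csr"
  printf 'subjectAltName=DNS:graylog.example.test,IP:192.0.2.10\n' > "$WORK/san.cnf"
  q openssl x509 -req -in "$WORK/graylog.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/san.cnf" -out "$WORK/graylog-certificate.pem"
}

# chain_trusted CERT TRUSTFILE: succeeds only if CERT chains to a CA in TRUSTFILE
# (system CA locations are disabled so TRUSTFILE alone plays the truststore role).
# This is the check the JRE performs when Graylog proxies to its own HTTPS API;
# a failure here is what surfaces as "PKIX path building failed".
chain_trusted() {
  q openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1"
}

# san_has_dns_and_ip CERT: succeeds if the SAN lists both a DNS name and an IP address
san_has_dns_and_ip() {
  san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
  echo "$san" | grep -q 'DNS:' && echo "$san" | grep -q 'IP Address:'
}

make_test_pki
if chain_trusted "$WORK/graylog-certificate.pem" "$WORK/other-ca.pem"; then
  echo "unexpected: chain verified against a store without the issuing CA"
else
  echo "truststore lacks issuing CA -> verify fails (the PKIX condition)"
fi
chain_trusted "$WORK/graylog-certificate.pem" "$WORK/ca.pem" && echo "issuing CA trusted -> chain verifies"
san_has_dns_and_ip "$WORK/graylog-certificate.pem" && echo "SAN has DNS name and IP"
# On a Graylog host the fix is the equivalent import into the JVM truststore
# (keytool -importcert) or the OS trust store (update-ca-trust), not -CAfile.
```

Running the same two checks against the real /etc/graylog certificate files and the CA bundle the JRE actually uses tells you which of the two causes applies before touching the keystore.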

This is the server.conf file:

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = ***********************************
root_password_sha2 = **********************************
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = mydomain.net:9000
http_enable_tls = true
http_tls_cert_file = /etc/graylog/graylog-certificate.pem
http_tls_key_file = /etc/graylog/graylog-key.pem
http_tls_key_password = **********
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32

I’m using the default installation. I think it’s the default keystore.
We’re trying to use a Signed certificate. It’s a wildcard certificate *.mydomain.net

Thanks.

Hello,

Maybe try adding this line and then restarting the Graylog service:

http_publish_uri = https://mydomain.net:9000/

What certificate did you use for the Keystore?

Maybe your Linux install does not have the root and intermediate certs in the keystore. I would import them both using update-ca-trust and see if that helps.

Otherwise you might be better off following this; I used it and it worked for me:
Create your own Certificate Authority (CA) using OpenSSL - arminreiter.com

Hi,
I use a signed certificate. And I can log on to the web UI using HTTPS. Only the inputs refuse to start.

Thanks.
