SSL cert installation on 3.2 OVA

I’m having real issues installing a cert signed by our internal CA. Try as I might, I cannot get Graylog to accept the key. Here are the exact steps I’m taking. We don’t have any issues installing certs on all our other servers, so I’m stumped as to what I’m missing here.

  1. cd /etc/graylog/server
  2. sudo nano openssl-graylog.cnf
  3. Copy the config from here: https://docs.graylog.org/en/3.2/pages/configuration/https.html & customise to my reqs.
  4. sudo openssl req -new -newkey rsa:2048 -sha256 -nodes -out cert-request.csr -keyout graylog.mydomain.net-key.pem -config openssl-graylog.cnf
  5. sudo cat cert-request.csr
  6. Copy CSR
  7. Sign cert-request.csr on CA and download certificate chain as BASE64
  8. Open the new-cert.p7b cert and copy it to the clipboard
  9. sudo nano graylog.inexsys.net.p7b
  10. Paste cert into new file and save it
  11. sudo openssl pkcs7 -print_certs -in graylog.mydomain.net.p7b -out graylog.mydomain.net-cert.pem
  12. Point /etc/graylog/server/server.cfg to the cert & key locations:

http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/graylog.mydomain.net-cert.pem
http_tls_key_file = /etc/graylog/server/graylog.mydomain.net-key.pem

I’ve tried every conceivable way to get this to work, but every time the logs read:

2020-05-31T02:41:05.160+01:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/graylog/server/graylog.mydomain.net-key.pem
        at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_252]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_252]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_252]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_252]
        at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
        at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:178) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
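The validation that throws "Unreadable or missing HTTP private key" runs as the Graylog service user before the server starts, so the questions to answer first are whether the two files named in server.conf exist, whether that user can read them (the file mode and every directory on the path), and whether they are the PEM blocks Graylog expects. The script below is an added example written for this thread; it is not code from the original post or from the Graylog project. It assumes the config path /etc/graylog/server/server.conf and a service user named graylog as defaults, and the PKCS#8 hint for keys is a recommendation taken from Graylog's HTTPS documentation, not something the validator in the stack trace is known to enforce.

```shell
#!/bin/sh
# Added example (not from the thread or from Graylog): a preflight check for
# the http_tls_* settings in a Graylog server.conf. It reproduces the conditions
# behind "Unreadable or missing HTTP private key": the key and cert files must
# exist, be readable by the service user, and contain the expected PEM blocks.
# Assumptions: the config lives at /etc/graylog/server/server.conf and the
# service user is "graylog" (both are only defaults here).

# conf_get FILE KEY -> prints the value of KEY from a "key = value" file,
# ignoring commented-out lines and using the last definition if repeated.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# pem_has FILE LABEL -> 0 if FILE has a "-----BEGIN ...LABEL" line
pem_has() {
    grep -q "^-----BEGIN .*$2" "$1" 2>/dev/null
}

# check_tls_files CONF [USER] -> 0 if the cert and key are present, readable
# and look like PEM; prints one line per problem found.
check_tls_files() {
    conf=$1; user=${2:-graylog}; rc=0
    if [ "$(conf_get "$conf" http_enable_tls)" != "true" ]; then
        echo "http_enable_tls is not true in $conf; nothing to check"
        return 0
    fi
    cert=$(conf_get "$conf" http_tls_cert_file)
    key=$(conf_get "$conf" http_tls_key_file)
    # Graylog reads the files as its own service user; when we are root and
    # that user exists, test readability as that user rather than as ourselves.
    as_user=0
    if [ "$(id -u)" -eq 0 ] && id -u "$user" >/dev/null 2>&1; then as_user=1; fi
    for f in "$cert" "$key"; do
        if [ -z "$f" ]; then echo "http_tls_cert_file or http_tls_key_file is unset"; rc=1; continue; fi
        if [ ! -f "$f" ]; then echo "missing: $f"; rc=1; continue; fi
        if [ "$as_user" -eq 1 ]; then
            # test -r as the service user also covers +x on every parent directory
            su -s /bin/sh "$user" -c "test -r '$f'" || { echo "not readable by $user: $f"; rc=1; }
        elif [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    pem_has "$cert" CERTIFICATE || { echo "no PEM certificate block in $cert"; rc=1; }
    if pem_has "$key" ENCRYPTED || grep -q 'Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "key is encrypted; Graylog needs an unencrypted key (openssl req -nodes)"; rc=1
    elif ! pem_has "$key" "PRIVATE KEY"; then
        echo "no PEM private key block in $key"; rc=1
    elif pem_has "$key" "RSA PRIVATE KEY"; then
        # Assumption: Graylog's docs recommend PKCS#8; warn rather than fail.
        echo "warning: PKCS#1 key; if rejected, convert with: openssl pkcs8 -topk8 -nocrypt -in $key"
    fi
    return "$rc"
}

# check_key_matches_cert CONF -> 0 if the key belongs to the (first) cert,
# 1 if not or unparsable, 2 if openssl is unavailable. Compares the public key
# embedded in the certificate with the one derived from the private key.
check_key_matches_cert() {
    conf=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping key/cert match"; return 2; }
    cert=$(conf_get "$conf" http_tls_cert_file)
    key=$(conf_get "$conf" http_tls_key_file)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse certificate $cert"; return 1; }
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse private key $key"; return 1; }
    if [ "$cpub" = "$kpub" ]; then echo "key matches certificate"; return 0; fi
    echo "key does NOT match certificate"; return 1
}

# Usage: sh tls-preflight.sh [/etc/graylog/server/server.conf] [graylog]
if [ "$#" -gt 0 ]; then
    check_tls_files "$1" "${2:-graylog}" && check_key_matches_cert "$1"
fi
```

Run it as root on the OVA so the readability test is done as the graylog user; a pass here with the server still failing points at the key or certificate contents rather than at file permissions, which is what the key/cert match check then narrows down. The match check reads only the first certificate in the file, so the server certificate must precede the chain certificates.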

Could it be as simple as file permissions on the key? Remember the graylog user will need to be able to read it.

Already covered that before posting! At the point of having nothing left to try, I 777’ed it.

graylog@graylog:~$ ls -la /etc/graylog/server/
total 61452
drwxr-xr-x 2 root root     4096 May 31 15:48 .
drwxr-xr-x 3 root root     4096 Mar 19 19:16 ..
-rwxrwxrwx 1 root root 62749402 May 31 15:48 GeoLite2-City.mmdb
-rw-r--r-- 1 root root     2008 Mar 19 18:56 log4j2.xml
-rw-r--r-- 1 root root       37 Mar 19 19:16 node-id
-rw-r--r-- 1 root root     1565 May 31 01:52 openssl.cfg
-rw-r--r-- 1 root root      580 May 31 02:28 openssl-graylog.cnf
-rw-r--r-- 1 root root    33895 May 31 12:43 server.conf
graylog@graylog:~$

Am I crazy or are the graylog.mydomain.net-cert.pem and graylog.mydomain.net-key.pem files not in the directory output you posted?

You’re not crazy! I removed them when they continually failed, to revert back to HTTP. Didn’t think of that when I posted my directory contents on this thread.
