I’m having real issues installing a cert signed by our internal CA. Try as I might, I cannot get Graylog to accept the key. Here are the exact steps I’m taking. We don’t have any issues installing certs on all our other servers, so I’m stumped as to what I’m missing here.
- cd /etc/graylog/server
- sudo nano openssl-graylog.cnf
- Copy the config from here: https://docs.graylog.org/en/3.2/pages/configuration/https.html & customise to my reqs.
- sudo openssl req -new -newkey rsa:2048 -sha256 -nodes -out cert-request.csr -keyout graylog.mydomain.net-key.pem -config openssl-graylog.cnf
- sudo cat cert-request.csr
- Copy CSR
- Sign cert-request.csr on CA and download certificate chain as BASE64
- Open the new-cert.p7b cert and copy it to the clipboard
- sudo nano graylog.inexsys.net.p7b
- Paste cert into new file and save it
- sudo openssl pkcs7 -print_certs -in graylog.mydomain.net.p7b -out graylog.mydomain.net-cert.pem
- Point /etc/graylog/server/server.cfg to the cert & key locations:
```
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/graylog.mydomain.net-cert.pem
http_tls_key_file = /etc/graylog/server/graylog.mydomain.net-key.pem
```
I’ve tried every conceivable way to get this to work but every time, the logs read:
```
2020-05-31T02:41:05.160+01:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/graylog/server/graylog.mydomain.net-key.pem
    at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_252]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_252]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_252]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_252]
    at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
    at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
    at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
    at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
    at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
    at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:178) [graylog.jar:?]
    at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
```
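
A check for the two conditions the error above names (key file missing, or not readable by the account running the server), plus the key's PEM format, which Graylog's HTTPS documentation requires to be PKCS#8. This is an added example, not part of the original post; the service account name `graylog` and the script name `check_key.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Run it as the account the server runs under;
# the account name "graylog" and the script name are assumptions:
#   sudo -u graylog sh check_key.sh /etc/graylog/server/graylog.mydomain.net-key.pem

# Returns 0 usable, 1 missing, 2 unreadable, 3 PKCS#1, 4 encrypted, 5 no key header.
check_tls_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing: $key is not a regular file"
        return 1
    fi
    if [ ! -r "$key" ]; then
        # Typical after "sudo openssl req ... -keyout": owner root, mode 0600.
        echo "unreadable by $(id -un): $(ls -ld "$key")"
        return 2
    fi
    # Strip CRs so a file pasted from a Windows clipboard is still classified.
    header=$(tr -d '\r' < "$key" | grep -m1 -e '-----BEGIN')
    case $header in
        '-----BEGIN PRIVATE KEY-----') ;;
        '-----BEGIN RSA PRIVATE KEY-----')
            echo "PKCS#1 key; convert with: openssl pkcs8 -topk8 -nocrypt -in OLD -out NEW"
            return 3 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo "encrypted PKCS#8 key; the server needs the key password"
            return 4 ;;
        *)
            echo "no PEM private key header in $key"
            return 5 ;;
    esac
    # Fix access by changing the owner or group, not by opening the mode.
    case $(ls -lL "$key" | cut -c8) in
        r) echo "usable, but world-readable: restrict to the service account" ;;
        *) echo "usable: unencrypted PKCS#8, readable by $(id -un)" ;;
    esac
    return 0
}

# Check the file named on the command line, if any.
if [ $# -gt 0 ]; then
    check_tls_key "$1"
fi
```

The result depends on who runs it: the same file can return 0 under `sudo` as root and 2 under the service account.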