Is HTTPS/TLS possible with a CA signed certificate?


#1

I followed the Debian guide to install graylog on a fresh install of Stretch. Then I spent about a day trying to get my openssl CA signed cert and key in a format that wouldn’t crash the JerseyService. I think at the end it didn’t like that the key was encrypted or that the key/cert didn’t have PEM as its file extension (even though it was in the X509/PKCS#8 with PEM format).

Now I’m running into a problem of what to actually put in the server.conf. The config wants a web_listen_uri and rest_listen_uri, which if I put https://FQDN:9000, the server refuses the connection. So I put https://PUBLIC_IP:9000/ which works, but of course is now a problem since the TLS certificate uses the FQDN. I’ve got it working with web and api listen URI pointing to the public IP, and web_endpoint_uri pointing to FQDN, but when I look at the graylog logs, it’s full of the following errors:

2018-10-19T15:42:51.830-04:00 WARN [ProxiedResource] Unable to call https://10.70.1.207:9000/api/system/metrics/multiple on node <1dfb3f03-fe6e-4cb2-8036-edabaec6c414>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

which I think is going back to the fact that the TLS cert uses the FQDN, but IDK.

IMHO it seems like the config should ask what ports/IP should the Web and API listen on, and it should ask hostname and domain name for them and assemble what it needs out of that.


(Jan Doberstein) #2

Have you seen this part of the documentation?

http://docs.graylog.org/en/2.4/pages/secure/sec_graylog_beats.html


#3

I read through that documentation and github ext files. I re-issued my key and cert files with the same key usage, etc. as the ext file. Didn’t fix the warnings.

So I tried changing the URIs for everything to what you see below:
web_listen_uri = https://10.x.x.x:9000/
web_endpoint_uri = https://graylog.domain.local:9000/api/
rest_listen_uri = https://10.x.x.x:9000/api/
rest_transport_uri = https://graylog.domain.local:9000/api/

I can access the web interface like before, but I’m getting new, different warnings/errors in /var/log/graylog-server/server.log:

2018-10-22T13:27:46.820-04:00 WARN [ProxiedResource] Unable to call https://graylog.domain.local:9000/api/system/metrics/multiple on node <1dfb3f03-fe6e-4cb2-8036-edabaec6c414>
java.net.ConnectException: Failed to connect to graylog.domain.local/127.0.1.1:9000
    at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:240) ~[graylog.jar:?]
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:158) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]

IDK where that 127.0.1.1:9000 is coming from. I can’t find it anywhere in the server.conf.


#4

Well, I figured it out, I think. Debian during install adds the hostname and FQDN to the /etc/hosts file as
127.0.1.1 graylog.domain.local graylog

For whatever reason this causes issues with parts of the API. Removing those entries fixes the problem, but what problems are going to arise from removing it?

Again, I think this could have been fixed by requiring hostname and domain name so you know when you are pointing to yourself. I created a case on github that I will update with my findings.
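The failure mode described in this thread (rest_transport_uri names the FQDN, Debian's /etc/hosts maps that FQDN to 127.0.1.1, but Graylog only binds the 10.x address, so node-to-node API calls get connection refused) can be caught before restarting the service. The following checker is an added example, not code from the thread or from Graylog; the server.conf excerpt, the /etc/hosts content and the certificate name set are constructed to mirror the posts above, and the function names are my own.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample input mirroring the thread (not the poster's real files).
SERVER_CONF = """\
web_listen_uri = https://10.70.1.207:9000/
web_endpoint_uri = https://graylog.domain.local:9000/api/
rest_listen_uri = https://10.70.1.207:9000/api/
rest_transport_uri = https://graylog.domain.local:9000/api/
"""
ETC_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 graylog.domain.local graylog
"""

def parse_conf(text):
    """Parse Graylog's key = value server.conf lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_hosts(text):
    """Map each name in /etc/hosts to the first address listed for it (what the resolver returns)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name, fields[0])
    return mapping

def check_transport(conf, hosts, cert_names):
    """Return findings explaining why ProxiedResource calls to rest_transport_uri would fail."""
    findings = []
    listen = urlparse(conf["rest_listen_uri"])
    host = urlparse(conf["rest_transport_uri"]).hostname
    try:
        ipaddress.ip_address(host)  # bare IP in the transport URI?
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip and host not in cert_names:
        findings.append(f"transport host {host} is a bare IP, but the certificate only "
                        f"covers {sorted(cert_names)}: TLS hostname verification will fail")
    resolved = hosts.get(host)  # /etc/hosts wins over DNS for this name
    if resolved and listen.hostname not in ("0.0.0.0", resolved):
        findings.append(f"/etc/hosts maps {host} to {resolved} but Graylog listens on "
                        f"{listen.hostname}: expect 'Failed to connect to {host}/{resolved}:{listen.port}'")
    return findings
```

Run it against the real files with `parse_conf(open('/etc/graylog/server/server.conf').read())` and `parse_hosts(open('/etc/hosts').read())`, passing the subject names from your certificate.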


(Jan Doberstein) #5

REF: https://github.com/Graylog2/graylog2-server/issues/5232
