I followed the Debian guide to install Graylog on a fresh install of Stretch. Then I spent about a day trying to get my openssl CA-signed cert and key in a format that wouldn’t crash the JerseyService. I think at the end it didn’t like that the key was encrypted or that the key/cert didn’t have PEM as its file extension (even though it was in the X509/PKCS#8 w/ PEM format).
Now I’m running into a problem of what to actually put in the server.conf. The config wants a web_listen_uri and rest_listen_uri, which if I put https://FQDN:9000, the server refuses the connection. So I put https://PUBLIC_IP:9000/ which works, but of course is now a problem since the TLS certificate uses the FQDN. I’ve got it working with web and API listen URI pointing to the public IP, and web_endpoint_uri pointing to FQDN, but when I look at the Graylog logs, it’s full of the following errors:
2018-10-19T15:42:51.830-04:00 WARN [ProxiedResource] Unable to call https://10.70.1.207:9000/api/system/metrics/multiple on node <1dfb3f03-fe6e-4cb2-8036-edabaec6c414>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
which I think is going back to the fact that the TLS cert uses the FQDN, but IDK.
IMHO it seems like the config should ask what ports/IP the Web and API should listen on, and it should ask for the hostname and domain name for them and assemble what it needs out of that.