Issues with reverse DNS and picky certs


#1

Hi! I’m having issues getting graylog to use DNS to resolve hostnames. The error message is as follows:

2018-08-02T21:15:17.270-04:00 WARN [ProxiedResource] Unable to call https://XXX.XXX.XXX.XXX:9000/api/system/metrics/multiple on node <31861ddf-05a5-434f-8d19-dc00e3c33d9a>
javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX.XXX.XXX.XXX not verified:

Everything else seems to work fine. The cert our organization uses is a wildcard that only allows the form of *.cs.universityname.edu which raises the SSLPeerUnverifiedException as it cannot use the cert to validate IPs. Our DNS is also configured to correctly point the IP graylog tries to use to a hostname of the correct form.

I noticed there is a way to specify alt_names such as IPs with self-signed certs, but we would strongly prefer to use the cert we already have for our dept.

EDIT: I created a self-signed cert with the alt_names filled in with the server’s IP address and added it to the trust store. It works fine. I still would greatly prefer to use our cert signed by a legitimate CA. Those things aren’t cheap. :stuck_out_tongue:

Thank you.


(Jan Doberstein) #2

When your Graylog configuration contains IP addresses you could tell Graylog to use the hostname for the API connection:

The endpoint is the Graylog API
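The error in the first post and the advice in the reply both come down to how a TLS client matches the peer it connected to against a certificate's subject alternative names: a hostname is matched against dNSName entries (where a single left-most `*` covers exactly one label), while an IP literal is matched only against iPAddress entries, so a `*.cs.universityname.edu` wildcard can never validate a connection made to a bare IP, however correctly reverse DNS resolves it. The following is an added example (not code from the thread or from Graylog) that implements those RFC 6125 matching rules over a minimal stand-in for a certificate's SAN list, to show which peers each kind of cert accepts. The `Cert` class, the `192.0.2.10` address and the `graylog1` hostname are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for the subjectAltName section of an X.509 certificate.

    Only the two SAN types that matter for peer verification are modelled:
    dNSName entries (may carry one wildcard label) and iPAddress entries.
    """
    dns_names: list[str] = field(default_factory=list)
    ip_addresses: list[str] = field(default_factory=list)


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 section 6.4.3 matching of one dNSName pattern against a hostname.

    A wildcard is accepted only as the entire left-most label, it matches exactly
    one label, and it is refused for very short names such as '*.edu'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans more than one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False  # refuse wildcards that would cover a whole TLD
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards like 'gray*.cs.example' are not accepted
    return p_labels == h_labels


def peer_matches(cert: Cert, peer: str) -> bool:
    """Return True if the peer the client connected to is covered by the cert."""
    try:
        ip = ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # Connected to an IP literal: only iPAddress SANs are consulted; dNSName
        # entries (including wildcards) are never matched against an IP.
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    # Connected to a hostname: match against dNSName entries.
    return any(_dns_name_matches(p, peer) for p in cert.dns_names)


def explain(cert: Cert, peer: str) -> str:
    """Human-readable verdict in the style of the SSLPeerUnverifiedException text."""
    if peer_matches(cert, peer):
        return f"Hostname {peer} verified"
    try:
        ipaddress.ip_address(peer.strip("[]"))
        why = "peer is an IP literal, cert has no matching iPAddress SAN"
    except ValueError:
        why = "no dNSName SAN matches"
    return f"Hostname {peer} not verified: {why}"


# Constructed certs mirroring the two certs discussed in the thread.
WILDCARD_CA_CERT = Cert(dns_names=["*.cs.universityname.edu"])
SELF_SIGNED_CERT = Cert(
    dns_names=["graylog1.cs.universityname.edu"],  # constructed hostname
    ip_addresses=["192.0.2.10"],  # constructed TEST-NET address
)

if __name__ == "__main__":
    for cert_name, cert in (("wildcard", WILDCARD_CA_CERT), ("self-signed", SELF_SIGNED_CERT)):
        for peer in ("192.0.2.10", "graylog1.cs.universityname.edu", "cs.universityname.edu"):
            print(f"{cert_name:12s} {explain(cert, peer)}")
```

Run against the constructed certs, the wildcard cert rejects the IP literal and the bare `cs.universityname.edu` name but accepts `graylog1.cs.universityname.edu`, while the self-signed cert accepts the IP only because it carries an explicit iPAddress SAN. That is why publishing the node's hostname rather than its IP in the Graylog configuration is the path that keeps the CA-issued wildcard cert usable.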


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.