Java - certification issue


(David Papay) #1

Hello,
Our Graylog is running behind Loadbalancer on two nodes.
The trusted certificate we bought is linked to Loadbalancer’s hostname/IP.
The certificate was imported on Loadbalancer + both Graylog nodes.
The HTTPS connection works well (thanks to web_endpoint_uri=https://Loadbalancer:9000/api), but due to some Java issues inputs don’t work in Graylog.
I imported the plain-text certificate into the JVM trust store (cacerts file), and also set Graylog to use it:
GRAYLOG_SERVER_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64/jre/lib/security/cacerts"
But Graylog still doesn’t work correctly:

2017-05-30T12:08:18.946+02:00 WARN [ProxiedResource] Unable to call https://FirstNodeHostname:9000/api/system/inputstates on node
javax.net.ssl.SSLPeerUnverifiedException: Hostname FirstNodeHostname not verified:

2017-05-30T12:23:49.920+02:00 WARN [ProxiedResource] Unable to call https://FirstNodeHostname:9000/api/system/metrics/multiple on node
javax.net.ssl.SSLPeerUnverifiedException: Hostname FirstNodeHostname not verified:

The same also for SecondNodeHostname

Can you help me solve this problem, please?
Thanks in advance.


(Jan Doberstein) #2

Your certificate in Graylog is not valid, because you have one for Loadbalancer (as you have written) and not for FirstNodeHostname. That is the reason the cert is not able to be verified.


(David Papay) #3

Thanks for the information, Jan, I thought so.
If we buy one certificate which will contain the Common Name (Loadbalancer’s hostname) and two Subject Alternative Names (SANs) (both Graylog hostnames), will it work correctly, please?


(Jan Doberstein) #4

That should work, yes.
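
An added example (not part of the original thread, and not Graylog's or Java's own code): a small Python model of the kind of hostname check behind the `SSLPeerUnverifiedException` above, assuming RFC 6125 rules in which dNSName SANs take precedence and the Common Name is consulted only when the certificate carries no SANs. The certificate dictionaries and helper names are constructed from the hostnames in the thread; the result shows why the load balancer's name should be listed among the SANs together with both node names.

```python
# Added example: RFC 6125-style hostname verification over constructed
# certificate data. No real certificate is parsed; "cn" and "san_dns" are
# hypothetical field names chosen for this illustration.

def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive comparison of one presented name with the host.
    A '*' is honoured only as the entire left-most label of a name that
    has at least three labels (so '*.com' never matches)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def hostname_verified(cert: dict, host: str) -> bool:
    """dNSName SANs are authoritative; the CN is a fallback used only
    when the certificate has no SAN entries at all."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(_name_match(n, host) for n in names)

# Constructed certificates using the hostnames from the thread.
DEPLOYED = {"cn": "Loadbalancer", "san_dns": []}
CN_PLUS_NODE_SANS = {"cn": "Loadbalancer",
                     "san_dns": ["FirstNodeHostname", "SecondNodeHostname"]}
ALL_NAMES_IN_SAN = {"cn": "Loadbalancer",
                    "san_dns": ["Loadbalancer", "FirstNodeHostname",
                                "SecondNodeHostname"]}

HOSTS = ["Loadbalancer", "FirstNodeHostname", "SecondNodeHostname"]

def report(cert: dict) -> dict:
    """Verification result for every hostname a client connects to."""
    return {h: hostname_verified(cert, h) for h in HOSTS}

if __name__ == "__main__":
    for label, cert in [("deployed", DEPLOYED),
                        ("CN + node SANs", CN_PLUS_NODE_SANS),
                        ("all names in SAN", ALL_NAMES_IN_SAN)]:
        print(f"{label:18} {report(cert)}")
```
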

