Java - certification issue

Hello,
Our Graylog is running behind a load balancer on two nodes.
The purchased trusted certificate is linked to the Loadbalancer’s hostname/IP.
The certificate was imported on the Loadbalancer and both Graylog nodes.
The HTTPS connection works well (thanks to web_endpoint_uri=https://Loadbalancer:9000/api), but due to some Java issues, inputs don’t work in Graylog.
I imported the plain-text certificate into the JVM trust store (cacerts file), and also set Graylog to use it:
GRAYLOG_SERVER_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64/jre/lib/security/cacerts"
But Graylog still doesn’t work correctly:

2017-05-30T12:08:18.946+02:00 WARN [ProxiedResource] Unable to call https://FirstNodeHostname:9000/api/system/inputstates on node
javax.net.ssl.SSLPeerUnverifiedException: Hostname FirstNodeHostname not verified:

2017-05-30T12:23:49.920+02:00 WARN [ProxiedResource] Unable to call https://FirstNodeHostname:9000/api/system/metrics/multiple on node
javax.net.ssl.SSLPeerUnverifiedException: Hostname FirstNodeHostname not verified:

The same also applies to SecondNodeHostname.

Can you please help me solve this problem?
Thanks in advance.

Your certificate in Graylog is not valid, because you have one for Loadbalancer (as you have written) and not for FirstNodeHostname. That is the reason the cert is not able to be verified.

Thanks for the information, Jan, I thought so.
If we buy one certificate which will contain a Common Name (Loadbalancer’s hostname) and two Subject Alternative Names (SANs) (both Graylog hostnames), will it work correctly, please?

That should work, yes.
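
Added example (not part of the original thread and not Graylog's code): a simplified Python model of RFC 6125 hostname verification, run over three constructed certificates for the hostnames used in this thread. It shows why the node-to-node API calls fail with a load-balancer-only certificate, and that the load balancer's name has to be listed as a SAN as well, because the CN is ignored once DNS SANs are present. The helper names and certificate dicts are assumptions made for illustration.

```python
# Added example: simplified model of RFC 6125 hostname verification.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert();
# every certificate below is constructed for illustration.

def _label_match(pattern, host):
    """Match one DNS name; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:        # wildcard covers exactly one label
        return p[1:] == h[1:]
    return p == h


def hostname_verified(cert, host):
    """True if the certificate is valid for `host`."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:                               # DNS SANs present: the CN is ignored
        return any(_label_match(s, host) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    # Legacy fallback for certificates without SANs; some clients skip it.
    return any(_label_match(c, host) for c in cns)


def make_cert(cn, sans):
    """Build a constructed certificate dict with the given CN and DNS SANs."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}


NAMES = ["Loadbalancer", "FirstNodeHostname", "SecondNodeHostname"]
CERTS = {
    "current (load balancer only)": make_cert("Loadbalancer", ["Loadbalancer"]),
    "CN=LB, SANs=nodes only": make_cert("Loadbalancer", NAMES[1:]),
    "CN=LB, SANs=LB + nodes": make_cert("Loadbalancer", NAMES),
}


def coverage(cert):
    """Map each hostname from the thread to whether the certificate covers it."""
    return {name: hostname_verified(cert, name) for name in NAMES}


if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(label, coverage(cert))
```

Only the third certificate verifies for all three names; the second one covers both nodes but no longer matches the load balancer.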
