(tkruiz2005) #1


One question: we have a cluster with two servers with the following IPs

The exposed certificate is

On the front end we log in without problems, but when we select the Nodes option we see the following error: Hostname not verified:

The steps that we follow are based on

my docker-compose for the server


  rest_transport_uri =

for the server


  rest_transport_uri =

Can you help me solve the problem?

(Jochen) #2

There are multiple issues with your configuration.

First, rest_transport_uri has to be the URI to the Graylog REST API of each node, not some load-balanced host name.

Second, if you wanted to override rest_transport_uri with an environment variable (which you did with rest_listen_uri and web_listen_uri), you’d need to use the name GRAYLOG_REST_TRANSPORT_URI, as described at

And last but not least, you should use web_endpoint_uri and not rest_transport_uri to specify the URI of the Graylog REST API used by the Graylog web interface, see

(tkruiz2005) #3

Excellent. I have configured it in the following way on one server


and on the other server


Both servers have TLS enabled with their respective certificates.


The error that I get in the console is the following:

2018-05-18 11:46:49,972 WARN: - Unable to call on node <c7e5ba25-834a-4dbf-9304-435cc1efaba8>
graylog_1 | Hostname not verified:
graylog_1 | certificate: sha256/qWK94WyCTuxpOmCNSOGiJ6J0BRXFervMVxUnuOQxfAI=
graylog_1 | DN: CN=, OU=TI, O=Production, L=Federal Capital, ST=Buenos Aires, C=AR
graylog_1 | subjectAltNames: []

I understand that the certificate CN = does not match the server.

How should the certificate be generated?

Can you indicate the IP in the certificate?

(Jochen) #4

Please refer to

Also remember to add your self-signed certificate to the JVM trust store. Otherwise, Graylog won’t be able to verify the TLS connection.

And finally, web_endpoint_uri specifies the URI of the Graylog REST API used by the Graylog web interface. Are you sure this shouldn’t be in both cases?

Do you even need to secure the communication between the Graylog nodes with TLS (HTTPS) or would it be sufficient to put a reverse proxy in front of Graylog which terminates TLS connections?

(tkruiz2005) #5

Indeed, the API must listen on


and the web interface on

The certificate is installed in the JVM trust store.

The problem is that, configured this way, it does not monitor each node. I paste the image

I need to monitor each node, that is, the IP

(tkruiz2005) #6

Could it be that the problem is how the nodes appear in front of the cluster?

api/system/cluster/nodes returns


Can this be the problem?

(Jochen) #7

So, what’s the complete configuration of these Graylog nodes now?

(tkruiz2005) #8

On both servers the configuration was like this



  GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
  GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem

  GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
  GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem

only the address changes

(Jochen) #9

To quote myself from an earlier post in this topic:

(tkruiz2005) #10

Exactly. I understand that when listening through HTTPS I will need a certificate for each node to resolve the IP of each server.

To avoid generating so many certificates, I installed nginx (yum install rh-nginx18) so that it works as a reverse proxy

   server {
        listen 443 ssl;

        ssl on;
        ssl_certificate cert.pem;
        ssl_certificate_key mykey.pem;
        ssl_trusted_certificate cert.pem;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        }

        location /api/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

I installed nginx on a new node to test =

It does not establish a connection on port 443.

Should we set some other variable in nginx, for example for TLS?

(Jochen) #11

I don’t see any of the IP addresses of the Graylog nodes in your nginx configuration…

(tkruiz2005) #12

Jochen, it has already been solved.

Each node was listening on port 443, with GRAYLOG_REST_TRANSPORT_URI enabled to use the metrics.

The solution consisted in having the certificate include all the alternative IPs that make up the farm.

That same certificate is registered in the JVM of each node.

One point that I think is worth checking in the documentation is that openssl with the configured file openssl-graylog.cnf did not generate the SAN, something I checked on the site

Modifying the value x509_extensions to req_extensions made it work correctly.

Thank you very much for everything, very good product.
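The certificate generation described in this post, and the question in #3 about putting the node IP in the certificate, as an added example that is not from the thread or from the Graylog documentation: the script sets both x509_extensions and req_extensions to the same section so the SAN is emitted whether the certificate is self-signed directly or produced via a CSR, converts the key to the PKCS#8 file Graylog expects, and then checks which IPs the certificate actually covers. The host name and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed certificate whose SAN
# lists every node IP of the farm, convert the key to PKCS#8 for Graylog, and
# check which IPs the certificate covers. Names and 192.0.2.x IPs are placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# x509_extensions is read by "openssl req -x509", req_extensions when a CSR is
# signed separately; pointing both at v3_req yields the SAN on either path.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl-graylog.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = AR
ST = Buenos Aires
O = Production
CN = graylog.example.internal
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = graylog.example.internal
IP.1 = 192.0.2.10
IP.2 = 192.0.2.11
EOF
}
# Self-signed cert plus the PKCS#8 key file the thread refers to (pkcs8-plain.pem).
generate_cert() {
  write_openssl_cnf
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config "$WORKDIR/openssl-graylog.cnf" \
    -keyout "$WORKDIR/pkcs5-plain.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$WORKDIR/pkcs5-plain.pem" -out "$WORKDIR/pkcs8-plain.pem"
}
# Prints the SAN entries of the generated certificate, one per line.
cert_sans() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}
# Succeeds only if the SAN lists the given IP, which is what the JVM checks
# when one Graylog node calls another over HTTPS by IP address.
cert_covers_ip() {
  cert_sans | grep -qxF "IP Address:$1"
}
```

Run generate_cert, then cert_covers_ip with each node address; an address that the SAN does not list fails the check exactly as the "Hostname not verified" error above reports it.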
