javax.net.ssl.SSLPeerUnverifiedException


(tkruiz2005) #1

Hello,

One question: we have a cluster with two servers with the following IPs

10.75.160.59
10.75.160.60

The exposed certificate is logprod.com.ar.

At the front end we log in without problems, but when we select the Nodes option we see the following error:

javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.75.160.59 not verified:

The steps we followed are based on

http://docs.graylog.org/en/2.4/pages/configuration/https.html

My docker-compose for the server 10.75.160.59:

  GRAYLOG_REST_LISTEN_URI: https://10.75.160.59:443/api/
  GRAYLOG_WEB_LISTEN_URI: https://10.75.160.59:443/

  rest_transport_uri = https://logprod.com.ar:443/api/

For the server 10.75.160.60:

  GRAYLOG_REST_LISTEN_URI: https://10.75.160.60:443/api/
  GRAYLOG_WEB_LISTEN_URI: https://10.75.160.60:443/

  rest_transport_uri = https://logprod.com.ar:443/api/

Can you help me solve the problem?


(Jochen) #2

There are multiple issues with your configuration.

First, rest_transport_uri has to be the URI to the Graylog REST API of each node, not some load-balanced host name.

Second, if you wanted to override rest_transport_uri with an environment variable (which you did with rest_listen_uri and web_listen_uri), you’d need to use the name GRAYLOG_REST_TRANSPORT_URI, as described at https://github.com/Graylog2/graylog-docker/tree/2.4.4-1#configuration.

And last but not least, you should use web_endpoint_uri and not rest_transport_uri to specify the URI of the Graylog REST API used by the Graylog web interface, see http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html.
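Putting the three points together, as an added example that is neither the poster's compose file nor Graylog's documentation: the environment block for the node at 10.75.160.59, with the setting the thread started with and the corrected one side by side. The image tag, the `graylog` service name and the certificate paths are assumptions; the IPs, host name and variable names are the ones from this thread.

```yaml
# Node 10.75.160.59. The 10.75.160.60 node is identical except for the
# three lines that carry this node's own IP address.
services:
  graylog:
    image: graylog/graylog:2.4.4-1        # assumed tag
    environment:
      # Bind addresses of this node (port 443 as in the thread; 9000 is Graylog's default).
      GRAYLOG_REST_LISTEN_URI: https://10.75.160.59:443/api/
      GRAYLOG_WEB_LISTEN_URI: https://10.75.160.59:443/

      # WRONG: a load-balanced name makes every node advertise the same address,
      # so a node proxying /api/system/metrics/multiple cannot reach a specific peer.
      # GRAYLOG_REST_TRANSPORT_URI: https://logprod.com.ar:443/api/
      # RIGHT: the URI other nodes use to reach *this* node. TLS hostname
      # verification is done against this host, so the certificate must carry
      # IP:10.75.160.59 (and IP:10.75.160.60 on the other node) as a SAN entry.
      GRAYLOG_REST_TRANSPORT_URI: https://10.75.160.59:443/api/

      # The URI the browser uses for the REST API. This one may be the shared
      # name, and it is web_endpoint_uri, not rest_transport_uri, that carries it.
      GRAYLOG_WEB_ENDPOINT_URI: https://logprod.com.ar:443/api/

      GRAYLOG_REST_ENABLE_TLS: 'true'
      GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem        # assumed paths
      GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
      GRAYLOG_WEB_ENABLE_TLS: 'true'
      GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
      GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
```

A bare `rest_transport_uri = ...` line inside a compose file is not read by the container; only the `GRAYLOG_`-prefixed environment variables are.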


(tkruiz2005) #3

Excellent. I have configured it in the following way on one server:

  GRAYLOG_REST_LISTEN_URI: http://10.75.160.59:443/api/
  GRAYLOG_WEB_LISTEN_URI: http://10.75.160.59:443/
  GRAYLOG_WEB_ENDPOINT_URI: https://10.75.160.59:443/api/

and on the other server:

  GRAYLOG_REST_LISTEN_URI: http://10.75.160.60:443/api/
  GRAYLOG_WEB_LISTEN_URI: http://10.75.160.60:443/
  GRAYLOG_WEB_ENDPOINT_URI: https://10.75.160.60:443/api/

Both servers have TLS enabled with their respective certificates:

  GRAYLOG_REST_ENABLE_TLS: 'TRUE'
  GRAYLOG_WEB_ENABLE_TLS: 'TRUE'

The error it gives me in the console is the following:

2018-05-18 11:46:49,972 WARN: org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.75.160.60/api/system/metrics/multiple on node <c7e5ba25-834a-4dbf-9304-435cc1efaba8>
graylog_1 | javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.75.160.60 not verified:
graylog_1 | certificate: sha256/qWK94WyCTuxpOmCNSOGiJ6J0BRXFervMVxUnuOQxfAI=
graylog_1 | DN: CN=logprod.com.ar, OU=TI, O=Production, L=Federal Capital, ST=Buenos Aires, C=AR
graylog_1 | subjectAltNames: []

I understand that the CN=logprod.com.ar certificate does not match the server.

How should the certificate be generated?

Can you indicate the IP in the certificate?


(Jochen) #4

Please refer to http://docs.graylog.org/en/2.4/pages/configuration/https.html#creating-a-self-signed-private-key-certificate

Also remember to add your self-signed certificate to the JVM trust store. Otherwise, Graylog won’t be able to verify the TLS connection.

And finally, web_endpoint_uri specifies the URI of the Graylog REST API used by the Graylog web interface. Are you sure this shouldn’t be https://logprod.com.ar:9000/api/ in both cases?

Do you even need to secure the communication between the Graylog nodes with TLS (HTTPS) or would it be sufficient to put a reverse proxy in front of Graylog which terminates TLS connections?


(tkruiz2005) #5

Indeed, the API must listen on

GRAYLOG_WEB_ENDPOINT_URI: https://logprod.com.ar:443/api/

and the web interface on

https://logprod.com.ar:443

The certificate is installed in the JVM trust store.

The problem is that, configured in this way, it does not monitor each node. I paste the image:

I need to monitor each node, that is, the IPs

10.75.160.59
10.75.160.60


(tkruiz2005) #6

Could it be that the problem is how the nodes appear in front of the cluster?

api/system/cluster/nodes returns:

{"nodes": [
  {"cluster_id": "d4aa0318-6470-401c-be5f-0a5fdf1c4a0a", "node_id": "5e78c613-2be3-4cfe-af9d-3158db3ce4fb", "type": "server", "transport_address": "https://logprod.com.ar:443/api/", "last_seen": "2018-05-18T16:59:38.000Z", "short_node_id": "5e78c613", "hostname": "logprod.com.ar", "is_master": false},
  {"cluster_id": "d4aa0318-6470-401c-be5f-0a5fdf1c4a0a", "node_id": "aa394970-c0e6-4d97-8d4c-d07bcc905a42", "type": "server", "transport_address": "https://logprod.com.ar:443/api/", "last_seen": "2018-05-18T16:59:38.000Z", "short_node_id": "aa394970", "hostname": "logprod.com.ar", "is_master": true}
 ],
 "total": 2}

Can this be the problem?


(Jochen) #7

So, what’s the complete configuration of these Graylog nodes now?


(tkruiz2005) #8

On both servers the configuration was like this:

  GRAYLOG_REST_LISTEN_URI: http://0.0.0.0:443/api/
  GRAYLOG_WEB_LISTEN_URI: http://0.0.0.0:443/

  GRAYLOG_WEB_ENDPOINT_URI: https://logprod.com.ar:443/api/
  GRAYLOG_REST_TRANSPORT_URI: https://logprod.com.ar:443/api/
  GRAYLOG_REST_ENABLE_CORS: 'FALSE'

  GRAYLOG_REST_ENABLE_TLS: 'TRUE'
  GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
  GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
  GRAYLOG_REST_TLS_KEY_PASSWORD: desa

  GRAYLOG_WEB_ENABLE_TLS: 'TRUE'
  GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
  GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
  GRAYLOG_WEB_TLS_KEY_PASSWORD: desa

I only changed the address to 0.0.0.0.


(Jochen) #9

To quote myself from an earlier post in this topic:


(tkruiz2005) #10

Exactly. I understand that when listening over HTTPS I will need a certificate for each node to resolve the IP of each server.

To avoid generating so many certificates I installed nginx (yum install rh-nginx18) so that it works as a reverse proxy:

    server {
        listen 443 ssl;
        server_name logprod.com.ar;

        ssl on;
        ssl_certificate cert.pem;
        ssl_certificate_key mykey.pem;
        ssl_trusted_certificate cert.pem;

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL https://$server_name/api;
            proxy_pass http://10.75.160.68:80;
        }

        location /api/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://10.75.160.68:80;
        }
    }

I installed nginx on a new node for testing: 10.75.160.68

It does not establish a connection on port 443.

Should we set some other variable in nginx, for example for TLS?
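For comparison, the reverse-proxy layout Jochen suggested in #4, written out as an added example (not the poster's file and not Graylog's documentation). It assumes TLS terminates on the nginx host 10.75.160.68, that both Graylog nodes listen on plain HTTP on port 9000 (rest_listen_uri and web_listen_uri set to http://0.0.0.0:9000/, TLS disabled on the nodes), and that the certificate and key live under /etc/nginx/ssl/; the host name and node IPs are the thread's.

```nginx
# Both Graylog nodes as upstreams; nginx spreads browser requests over them.
upstream graylog_nodes {
    server 10.75.160.59:9000;
    server 10.75.160.60:9000;
}

server {
    listen 443 ssl;
    server_name logprod.com.ar;

    # Certificate for the public name only; the node IPs never appear in TLS
    # here, so the cert does not need IP SAN entries for this layout.
    ssl_certificate     /etc/nginx/ssl/cert.pem;      # assumed path
    ssl_certificate_key /etc/nginx/ssl/mykey.pem;     # assumed path
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Graylog 2.x reads this header to learn the public URI of its REST API,
        # so web_endpoint_uri does not need to be set on the nodes.
        proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        proxy_pass http://graylog_nodes;
    }
}

# Redirect plain HTTP so nothing reaches the proxy in the clear by accident.
server {
    listen 80;
    server_name logprod.com.ar;
    return 301 https://$host$request_uri;
}
```

On each node rest_transport_uri stays that node's own http://10.75.160.5x:9000/api/, so node-to-node calls (the metrics proxying that failed above) still go directly to the peer. The trade-off is that traffic from nginx to the nodes and between the nodes is plaintext; that is only acceptable on a network segment you control, otherwise keep TLS on the nodes and issue a certificate covering each node's IP.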


(Jochen) #11

I don’t see any of the IP addresses of the Graylog nodes in your nginx configuration…


(tkruiz2005) #12

Jochen, it has already been solved.

Each node was listening on port 443, with GRAYLOG_REST_TRANSPORT_URI enabled to use the metrics.

The solution consisted in having the certificate with all the alternative IPs that make up the farm.

That same certificate is registered in the JVM of each node.

One thing I think is worth looking at in the documentation http://docs.graylog.org/en/2.4/pages/configuration/https.html

is that openssl with the configured file openssl-graylog.cnf did not generate the SAN, which I checked on the site https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

I changed the value x509_extensions to req_extensions and it worked correctly.

Thank you very much for everything, very good product.
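The fix described in this last post, and the answer to the question in #3 ("Can you indicate the IP in the certificate?"), as an added, runnable example that is neither the poster's commands nor the openssl-graylog.cnf from the Graylog docs: generate a self-signed certificate whose subjectAltName carries the shared DNS name plus the IP of every node, and check the SAN before deploying it, since a certificate with only CN=logprod.com.ar can never pass verification for a connection made to 10.75.160.59. It assumes OpenSSL 1.1 or newer on the PATH (for `-verify_ip`), a POSIX shell, and file names under a temporary directory; subject fields, host name and IPs are the thread's.

```sh
#!/bin/sh
# Added example: self-signed cert with DNS + IP SAN entries, plus the checks
# that would have caught the missing SAN early. File names are assumptions.
set -u

WORKDIR=$(mktemp -d)

# Config with the SAN in v3_req. The command below names that section with
# `-extensions v3_req` explicitly, so the SAN is emitted no matter whether
# the file points at it via x509_extensions or req_extensions.
write_san_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
C  = AR
ST = Buenos Aires
L  = Federal Capital
O  = Production
OU = TI
CN = logprod.com.ar

[v3_req]
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = logprod.com.ar
IP.1  = 10.75.160.59
IP.2  = 10.75.160.60
EOF
}

# Same subject, no extensions: the CN-only shape seen in the error message.
write_cn_only_config() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nC = AR\nO = Production\nCN = logprod.com.ar\n' > "$1"
}

# gen_cert <dir>: key + self-signed cert with SAN, key re-exported as
# unencrypted PKCS#8, which is what Graylog's *_tls_key_file expects.
gen_cert() {
    write_san_config "$1/openssl-graylog.cnf"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -sha256 \
        -config "$1/openssl-graylog.cnf" -extensions v3_req \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$1/key.pem" -out "$1/pkcs8-plain.pem"
}

# gen_cn_only_cert <dir>: the failing case, for comparison.
gen_cn_only_cert() {
    write_cn_only_config "$1/cn-only.cnf"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -sha256 \
        -config "$1/cn-only.cnf" -keyout "$1/cn-only.key" -out "$1/cn-only.pem" 2>/dev/null
}

# cert_sans <cert>: the SAN line of the certificate, empty if it has none.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# verify_ip <cert> <ip>: the same identity check a TLS client performs for a
# connection to an IP address; exit 0 only if the cert covers that IP.
# The self-signed cert is used as its own trust anchor (-CAfile).
verify_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

gen_cert "$WORKDIR"
gen_cn_only_cert "$WORKDIR"
echo "SAN cert     : $(cert_sans "$WORKDIR/cert.pem")"
echo "CN-only cert : '$(cert_sans "$WORKDIR/cn-only.pem")'"
for ip in 10.75.160.59 10.75.160.60; do
    verify_ip "$WORKDIR/cert.pem"    "$ip" && echo "$ip: covered by SAN cert"
    verify_ip "$WORKDIR/cn-only.pem" "$ip" || echo "$ip: NOT covered by CN-only cert"
done
echo "files in $WORKDIR: cert.pem pkcs8-plain.pem"
```

Copy cert.pem and pkcs8-plain.pem into each node's config directory, and import cert.pem into each node's JVM trust store (for example `keytool -importcert -noprompt -alias graylog-self-signed -file cert.pem -keystore <path to cacerts> -storepass changeit`), otherwise the nodes will present the certificate but refuse to trust each other. Re-run `cert_sans` on the final file whenever the config or the openssl command changes: the one-line check is cheaper than a restart that ends in SSLPeerUnverifiedException.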


(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.