Hello,
One question: we have a cluster with two servers with the following IPs:
10.75.160.59
10.75.160.60
The exposed certificate is for logprod.com.ar.
On the front end we log in without problems, but when we select the Nodes option we see the following error:
javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.75.160.59 not verified:
The steps we followed are based on
http://docs.graylog.org/en/2.4/pages/configuration/https.html
My docker-compose for the server 10.75.160.59:
GRAYLOG_REST_LISTEN_URI: https://10.75.160.59:443/api/
GRAYLOG_WEB_LISTEN_URI: https://10.75.160.59:443/
rest_transport_uri = https://logprod.com.ar:443/api/
For the server 10.75.160.60:
GRAYLOG_REST_LISTEN_URI: https://10.75.160.60:443/api/
GRAYLOG_WEB_LISTEN_URI: https://10.75.160.60:443/
rest_transport_uri = https://logprod.com.ar:443/api/
Can you help me solve the problem?
jochen (Jochen), May 18, 2018, 7:34am
There are multiple issues with your configuration.
First, rest_transport_uri has to be the URI to the Graylog REST API of each node, not some load-balanced host name.
Second, if you wanted to override rest_transport_uri with an environment variable (which you did with rest_listen_uri and web_listen_uri), you’d need to use the name GRAYLOG_REST_TRANSPORT_URI, as described at https://github.com/Graylog2/graylog-docker/tree/2.4.4-1#configuration .
And last but not least, you should use web_endpoint_uri and not rest_transport_uri to specify the URI of the Graylog REST API used by the Graylog web interface, see http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html .
Excellent. I have configured it in the following way on one server:
GRAYLOG_REST_LISTEN_URI: http://10.75.160.59:443/api/
GRAYLOG_WEB_LISTEN_URI: http://10.75.160.59:443/
GRAYLOG_WEB_ENDPOINT_URI: https://10.75.160.59:443/api/
and on the other server:
GRAYLOG_REST_LISTEN_URI: http://10.75.160.60:443/api/
GRAYLOG_WEB_LISTEN_URI: http://10.75.160.60:443/
GRAYLOG_WEB_ENDPOINT_URI: https://10.75.160.60:443/api/
Both servers have TLS enabled with their respective certificates:
GRAYLOG_REST_ENABLE_TLS: 'TRUE'
GRAYLOG_WEB_ENABLE_TLS: 'TRUE'
The error it gives me in the console is the following:
2018-05-18 11:46:49,972 WARN: org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://10.75.160.60/api/system/metrics/multiple on node <c7e5ba25-834a-4dbf-9304-435cc1efaba8>
graylog_1 | javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.75.160.60 not verified:
graylog_1 | certificate: sha256/qWK94WyCTuxpOmCNSOGiJ6J0BRXFervMVxUnuOQxfAI=
graylog_1 | DN: CN=logprod.com.ar, OU=TI, O=Production, L=Federal Capital, ST=Buenos Aires, C=AR
graylog_1 | subjectAltNames: []
I understand that the certificate with CN=logprod.com.ar does not match the server.
How should the certificate be generated?
Can the IP be indicated in the certificate?
jochen (Jochen), May 18, 2018, 12:36pm
tkruiz2005:
I understand that the certificate with CN=logprod.com.ar does not match the server.
How should the certificate be generated?
Can the IP be indicated in the certificate?
Please refer to http://docs.graylog.org/en/2.4/pages/configuration/https.html#creating-a-self-signed-private-key-certificate
Also remember to add your self-signed certificate to the JVM trust store. Otherwise, Graylog won’t be able to verify the TLS connection.
And finally, web_endpoint_uri specifies the URI of the Graylog REST API used by the Graylog web interface. Are you sure this shouldn’t be https://logprod.com.ar:9000/api/ in both cases?
Do you even need to secure the communication between the Graylog nodes with TLS (HTTPS) or would it be sufficient to put a reverse proxy in front of Graylog which terminates TLS connections?
Indeed, the API must listen on
GRAYLOG_WEB_ENDPOINT_URI: https://logprod.com.ar:443/api/
and the web interface on
https://logprod.com.ar:443
The certificate is installed in the JVM trust store.
The problem is that, configured this way, it does not monitor each node; I paste the image.
I need to monitor each node, that is, the IPs
10.75.160.59
10.75.160.60
Could the problem be how the nodes appear in front of the cluster?
/api/system/cluster/nodes returns:
{"nodes":[
{"cluster_id":"d4aa0318-6470-401c-be5f-0a5fdf1c4a0a","node_id":"5e78c613-2be3-4cfe-af9d-3158db3ce4fb","type":"server","transport_address":"https://logprod.com.ar:443/api/","last_seen":"2018-05-18T16:59:38.000Z","short_node_id":"5e78c613","hostname":"logprod.com.ar","is_master":false},
{"cluster_id":"d4aa0318-6470-401c-be5f-0a5fdf1c4a0a","node_id":"aa394970-c0e6-4d97-8d4c-d07bcc905a42","type":"server","transport_address":"https://logprod.com.ar:443/api/","last_seen":"2018-05-18T16:59:38.000Z","short_node_id":"aa394970","hostname":"logprod.com.ar","is_master":true}],
"total":2}
Can this be the problem?
jochen (Jochen), May 20, 2018, 5:08pm
So, what’s the complete configuration of these Graylog nodes now?
On both servers the configuration was like this:
GRAYLOG_REST_LISTEN_URI: http://0.0.0.0:443/api/
GRAYLOG_WEB_LISTEN_URI: http://0.0.0.0:443/
GRAYLOG_WEB_ENDPOINT_URI: https://logprod.com.ar:443/api/
GRAYLOG_REST_TRANSPORT_URI: https://logprod.com.ar:443/api/
GRAYLOG_REST_ENABLE_CORS: 'FALSE'
GRAYLOG_REST_ENABLE_TLS: 'TRUE'
GRAYLOG_REST_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
GRAYLOG_REST_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
GRAYLOG_REST_TLS_KEY_PASSWORD: desa
GRAYLOG_WEB_ENABLE_TLS: 'TRUE'
GRAYLOG_WEB_TLS_CERT_FILE: /usr/share/graylog/data/config/cert.pem
GRAYLOG_WEB_TLS_KEY_FILE: /usr/share/graylog/data/config/pkcs8-plain.pem
GRAYLOG_WEB_TLS_KEY_PASSWORD: desa
I only changed the address to 0.0.0.0.
jochen (Jochen), May 21, 2018, 6:49pm
To quote myself from an earlier post in this topic:
Exactly. I understand that when listening over HTTPS I will need a certificate for each node to resolve the IP of each server.
To avoid generating that many certificates, I installed nginx (yum install rh-nginx18) so that it works as a reverse proxy:
server {
    listen 443 ssl;
    server_name logprod.com.ar;
    ssl on;
    ssl_certificate cert.pem;
    ssl_certificate_key mykey.pem;
    ssl_trusted_certificate cert.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        proxy_pass http://10.75.160.68:80;
    }

    location /api/
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://10.75.160.68:80;
    }
}
I installed nginx on a new node to test it (10.75.160.68).
It does not establish a conversation on port 443.
Should we set some other variable in nginx, for example for TLS?
jochen (Jochen), May 24, 2018, 6:50am
I don’t see any of the IP addresses of the Graylog nodes in your nginx configuration…
Jochen, it has already been solved.
Each node was listening on port 443, with GRAYLOG_REST_TRANSPORT_URI enabled so the metrics work.
The solution consisted in having a certificate with all the alternative IPs that make up the farm.
That same certificate is registered in the JVM of each node.
One thing I think is worth looking at in the documentation http://docs.graylog.org/en/2.4/pages/configuration/https.html
is that openssl with the configured file openssl-graylog.cnf did not generate the SAN, something I checked on the site https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
I changed the value x509_extensions to req_extensions and it worked correctly.
Thank you very much for everything, very good product.
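The fix the thread lands on (a certificate whose SAN lists every node address, imported into each node's JVM trust store, as Jochen's earlier reply and the final post describe) is shown end to end in the following script. It is an added example, not code from Graylog or from either poster: the file names mirror the Graylog 2.4 docs (openssl-graylog.cnf, cert.pem, pkcs8-plain.pem), the DN and addresses are the ones from this thread, and the scratch directory, the helper names and the openssl/keytool invocations are this example's own. Both req_extensions and x509_extensions point at the same section, so the SAN is emitted whether the cert is self-signed with `openssl req -x509` (which reads x509_extensions) or produced as a CSR with `openssl req -new` (which reads req_extensions), which is the trap the final post ran into.

```shell
#!/bin/sh
# Added example for this thread (not code from Graylog or the posters).
# Generates a self-signed certificate whose Subject Alternative Name carries the
# load-balancer name AND both node IPs, converts the key to the PKCS#8 form the
# docker-compose above points at, and checks that the SAN really made it in.
# Assumptions: file names mirror the Graylog 2.4 docs; a scratch directory is
# created with mktemp; openssl is on PATH.
set -eu

# Write an openssl config. req_extensions (used by "openssl req -new", i.e. a
# CSR) and x509_extensions (used by "openssl req -x509", i.e. self-signing) both
# point at v3_req, so the SAN is emitted whichever path you take.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
CN = logprod.com.ar
OU = TI
O  = Production
L  = Federal Capital
ST = Buenos Aires
C  = AR

[v3_req]
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = logprod.com.ar
IP.1  = 10.75.160.59
IP.2  = 10.75.160.60
EOF
}

# Create key + self-signed cert in $1, then a PKCS#8 copy of the key
# (Graylog's rest_tls_key_file expects PKCS#8; the thread uses pkcs8-plain.pem).
gen_cert() {
  dir="$1"
  write_openssl_cnf "$dir/openssl-graylog.cnf"
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
    -config "$dir/openssl-graylog.cnf" \
    -keyout "$dir/pkcs5-plaintext.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt \
    -in "$dir/pkcs5-plaintext.pem" -out "$dir/pkcs8-plain.pem"
}

# Print the SAN entries of a certificate on one line, e.g.
# "DNS:logprod.com.ar, IP Address:10.75.160.59, IP Address:10.75.160.60".
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Exit 0 if the SAN contains the given entry (e.g. "IP Address:10.75.160.60").
# Java/OkHttp hostname verification matches an IP-literal peer only against IP
# SAN entries, never against the CN; that is the check that failed in the log
# above, where subjectAltNames was [].
san_has() {
  cert_san "$1" | grep -q -F "$2"
}

# Import the cert into the JVM trust store Graylog runs on (the command from the
# 2.4 docs, plus -noprompt). Not run here: it needs a JDK and a writable cacerts.
import_into_jvm_truststore() {
  keytool -importcert -noprompt -keystore "$1" -storepass changeit \
    -alias graylog-self-signed -file "$2"
}

demo_dir="$(mktemp -d)"
gen_cert "$demo_dir"
echo "SAN: $(cert_san "$demo_dir/cert.pem")"
```

After running it, point rest_tls_cert_file/web_tls_cert_file at cert.pem and the key files at pkcs8-plain.pem on every node, and import cert.pem into each node's JVM trust store with import_into_jvm_truststore; a node whose address is missing from the SAN will fail hostname verification exactly as in the log above, so add an IP.n line for every node in the farm before signing.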
system (system), Closed, June 14, 2018, 11:45pm
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.