al3x
October 19, 2017, 10:43am
1
Hi,
I have a problem setting up graylog with https. After enabling https in the server.conf the JerseyService won’t start.
Error message:
ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
I strictly followed the graylog documentation
http://docs.graylog.org/en/2.3/pages/configuration/https.html
http://docs.graylog.org/en/2.3/pages/configuration/web_interface.html#configuring-webif-nginx
When I disable https in the server.conf everything works fine.
I already checked some of the following articles, but with no success:
Hello,
I contact you because I have a problem with Apache.
When I use Apache without http it works correctly, but when it passes to http the following error appears:
Proxy Error
The proxy server received an invalid
response from an upstream server.
The proxy server could not handle the request GET /.
Reason: Error reading from remote server
Apache/2.4.10 (Debian) Server at graylog.services.cordonweb.com Port 443
Except (Off) I connect well with the address to inform in "RequestHeader"
T…
Hello,
I am creating a new graylog cluster with elasticsearch and mongodb. Both elasticsearch and mongodb look to be working fine, but I'm running into the error below. I can’t determine what is the source of the error, since all I found is Service JerseyService [FAILED], and I did not find any resources online that explain what that service is.
Any advice would be much appreciated
mongo-3.2
graylog- 2.3
elasticsearch 5.5
2017-08-31T21:28:04.629Z INFO [CmdLineTool] Loaded plugin: Elast…
opened 03:48PM - 28 Aug 16 UTC
closed 07:43PM - 28 Sep 16 UTC
to-verify
I'm not sure if it's a graylog issue…
## Expected Behavior
When I place a pkc… s8 file and a (self-signed) certificate on the system and specify the path to those files correctly for an input, I'd expect that an acceptor is created.
## Current Behavior
When starting the input it fails:
```
2016-08-28T17:41:49.671+02:00 INFO [AbstractTcpTransport] Enabled TLS for input [Syslog TCP/57a61059239dfd04c6eea408]. key-file="/etc/pki/tls/private/example.com-graylog.pkcs8" cert-file="/etc/pki/tls/certs/example.com-graylog.crt"
2016-08-28T17:41:49.672+02:00 INFO [InputStateListener] Input [Syslog TCP/57a61059239dfd04c6eea408] is now STARTING
2016-08-28T17:41:49.675+02:00 INFO [InputStateListener] Input [Syslog TCP/57a61059239dfd04c6eea408] is now RUNNING
2016-08-28T17:41:52.135+02:00 WARN [AbstractNioSelector] Failed to initialize an accepted socket.
java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49)
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[?:1.8.0_101]
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1804) ~[?:1.8.0_101]
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_101]
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:471) ~[?:1.8.0_101]
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356) ~[?:1.8.0_101]
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_101]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:90) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:100) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:73) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:199) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_101]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_101]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_101]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_101]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_101]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:356) ~[?:1.8.0_101]
at sun.security.x509.CertificateAlgorithmId.<init>(CertificateAlgorithmId.java:79) ~[?:1.8.0_101]
at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:646) ~[?:1.8.0_101]
at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167) ~[?:1.8.0_101]
... 21 more
```
## Steps to Reproduce (for bugs)
```
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source: <empty>
port: 6514
recv_buffer_size:
store_full_message: false
tcp_keepalive: false
tls_cert_file: /etc/pki/tls/certs/example.com-graylog.crt
tls_client_auth: required
tls_client_auth_cert_file: /etc/pki/tls/graylog-client-certs
tls_enable: true
tls_key_file: /etc/pki/tls/private/example.com-graylog.pkcs8
tls_key_password: ********
use_null_delimiter: false
```
## Context
I created a key by invoking the following commands:
```
# openssl req -nodes -newkey rsa:4096 -keyout /etc/pki/tls/private/example.com-graylog.key -out /etc/pki/tls/certs/example.com-graylog.csr -subj "/C=DE/ST=NRW/L=Dortmund/O=ACME/OU=Example Unit/CN=example.com"
# openssl pkcs8 -topk8 -in /etc/pki/tls/private/example.com-graylog.key -inform pem -out /etc/pki/tls/private/example.com-graylog.pkcs8 -outform pem -nocrypt
# chown graylog.root /etc/pki/tls/private/example.com-graylog.pkcs8
```
The certificate was created using XCA.
```
Owner: CN=example.com, OU=Example Unit, O=ACME, L=Dortmund, ST=NRW, C=DE
Issuer: EMAILADDRESS=mail@example.com, CN=ACME CA, OU=ACME CA, O=ACME, L=Dortmund, ST=NRW, C=DE
Serial number: 1a
Valid from: Sun Aug 28 02:00:00 CEST 2016 until: Sat Aug 28 01:59:59 CEST 2021
Certificate fingerprints:
MD5: A7:72:35:23:D4:DF:E3:DD:F0:24:28:B3:C7:82:6C:53
SHA1: 3B:E5:B7:E1:1E:AD:60:2C:A4:F3:4D:0F:1D:6A:A0:1D:6E:DC:70:52
SHA256: 00:F4:A3:99:44:F1:BA:40:0C:9B:94:36:9D:09:1F:AB:B0:96:E7:BA:E8:99:A0:70:A6:52:24:E0:74:7B:FB:FD
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 44 5E 4E 7D FF 20 0A 3E 0E 31 D8 58 C0 9F 15 6B D^N.. .>.1.X...k
0010: 36 D7 27 11 6.'.
]
[EMAILADDRESS=mail@example.com, CN=ACME CA, OU=ACME CA, O=ACME, L=Dortmund, ST=NRW, C=DE]
SerialNumber: [ 01]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ED 84 96 6A 67 7B 1C 3C 02 9B 11 FB BF 75 34 8B ...jg..<.....u4.
0010: 5B FA F2 41 [..A
]
]
```
## Your Environment
- Graylog Version: Graylog 2.0.3 (f07c170), Oracle Corporation 1.8.0_101
- Operating System: CentOS 7 Linux 3.10.0-327.28.2.el7.x86_64
We have a problem with our setup getting it to work with https.
As soon as we configure this in the server.conf and enable tls, the server isn't starting and the webpage isn't shown anymore.
When we uncomment the sections mentioning the tls / certificates it is working again.
SETUP:
Graylog 2.2.3 server with MongoDB running on Ubuntu 16.04 LTS.
Elasticsearch: 2.4.5, Ubuntu 16.04 LTS.
Network:
Graylog = 10.201.1.16
Elasticsearch = 10.201.1.21
CONFIG:
Graylog:
is_master = true
rest_listen_…
Single node setup running on Debian 9:
server.conf:
```
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = XXX
root_password_sha2 = XXX
plugin_dir = /usr/share/graylog-server/plugin
# I also tried the IP of the host
rest_listen_uri = https://127.0.0.1:9000/api/
rest_transport_uri = https://server.domain.com:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
rest_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
rest_tls_key_password = XXX
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
# I also tried the IP of the host
web_listen_uri = https://127.0.0.1:9000/
web_endpoint_uri = https://server.domain.com/api/
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
web_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
web_tls_key_password = XXX
```
Apache config:
```
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerName server.domain.com
    ProxyRequests Off
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLProxyEngine on
    SSLProxyProtocol all -SSLv3
    SSLCertificateFile /etc/graylog/server/cert/graylog-certificate.pem
    SSLCertificateKeyFile /etc/graylog/server/cert/graylog-key-plain.pem
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    <Location />
      RequestHeader set X-Graylog-Server-URL "https://server.domain.com/api/"
      ProxyPass https://server.domain.com:9000/
      ProxyPassReverse https://server.domain.com:9000/
    </Location>
  </VirtualHost>
</IfModule>
```
I hope anybody can help me.
Cheers
Alex
jochen
(Jochen)
October 19, 2017, 1:37pm
2
Looks like you’re using a format for the private key or the certificate not supported by Graylog.
If you’re using Apache httpd as a reverse proxy in front of Graylog, you don’t necessarily need to enable HTTPS in Graylog (if you can trust your internal network or if Apache httpd and Graylog run on the same machine).
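Jochen's diagnosis above is that the key or the certificate is in a format Graylog does not parse. The Java error actually names the DER tag the parser hit: 48 (0x30) is SEQUENCE and 49 (0x31) is SET, so it found a nested structure where it expected an algorithm OID. The script below is an added diagnostic, not part of this thread and not Graylog code: it reads a PEM file and names the ASN.1 container it holds (PKCS#8 PrivateKeyInfo, encrypted PKCS#8, PKCS#1 RSAPrivateKey, X.509 Certificate, PKCS#7 bundle), so a mismatch can be spotted before restarting the server. It assumes, as the linked HTTPS docs and the `openssl pkcs8 -topk8` step in the quoted issue suggest, that Graylog expects a PKCS#8 PEM key and a plain PEM certificate; the sample inputs are constructed containers with dummy contents, not real keys or certificates.

```python
"""Classify PEM key/certificate files by their DER structure (added diagnostic)."""
import base64
import re

# Universal DER tags; "tag = 48" / "tag = 49" in the Java error are SEQUENCE / SET.
TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID = 0x02, 0x03, 0x04, 0x06
TAG_SEQUENCE, TAG_SET = 0x30, 0x31


def der_read(buf, pos=0):
    """Read one TLV element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return [(tag, value), ...] for the elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def pem_decode(text):
    """Return (label, der_bytes) of the first PEM block, or raise ValueError."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found (DER, PFX or empty file?)")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def classify_der(der):
    """Name the container from the child tags of the outer SEQUENCE."""
    tag, value, _ = der_read(der)
    if tag != TAG_SEQUENCE:
        return f"not a SEQUENCE (outer tag = {tag})"
    tags = [t for t, _ in der_children(value)]
    if tags[:3] == [TAG_INTEGER, TAG_SEQUENCE, TAG_OCTET_STRING]:
        return "PKCS#8 PrivateKeyInfo"            # version, AlgorithmIdentifier, key
    if tags == [TAG_SEQUENCE, TAG_OCTET_STRING]:
        return "PKCS#8 EncryptedPrivateKeyInfo"   # AlgorithmIdentifier, ciphertext
    if len(tags) >= 9 and set(tags[:9]) == {TAG_INTEGER}:
        return "PKCS#1 RSAPrivateKey"             # version, n, e, d, p, q, dp, dq, qinv
    if tags == [TAG_SEQUENCE, TAG_SEQUENCE, TAG_BIT_STRING]:
        return "X.509 Certificate"                # tbsCertificate, sigAlg, signature
    if tags[:1] == [TAG_OID]:
        return "PKCS#7/CMS ContentInfo"           # bundle, not a bare certificate
    return f"unrecognised SEQUENCE with child tags {tags}"


def check_pair(key_pem, cert_pem):
    """Return (ok, findings). Assumption: Graylog wants a PKCS#8 PEM key
    (plain or encrypted) and a bare X.509 PEM certificate."""
    findings, ok = [], True
    label, der = pem_decode(key_pem)
    kind = classify_der(der)
    findings.append(f"key: '{label}' holds {kind}")
    if not kind.startswith("PKCS#8"):
        ok = False
        findings.append("key is not PKCS#8; convert: openssl pkcs8 -topk8 -in key.pem -out key.pkcs8")
    label, der = pem_decode(cert_pem)
    kind = classify_der(der)
    findings.append(f"cert: '{label}' holds {kind}")
    if kind != "X.509 Certificate":
        ok = False
        findings.append("cert is not a bare X.509 certificate; export: openssl x509 -in cert -out cert.pem")
    return ok, findings


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed samples: structurally valid containers with dummy contents (not real keys).
_RSA_ALGID = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
_INT0 = der_encode(TAG_INTEGER, b"\x00")
_OCTETS = der_encode(TAG_OCTET_STRING, b"\x00" * 8)
SAMPLE_PKCS8 = pem_encode("PRIVATE KEY", der_encode(TAG_SEQUENCE, _INT0 + _RSA_ALGID + _OCTETS))
SAMPLE_ENC_PKCS8 = pem_encode("ENCRYPTED PRIVATE KEY", der_encode(TAG_SEQUENCE, _RSA_ALGID + _OCTETS))
SAMPLE_PKCS1 = pem_encode("RSA PRIVATE KEY", der_encode(TAG_SEQUENCE, _INT0 * 9))
SAMPLE_CERT = pem_encode("CERTIFICATE", der_encode(TAG_SEQUENCE,
                         der_encode(TAG_SEQUENCE, _INT0) + _RSA_ALGID + der_encode(TAG_BIT_STRING, b"\x00")))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # python check_pem.py key.pem cert.pem
        key_pem, cert_pem = (open(p).read() for p in sys.argv[1:3])
    else:                                  # demo on the constructed samples
        key_pem, cert_pem = SAMPLE_PKCS1, SAMPLE_CERT
    ok, findings = check_pair(key_pem, cert_pem)
    print("\n".join(findings))
    print("OK" if ok else "NOT OK")
```

Run it against the files named in `rest_tls_key_file` and `rest_tls_cert_file`; a key reported as PKCS#1 or a certificate reported as a PKCS#7 bundle is the kind of mismatch that produces the "data isn't an object ID" error while the same files work fine in Apache, which accepts all of those formats.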
al3x
October 19, 2017, 2:07pm
3
Hi Jochen,
First I tried a self-signed certificate as described in the documentation, “Creating a self-signed private key/certificate”
(http://docs.graylog.org/en/2.3/pages/configuration/https.html )
Afterwards I issued a certificate from my internal Microsoft CA and followed the instructions “Converting a PKCS #12 (PFX) file to private key and certificate pair” ( http://docs.graylog.org/en/2.3/pages/configuration/https.html )
I get the same error in both cases. I think at least the self-signed certificate should be in a format supported by graylog.
OK, I updated my apache and graylog configuration. In my graylog server.conf everything runs on http.
I also changed ProxyPass and ProxyPassReverse to http in my apache config.
Now it works.
Thank you
system
(system)
Closed
November 2, 2017, 2:11pm
4
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.