JerseyService won't start after enabling https


#1

Hi,
I have a problem setting up graylog with https. After enabling https in the server.conf the JerseyService won’t start.
Error message:

ERROR [ServiceManager] Service JerseyService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)

I strictly followed the graylog documentation
http://docs.graylog.org/en/2.3/pages/configuration/https.html
http://docs.graylog.org/en/2.3/pages/configuration/web_interface.html#configuring-webif-nginx

When I disable https in the server.conf everything works fine.

I already checked some of the following articles, but with no success:



https://github.com/Graylog2/graylog2-server/issues/2752

Single node setup running on Debian 9:
server.conf:

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = XXX
root_password_sha2 = XXX
plugin_dir = /usr/share/graylog-server/plugin    
# I also tried the IP of the host
rest_listen_uri = https://127.0.0.1:9000/api/ 
rest_transport_uri = https://server.domain.com:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
rest_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
rest_tls_key_password = XXX
trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
# I also tried the IP of the host
web_listen_uri = https://127.0.0.1:9000/
web_endpoint_uri = https://server.domain.com/api/
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
web_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
web_tls_key_password = XXX

Apache config:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerName server.domain.com
    ProxyRequests Off

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLProxyEngine on
    SSLProxyProtocol all -SSLv3
    SSLCertificateFile    /etc/graylog/server/cert/graylog-certificate.pem
    SSLCertificateKeyFile /etc/graylog/server/cert/graylog-key-plain.pem

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        RequestHeader set X-Graylog-Server-URL "https://server.domain.com/api/"
        ProxyPass https://server.domain.com:9000/
        ProxyPassReverse https://server.domain.com:9000/
    </Location>
  </VirtualHost>
</IfModule>

I hope anybody can help me.

Cheers
Alex


(Jochen) #2

Looks like you’re using a format for the private key or the certificate not supported by Graylog.

If you’re using Apache httpd as a reverse proxy in front of Graylog, you don’t necessarily need to enable HTTPS in Graylog (if you can trust your internal network or if Apache httpd and Graylog run on the same machine).
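
An added example, not part of the thread or of Graylog's code: one way to check which private-key format a PEM file holds before pointing `rest_tls_key_file` at it. It assumes, beyond what the thread states, that the server wants a PKCS#8 key and that a Java 8 runtime fails on PBES2-encrypted PKCS#8 keys with this kind of `ObjectIdentifier` error; `classify_key` and the sample bytes are constructed for illustration.

```python
import base64
import re

PBES2_OID = "1.2.840.113549.1.5.13"  # id-PBES2 (PKCS #5 v2)

# Constructed sample: EncryptedPrivateKeyInfo skeleton with dummy ciphertext, not a real key.
_DER = bytes.fromhex("3015300d06092a864886f70d01050d3000040400000000")
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              + base64.b64encode(_DER).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def classify_key(pem_text):
    """Return (description, encryption_scheme_oid_or_None) for a PEM private key."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return ("not PEM", None)
    label, body = m.group(1), m.group(2)
    if label == "PRIVATE KEY":
        return ("PKCS#8 unencrypted", None)
    if label != "ENCRYPTED PRIVATE KEY":
        return ("not PKCS#8: " + label, None)  # e.g. RSA PRIVATE KEY is PKCS#1
    der = base64.b64decode("".join(body.split()))
    t1, s1, _ = _tlv(der, 0)    # EncryptedPrivateKeyInfo SEQUENCE
    t2, s2, _ = _tlv(der, s1)   # encryptionAlgorithm SEQUENCE
    t3, s3, e3 = _tlv(der, s2)  # algorithm OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected structure for EncryptedPrivateKeyInfo")
    oid = _oid(der[s3:e3])
    kind = "PBES2" if oid == PBES2_OID else "other scheme"
    return ("PKCS#8 encrypted, " + kind, oid)
```

Run it against the file named in `rest_tls_key_file` and `web_tls_key_file`; a PBES2 result or a non-PKCS#8 label points at the key format rather than at the Graylog or Apache configuration.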


#3

Hi Jochen,

First I tried a self-signed certificate as described in the documentation, “Creating a self-signed private key/certificate”
(http://docs.graylog.org/en/2.3/pages/configuration/https.html)

Afterwards I issued a certificate from my internal Microsoft CA and followed the instructions “Converting a PKCS #12 (PFX) file to private key and certificate pair” ( http://docs.graylog.org/en/2.3/pages/configuration/https.html)

I get the same error in both cases. I think at least the self-signed certificate should be in a format supported by Graylog.

OK, I updated my Apache and Graylog configuration. In my Graylog server.conf everything runs on HTTP.
I also changed ProxyPass and ProxyPassReverse to http in my apache config.

Now it works.

Thank you

