Just another user struggling with HTTPS

Dear community,
We have a working graylog server but using only HTTP.
I want to reconfigure it for using HTTPS only.

Environment:
Debian 11
Graylog 6.0.5
Certificates: using a wildcard with our FQDN, working for other servers; the chain is good and it is in PEM format.

Steps done:

The user with PID (graylog) can read both paths and certificates:
/etc/ssl/certs/wildcard.our.fqdn.pem
/etc/ssl/private/wildcard.our.fqdn.key

Imported certificate into /usr/share/graylog-server/jvm/lib/security/cacerts with keytool and default password.

Then changed server.conf:
http_publish_uri = https://graylog.our.fqdn:9000/
http_external_uri = https://graylog.our.fqdn:9000/
http_enable_tls = true

No password is needed to open the key.


Error: com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/ssl/private/wildcard.our.fqdn.key

I'm probably missing a little something here, but I cannot nail it.

Thanks for any hints.

Hi Motok,

An inaccessible key could be caused by wrong file permissions or wrong ownership of the .key file.

Check if the key belongs to, or is readable by, the user in whose context you are starting your graylog-server.

NB: I personally would recommend implementing HTTPS access with a reverse proxy.

Best,

Sven

Hi Motok,
Sounds like a file permission issue.

I followed the official guide which worked:
How-To Guide: Securing Graylog with TLS

Managed to find it: even though the permissions were 644 on the /etc/ssl/private/ folder, the user graylog could not read the private key.
I used sudo runuser -u graylog cat /etc/ssl/private/wildcard.our.fqdn.key to find the problem.
Thank you all for helping, the topic can be closed.
P.S. I will probably now do as Sven suggested and move to an Nginx reverse proxy for better security.
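The finding above (a directory with mode 644 that the service account still cannot get through) is the classic trap: on a directory it is the execute bit (search), not the read bit, that lets a process enter it, and every directory on the way to the key needs it. The script below is an added example, not from the original thread or from the Graylog project. It models the kernel's check along a path for an arbitrary uid and group list, so you can see which component denies access instead of just getting "Unreadable or missing HTTP private key". It assumes GNU coreutils stat (-c); the uid 65534, the scratch directory and the file names in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: compute the permission digit a uid/gid set gets on each
# path component and report the first one that denies access. Assumes GNU
# stat; BSD/macOS stat uses -f and will not work as written.

# perm_digit UID "GID GID ..." PATH
# Prints the single octal digit (0-7) that applies to uid/gids for PATH:
# owner digit if uid owns it, group digit if any gid matches, else "other".
# uid 0 gets 7 because root bypasses read/search checks (CAP_DAC_READ_SEARCH).
perm_digit() {
    pd_uid=$1; pd_gids=$2; pd_path=$3
    pd_st=$(stat -c '%u %g %a' "$pd_path" 2>/dev/null) || return 2
    pd_fuid=${pd_st%% *}
    pd_rest=${pd_st#* }
    pd_fgid=${pd_rest%% *}
    pd_mode=${pd_rest#* }
    # %a prints four digits when setuid/setgid/sticky is set; keep the low three.
    case $pd_mode in ????) pd_mode=${pd_mode#?} ;; esac
    if [ "$pd_uid" -eq 0 ]; then echo 7; return 0; fi
    if [ "$pd_uid" -eq "$pd_fuid" ]; then echo "${pd_mode%??}"; return 0; fi
    for pd_g in $pd_gids; do
        if [ "$pd_g" -eq "$pd_fgid" ]; then
            pd_m=${pd_mode#?}; echo "${pd_m%?}"; return 0
        fi
    done
    echo "${pd_mode#??}"
}

# can_read_as UID "GID GID ..." ABSOLUTE_PATH
# Walks from / down: each directory needs the search (x) bit, the final file
# needs the read (r) bit. Prints the first denying component and returns 1,
# or prints "readable: PATH" and returns 0.
can_read_as() {
    cr_uid=$1; cr_gids=$2; cr_target=$3
    case $cr_target in /*) ;; *) echo "need an absolute path: $cr_target"; return 2 ;; esac
    cr_dir=/
    cr_rest=${cr_target#/}
    while :; do
        cr_d=$(perm_digit "$cr_uid" "$cr_gids" "$cr_dir") || { echo "missing: $cr_dir"; return 1; }
        case $cr_d in
            1|3|5|7) ;;   # search bit present
            *) echo "denied: no search (x) permission on directory $cr_dir (digit $cr_d)"; return 1 ;;
        esac
        case $cr_rest in
            */*) cr_comp=${cr_rest%%/*}; cr_rest=${cr_rest#*/} ;;
            *) break ;;
        esac
        if [ "$cr_dir" = / ]; then cr_dir=/$cr_comp; else cr_dir=$cr_dir/$cr_comp; fi
    done
    if [ "$cr_dir" = / ]; then cr_file=/$cr_rest; else cr_file=$cr_dir/$cr_rest; fi
    cr_d=$(perm_digit "$cr_uid" "$cr_gids" "$cr_file") || { echo "missing: $cr_file"; return 1; }
    case $cr_d in
        4|5|6|7) echo "readable: $cr_file"; return 0 ;;
        *) echo "denied: no read (r) permission on $cr_file (digit $cr_d)"; return 1 ;;
    esac
}

# demo: constructed scratch tree shaped like /etc/ssl/private, checked as a
# hypothetical service account (uid/gid 65534) that does not own the files.
# Returns 0 when all three scenarios behave as expected.
demo() {
    dm_root=$(mktemp -d) || return 2
    chmod 711 "$dm_root"                      # keep the scratch root itself traversable
    dm_priv=$dm_root/private
    dm_key=$dm_priv/wildcard.example.key
    mkdir "$dm_priv" && : > "$dm_key" || { rm -rf "$dm_root"; return 2; }
    chmod 640 "$dm_key"
    dm_gid=$(stat -c %g "$dm_key")
    dm_ok=0
    # 1) the thread's situation: directory 644 has r but no x -> cannot be entered
    chmod 644 "$dm_priv"
    can_read_as 65534 65534 "$dm_key" && dm_ok=1
    # 2) Debian ssl-cert layout: directory 710, key 640, user not in the group -> denied
    chmod 710 "$dm_priv"
    can_read_as 65534 65534 "$dm_key" && dm_ok=1
    # 3) same layout, service user added to the owning group -> readable
    can_read_as 65534 "65534 $dm_gid" "$dm_key" || dm_ok=1
    rm -rf "$dm_root"
    return $dm_ok
}
```

On the real host you would run it for the actual account, e.g. `can_read_as "$(id -u graylog)" "$(id -G graylog)" /etc/ssl/private/wildcard.our.fqdn.key`; the output names the directory or file that blocks the read, which is what `runuser -u graylog cat ...` tells you only indirectly. Scenario 3 is the least-privilege fix on Debian: leave /etc/ssl/private at 710 root:ssl-cert and the key at 640, and add the service user to the ssl-cert group rather than opening the directory to everyone.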
