Just another user struggling with HTTPS

Dear community,
We have a working graylog server but using only HTTP.
I want to reconfigure it for using HTTPS only.

Environnement :
Debian 11
Graylog 6.0.5
Certificates : using a wildcard with our FQDN, working for other servers, chain is good and using PEM format.

Steps done :

The user with PID (graylog) can read both paths and certificates :
/etc/ssl/certs/wildcard.our.fqdn.pem
/etc/ssl/private/wildcard.our.fqdn.key

Imported certificate into /usr/share/graylog-server/jvm/lib/security/cacerts with keytool and default password.

Then changed the server.conf :
http_publish_uri = httpS://graylog.our.fqdn:9000/
http_external_uri = httpS://graylog.our.fqdn:9000/
http_enable_tls = TRUE

no password is needed to open the key.


Error : com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/ssl/private/wildcard.our.fqdn.key

I’m probably missing a little something here, but i cannot nail it.

Thank for any hints.

Hi Motok,

An unaccessible key could be caused by wrong file permissions or wron ownership of the .key-file.

Check, if the key belongs to or is readable by the user in whose context you are starting your graylog-server.

NB: I personally would recommend to implement https-access with a reverse proxy.

Best,

Sven

Hi Motok
sounds like a file permission issue.

I followed the official guide which worked:
How-To Guide: Securing Graylog with TLS

Managed to find it, even if the permission was 644 on /etc/ssl/private/ folder, the user graylog could not read the private key.
I did used sudo runuser -u graylog cat /etc/ssl/private/wildcard.our.fqdn.key to find the problem.
Thank you all for helping, the topic can be closed.
P.S. I will prob now do as Sven suggested, move to an Nginx reverse proxy for better security.