Letsencrypt + Graylog TLS setup error

nshah14285 · December 20, 2017, 6:38am

Getting below error when try to enable rest_enable_tls = true and web_enable_tls = true.

Private key file exists at /etc/letsencrypt/live/domain.com/privkey.pem

2017-12-20T07:00:56.621+01:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing REST API private key: /etc/letsencrypt/live/domain.com/privkey.pem
	at org.graylog2.plugin.BaseConfiguration.validateRestTlsConfig(BaseConfiguration.java:456) ~[graylog.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
	at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:177) [graylog.jar:?]
	at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]

jan · December 20, 2017, 8:24am

The following part of the logfile, let me think that Graylog is not able to access the key or it is not in the correct format.

Unreadable or missing REST API private key: /etc/letsencrypt/live/domain.com/privkey.pem

Please check if the Key is in a supported format: http://docs.graylog.org/en/2.3/pages/configuration/https.html#certificate-key-file-format

nshah14285 · December 22, 2017, 9:23am

Error is gone after copying letsencrypt privkey.pem to /etc/graylog folder which is strange.

Another error occur is when I ran command ‘keytool -list -v -keystore keystore.jks -alias domain.com’
" keytool error: java.lang.Exception: Keystore file does not exist: keystore.jks
java.lang.Exception: Keystore file does not exist: keystore.jks
at sun.security.tools.keytool.Main.doCommands(Main.java:783)
at sun.security.tools.keytool.Main.run(Main.java:366)
at sun.security.tools.keytool.Main.main(Main.java:359)
"

From where can I get the file keystore.jks, even I search on server but didn’t get any file.

Any help will be appreciated.

:Nishit

nshah14285 · December 22, 2017, 10:07am

I was able to create keystore.jks file using this link https://github.com/Graylog2/graylog2-server/issues/1931

jan · December 22, 2017, 10:11am

Maybe just read the documetation would had helped too

http://docs.graylog.org/en/2.3/pages/configuration/https.html

nshah14285 · December 22, 2017, 10:26am

Able to successfully setup SSL and TLS.

Need your suggestion for SSL and TLS setup for graylog.

I have used letsencrypt SSL at nGinx level, so browser will always detect letsencrypt SSL which is more secure than self signed SSL and at graylog level I have created a self signed certificate based on the link you have provided.

I hope this will not create any problem in communication.

Thanks,
Nishit

system · January 5, 2018, 10:26am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.