License error, input error in ssl/tls configuration... What?


1. Describe your incident:
I have these errors

2. Describe your environment:

  • OS Information: Debian 11

  • Package Version: 4.310

  • Service logs, configurations, and environment variables: I am trying to make an SSL/TLS configuration with certs, keys, etc.

3. What steps have you already taken to try and solve the problem?
First I installed the server in HTTP mode; after that I did the SSL/TLS installation, but I have not been able to make it work… Oh my god!

4. How can the community help?
Is the SSL/TLS configuration possible in open source?
Thanks a lot to Marvin, Gsmith, and others that I am surely forgetting.
Please help me… Have a nice weekend.

If you need any data, please tell me.


Yes, I have the Enterprise plugin, sorry…

I am going to put it with the enterprise serial… To be continued.

Thanks to all…

Hey @jgutie45

Yes, this would depend on how you set it up, and you need to understand how the certificates work with Graylog. This helped me understand what is needed, but I used the Java default keystore instead of creating one; it was easier for me.

I still suffer from ssl and tls…

I have no more ideas.

Hey

What do your logs show?

Perhaps all these may help

Hello again Ms Gsmith

These are my errors in /var/log/graylog/server.log


My openssl version is 1.1.1n

Can I make certs with this version to use with Graylog in TLS encrypted transmission?

Best regards.

Hello

I'm sorry but that does not help.

Sorry Gsmith, I am doing one thousand things at the same time and an error is more than possible.
This is the correct image.

I have installed the enterprise edition with 2GB limit… Keep going fighting.

Best regards and sorry again.

I am going to make the certs on another machine with this procedure, sorry it is in Spanish
What is your opinion?
Create the directory structure

mkdir -p ca/{certs,crl,csr,newcerts,private}

certs –> stores the certificates or public keys
crl –> certificate revocation list
csr –> certificate signing requests
newcerts –> stores the certificates issued by the CA
private –> stores the private keys

Copy the openssl.cnf file

cp /etc/pki/tls/openssl.cnf /ca

Create an index.txt, which is like a database for the certificate authority

touch index.txt

Create the serial file inside the CA folder

echo '01' > serial

EDIT THE OPENSSL.CNF FILE
line 42
/ca
line 81
policy_anything

CREATE THE PUBLIC CERTIFICATE FOR THE CERTIFICATE AUTHORITY AND THE ASSOCIATED PRIVATE KEY

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout /ca/private/privadaCA.key -out /ca/certs/certificadoCA.crt

It asks you to “Enter PEM pass phrase”… secret. Although it should be more robust.
We fill in the data it asks for.

Generate the private key for the client.

openssl genrsa -aes128 -out /ca/private/privadacliente1.key 1024
It asks us to set a password… secret.

Generate a signing request by the client server.

openssl req -new -key /ca/private/privadacliente1.key -out /ca/csr/solicitudcliente1.csr -config /ca/openssl.cnf
It asks us for the password of the private key privadacliente1.key, which we set to secret
It asks us for the country, state, city, organization, organization name, hosting name and email
It asks us for a challenge password, which we leave blank, and an optional company name, which we also leave blank.

WE SIGN THE REQUEST GENERATED BY USER ANGEL

openssl ca -in /ca/csr/solicitudcliente1.csr -out /ca/newcerts/certificadocliente1.crt -cert /ca/certs/certificadoCA.crt -keyfile /ca/private/privadaCA.key -config /ca/openssl.cnf

It asks for the password of the CA private key: secret

It asks us two questions and we answer Y to both

It notifies us that the database has been updated.

It creates a 01.pem inside /ca/newcerts/ with the previous command.

CONVERT A PEM FILE AND THE PRIVATE KEY TO A PFX FILE

openssl pkcs12 -export -out /ca/newcerts/cliente1.pfx -inkey /ca/private/privadacliente1.key -in /ca/newcerts/certificadocliente1.crt


Hey

I have two options.

  1. Please do not post in other languages and expect the members here to read Spanish; most, if not all, from around the world do not read Spanish.

  2. When posting in the forum, please read this post.

Thank you

OK, but click the right button and choose translate and you put the text in the language you want; it is very simple and better than prohibiting anything, but OK, only English? OK, only English.

This is what I did, but it does not work…

I’m going to make the certificates on another machine with this procedure, sorry it’s in Spanish
What is your opinion?
create directory structure

mkdir -p ca/{certs,crl,csr,newcerts,private}

certs –> stores the certificates or public keys
crl –> certificate revocation list
csr –> certificate signing requests
newcerts –> stores the certificates that the CA issues
private –> stores private keys

copy the openssl.cnf file

cp /etc/pki/tls/openssl.cnf /ca

create an index.txt that is like a database of the certification authority

touch index.txt

we create the serial file inside the CA folder

echo '01' > serial

EDIT THE OPENSSL.CNF FILE
line 42
/ca
line 81
policy_anything

WE CREATE THE PUBLIC CERTIFICATE FOR THE CERTIFICATION AUTHORITY AND THE ASSOCIATED PRIVATE KEY

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout /ca/private/privadaCA.key -out /ca/certs/certificadoCA.crt

It asks you to “Enter PEM pass phrase”… secret. Although it should be more robust.
We fill in the information requested.

Generate the private key for the client.

openssl genrsa -aes128 -out /ca/private/privadacliente1.key 1024
It asks us to put a password… secret.

Generate a signature request by the server client.

openssl req -new -key /ca/private/privadacliente1.key -out /ca/csr/solicitudcliente1.csr -config /ca/openssl.cnf
It asks us for the private key of privadacliente1.key that we put secret
It asks us for the country, state, city, organization, organization name, hosting name and email
It asks us for a challenge password, we leave it blank and an optional company name that we also leave blank.

WE SIGN THE REQUEST GENERATED BY USER ANGEL

openssl ca -in /ca/csr/solicitudcliente1.csr -out /ca/newcerts/certificadocliente1.crt -cert /ca/certs/certificadoCA.crt -keyfile /ca/private/privadaCA.key -config /ca/openssl.cnf

It asks for the password of the private key of the CA: secret

It asks us two questions and we answer Y to both

It notifies us that the database has been updated.

It creates a 01.pem inside /ca/newcerts/ with the above command.

CONVERT A PEM FILE AND PRIVATE KEY TO A PFX FILE

openssl pkcs12 -export -out /ca/newcerts/cliente1.pfx -inkey /ca/private/privadacliente1.key -in /ca/newcerts/certificadocliente1.crt

The Graylog manual says that you put the graylog-certificate.pem and graylog-key.pem in the client and it works, and I did that and it doesn't work.
The second choice is to make a graylog-certificate.pem and graylog-key for the server and a client.crt and client.key for the client, but the Graylog manual doesn't say how to do it, so… I have the server in HTTPS mode but I can't receive inputs from any client.

Thanks a lot and sorry for speaking in Spanish.
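
A non-interactive version of the CA procedure posted above, followed by the checks worth running before pointing a server at the files; this is an added example, not part of the thread and not taken from the Graylog manual. The host name `graylog.example.test`, the CA name and the directory layout are constructed placeholders, and it assumes the server wants a PEM certificate plus an unencrypted PKCS#8 PEM key; RSA 2048 replaces the 1024-bit key from the post.

```shell
#!/bin/sh
# Added example. Host name, CA name and file layout are constructed placeholders.
set -eu

make_certs() {  # usage: make_certs DIR HOSTNAME
  dir=$1; host=$2
  mkdir -p "$dir/certs" "$dir/csr" "$dir/private" && chmod 700 "$dir/private"
  # Minimal private config, so nothing depends on editing the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. CA key and self-signed CA certificate (-nodes only keeps the demo non-interactive).
  openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 365 -config "$dir/openssl.cnf" \
    -keyout "$dir/private/ca.key" -out "$dir/certs/ca.crt" 2>/dev/null || return 1
  # 2. Server key (2048-bit, not 1024) and certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" -subj "/CN=$host" \
    -keyout "$dir/private/server.key" -out "$dir/csr/server.csr" 2>/dev/null || return 1
  # 3. Sign the request; clients match the host name against subjectAltName.
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$host" > "$dir/csr/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/csr/server.csr" -CA "$dir/certs/ca.crt" \
    -CAkey "$dir/private/ca.key" -CAcreateserial -extfile "$dir/csr/server.ext" \
    -out "$dir/certs/server.crt" 2>/dev/null || return 1
  # 4. Unencrypted PKCS#8 PEM key ("BEGIN PRIVATE KEY"), the key format assumed here.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/private/server.key" \
    -out "$dir/private/server.pkcs8.key" || return 1
}

check_certs() {  # 0 = all good; 1 = chain, 2 = host name, 3 = key format, 4 = key/cert mismatch
  dir=$1; host=$2; crt="$dir/certs/server.crt"; key="$dir/private/server.pkcs8.key"
  openssl verify -CAfile "$dir/certs/ca.crt" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' || return 2
  head -n 1 "$key" | grep -q 'BEGIN PRIVATE KEY' || return 3
  [ "$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$key" -pubout | openssl sha256)" ] || return 4
}
```

Clients that send to a TLS input need `certs/ca.crt` in their trust store and must connect using the same host name that was placed in `subjectAltName`.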
