License Violation - Remote checks have failed too many times (when it manages to contact the license server)

Hi all,
I am posting a request for help on the forum because I have spent a lot of time looking for the cause of the following error messages, and nothing I tried has resolved them.

Here is my error message on the web interface:
License Violation - Remote checks have failed too many times (for an unknown reason)

Error message on the graylog logs:
License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 199, limit: 72

My server is in the DMZ and has direct access to the internet (no proxy configured on it). I use it to collect the DMZ logs and forward them to my Graylog server in the LAN.
I have no problem with my server in the LAN, but the one in the DMZ lost its license about 1 week ago (overnight, without reason) because it does not seem to contact the license server at Graylog.

Here is the information about my server:
Debian 10.3
ElasticSearch 6.8.8
Graylog 3.2.4
Java: Oracle JDK 11.0.7
MongoDB 4.2.5

I tried to verify that my server is contacting the Graylog license server, everything seems normal:

~# http GET http://api.graylog.com/releases/active
HTTP/1.1 301 Moved Permanently
Connection: close
Date: Mon, 25 May 2020 12:52:16 GMT
Location: https://api.graylog.com/releases/active
Server: Cowboy
Via: 1.1 vegur

~# curl -v https://api.graylog.com

  • Trying 52.54.124.219…
  • TCP_NODELAY set
  • Connected to api.graylog.com (52.54.124.219) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN, server accepted to use http/1.1
  • Server certificate:
  • subject: CN=*.graylog.com
  • start date: Apr 27 00:00:00 2020 GMT
  • expire date: May 27 23:59:59 2021 GMT
  • subjectAltName: host “api.graylog.com” matched cert’s “*.graylog.com”
  • issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
  • SSL certificate verify ok.

> GET / HTTP/1.1
> Host: api.graylog.com
> User-Agent: curl/7.64.0
> Accept: */*

< HTTP/1.1 200 OK
< Server: Cowboy
< Connection: keep-alive
< Date: Mon, 25 May 2020 12:50:49 GMT
< Content-Type: text/plain
< Vary: Accept-Encoding
< Content-Length: 133
< Via: 1.1 vegur
<

I do not understand where the problem can come from, knowing that my server is able to contact the Graylog license server and that it has direct access to the internet.
I saw in the forums that it could come from a too old version of Java (which could be missing root certificates), but my Java is version 11.

Thank you in advance to the community for your precious help.
Best regards,
Paul

Hey @paul_bnf

Did you have a custom JKS for SSL certificates?

Hi Jan,

Indeed, I use a custom JVM keystore to which I added my root CA certificate.
I followed this documentation: https://docs.graylog.org/en/3.2/pages/secure/sec_graylog_beats.html

Thank you for your help,
Paul.

Hey @paul_bnf

Graylog is not able in that case to verify the certificate of the API - it could be that you have only your custom CA in this JKS and no other. This is most likely the reason that your Graylog is not able to verify the certificate and secure the connection between the Graylog Backoffice API and your Graylog server.

What do you suggest to solve it while keeping the encryption active on the inputs? Add the CA certificate to the default store of the OS?

It really depends on your local rules @paul_bnf

You might just want to add your default custom CA to the OS default store and use that one, or you may want to add the CA we used to your custom JKS … choose the action that fits your local rules.

Indeed, our JKS store was badly created and only contained the custom CA, as you said. We recreated it and now it works.
Thank you very much Jan for your help and your patience.

Have a good day!
Paul.
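
The diagnosis and fix discussed in this thread, as an added example (not posted by either participant and not Graylog tooling): curl succeeds because it uses the OS CA path, while the JVM only trusts what is in its configured truststore. The function names, the sample `keytool -list` output and the default `changeit` password are assumptions; the count comparison is a heuristic, not a full chain validation.

```shell
#!/bin/sh
# Added example: audit a custom JVM truststore and rebuild it correctly.

# Count CA entries in `keytool -list` output supplied on stdin.
count_trusted_entries() {
    grep -c 'trustedCertEntry' || true
}

# Heuristic verdict. $1 = CAs in the custom store, $2 = CAs in JVM default cacerts.
classify_truststore() {
    if [ "$1" -eq 0 ]; then
        echo "empty"
    elif [ "$1" -lt "$2" ]; then
        echo "missing-public-cas"   # e.g. a store holding only the internal CA
    else
        echo "ok"
    fi
}

# List a store with keytool and count its CA entries. $1 = path, $2 = password.
store_ca_count() {
    keytool -list -keystore "$1" -storepass "$2" | count_trusted_entries
}

# Rebuild: start from the JVM's default CA bundle, then add the internal CA.
# $1 = new truststore path, $2 = internal CA certificate (PEM), $3 = alias.
rebuild_truststore() {
    cp "$JAVA_HOME/lib/security/cacerts" "$1" &&
    keytool -importcert -noprompt -keystore "$1" -storepass changeit \
        -alias "$3" -file "$2"
}

# Constructed sample of `keytool -list` output for a store with one custom CA.
SAMPLE_CUSTOM_ONLY='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

internal-root-ca, May 18, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:...(constructed)'

# Usage: sh truststore.sh audit /path/to/custom.jks <password>
if [ "${1:-}" = "audit" ]; then
    custom=$(store_ca_count "$2" "$3")
    default=$(store_ca_count "$JAVA_HOME/lib/security/cacerts" changeit)
    echo "custom=$custom default=$default verdict=$(classify_truststore "$custom" "$default")"
fi
```

The JVM reads the rebuilt store through the standard `-Djavax.net.ssl.trustStore` property, so the same file then serves both the TLS inputs and outbound HTTPS calls.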
