1. Describe your incident:
Requesting the MISP API server (locally on my server) through a lookup table with a JSON data adapter returns an error, but it works when calling with Postman. With Postman I see the call being made when looking with tcpdump. When I do the call with Graylog, no call is made or shown in tcpdump. Although the call is made with tcp, I see an error regarding certificates in the Graylog debug log (see below).
2. Describe your environment:
- OS Information: Ubuntu 20.04
- Package Version:
  - Hostname: xxxx
  - Node ID: 3e187d19-3d50-4a23-8018-d5a917937e87
  - Version: 4.3.7+05bccc7, codename Noir
  - JVM: PID 1781, Private Build 1.8.0_342 on Linux 5.15.0-50-generic
  - Time:
- Service logs, configurations, and environment variables:
→ As a new user, I cannot upload a second screen to prove the REST call worked with Postman.
2022-10-15T16:05:57.718+02:00 DEBUG [MongoDbAuthorizationRealm] Authorization info for grn::::user:local:admin - permissions: [org.apache.shiro.authz.permission.AllPermission@42fb3ef5]
2022-10-15T16:05:57.718+02:00 DEBUG [MongoDbAuthorizationRealm] Authorization info for grn::::user:local:admin - roles: [6329ba366b25664bc0279904]
2022-10-15T16:05:57.730+02:00 ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <2e892b726af9c7088abe86a2452fd5d29a1fdf8be722b1e8b1ccde601f8c34b6>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_342]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_342]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_342]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_342]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_342]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_342]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_342]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_342]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_342]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_342]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_342]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_342]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397) ~[?:1.8.0_342]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305) ~[?:1.8.0_342]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[?:1.8.0_342]
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336) ~[graylog.jar:?]
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300) ~[graylog.jar:?]
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185) ~[graylog.jar:?]
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224) ~[graylog.jar:?]
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108) ~[graylog.jar:?]
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88) ~[graylog.jar:?]
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169) ~[graylog.jar:?]
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229) ~[graylog.jar:?]
at okhttp3.RealCall.execute(RealCall.java:81) ~[graylog.jar:?]
at org.graylog2.lookup.adapters.HTTPJSONPathDataAdapter.doGet(HTTPJSONPathDataAdapter.java:188) ~[graylog.jar:?]
at org.graylog2.plugin.lookup.LookupDataAdapter.get(LookupDataAdapter.java:143) ~[graylog.jar:?]
at org.graylog2.rest.resources.system.lookup.LookupTableResource.performAdapterLookup(LookupTableResource.java:536) ~[graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor651.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_342]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_342]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_342]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_342]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_342]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456) ~[?:1.8.0_342]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323) ~[?:1.8.0_342]
at sun.security.validator.Validator.validate(Validator.java:271) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:1.8.0_342]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_342]
... 59 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_342]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_342]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_342]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451) ~[?:1.8.0_342]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323) ~[?:1.8.0_342]
at sun.security.validator.Validator.validate(Validator.java:271) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223) ~[?:1.8.0_342]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:1.8.0_342]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_342]
... 59 more
2022-10-15T16:05:57.731+02:00 DEBUG [accesslog] 172.16.188.79 local:admin [-] "GET api/system/lookup/adapters/misp2/query?key=2e892b726af9c7088abe86a2452fd5d29a1fdf8be722b1e8b1ccde601f8c34b6" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 200 -1
2022-10-15T16:05:57.839+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user
2022-10-15T16:05:57.839+02:00 DEBUG [SessionAuthenticator] Found session for userId local:admin
2022-10-15T16:05:57.839+02:00 DEBUG [SessionAuthenticator] Not extending session because the request indicated not to.
2022-10-15T16:05:57.839+02:00 DEBUG [accesslog] 172.16.188.79 local:admin [-] "GET api/system/cluster/nodes" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 200 -1
2022-10-15T16:05:58.139+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user
2022-10-15T16:05:58.139+02:00 DEBUG [SessionAuthenticator] Found session for userId local:admin
2022-10-15T16:05:58.139+02:00 DEBUG [SessionAuthenticator] Not extending session because the request indicated not to.
2022-10-15T16:05:58.140+02:00 DEBUG [MongoDbAuthorizationRealm] Retrieving authorization information for: local:admin
2022-10-15T16:05:58.140+02:00 DEBUG [MongoDbAuthorizationRealm] GRN principal: grn::::user:local:admin
2022-10-15T16:05:58.140+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user
3. What steps have you already taken to try and solve the problem?
- Debug log enabled
- Tested API call to MISP with Postman => works
- Tested call with Graylog data adapter => doesn’t work, returns an error
- Tested call with HTTP and HTTPS => cert error with both (also with HTTP plain text)
- Traced all this with tcpdump: a call is only made by Postman, but not by Graylog
4. How can the community help?
- Could you explain to me the error in the log regarding the certificate? I tried with HTTP. There should not be a cert problem.
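
An added example, not part of the original post and not Graylog code: a small Python triage of a Java stack trace like the one above. It walks the `Caused by` chain and reports whether okhttp started a TLS handshake, whether the peer's certificate arrived, and where trust validation failed. The sample trace is constructed by abbreviating the one in the post (the lookup key is replaced by a placeholder); the function name `triage` and its result keys are assumptions.

```python
import re

# Constructed sample: the trace from the post, abbreviated to its key frames.
SAMPLE = """\
2022-10-15T16:05:57.730+02:00 ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <example-key>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_342]
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336) ~[graylog.jar:?]
at org.graylog2.lookup.adapters.HTTPJSONPathDataAdapter.doGet(HTTPJSONPathDataAdapter.java:188) ~[graylog.jar:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:1.8.0_342]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_342]
"""

EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)):")
FRAME = re.compile(r"^at ([\w.$<>]+)\(")

def triage(log_text):
    """Summarise one Java stack trace: exception chain, origin, TLS evidence."""
    chain, frames = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        exc, frame = EXC.match(line), FRAME.match(line)
        if exc:
            chain.append(exc.group(1))
        elif frame:
            frames.append(frame.group(1))

    def seen(suffix):
        return any(f.endswith(suffix) for f in frames)

    tls = seen("RealConnection.connectTls")           # okhttp began a TLS handshake
    cert = seen("CertificateConsumer.onCertificate")  # peer sent its certificate
    trust = seen("X509TrustManagerImpl.checkServerTrusted")
    root = chain[-1] if chain else None
    if trust and root and root.endswith("SunCertPathBuilderException"):
        verdict = "trust: no path from server certificate to a JVM trust anchor"
    elif tls:
        verdict = "tls: handshake failed for another reason"
    else:
        verdict = "other: not a TLS failure"
    origin = next((f for f in frames if f.startswith("org.graylog2.")), None)
    return {"chain": chain, "root_cause": root, "origin": origin,
            "tls_handshake_attempted": tls, "server_cert_received": cert,
            "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```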