Lookuptable error without call to API

1. Describe your incident:
Requesting the MISP API server (locally on my server) by a lookup table with a JSON data adapter replies with an error, but it works when calling by Postman. With Postman I see the call is being made when looking with tcpdump. When I do the call with Graylog, no call is being made and shown with tcpdump. Although the call is made with tcp, I see an error regarding certificates in the Graylog debug log (see below).

2. Describe your environment:

  • OS Information: Ubuntu 20.04
  • Package Version:

Hostname: xxxx
Node ID: 3e187d19-3d50-4a23-8018-d5a917937e87
Version: 4.3.7+05bccc7, codename Noir
JVM: PID 1781, Private Build 1.8.0_342 on Linux 5.15.0-50-generic
Time:

→ As a new user, I cannot upload a second screen to prove the REST call worked by Postman.

2022-10-15T16:05:57.718+02:00 DEBUG [MongoDbAuthorizationRealm] Authorization info for grn::::user:local:admin - permissions: [org.apache.shiro.authz.permission.AllPermission@42fb3ef5]
2022-10-15T16:05:57.718+02:00 DEBUG [MongoDbAuthorizationRealm] Authorization info for grn::::user:local:admin - roles: [6329ba366b25664bc0279904]
2022-10-15T16:05:57.730+02:00 ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <2e892b726af9c7088abe86a2452fd5d29a1fdf8be722b1e8b1ccde601f8c34b6>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_342]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_342]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_342]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_342]
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_342]
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_342]
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_342]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_342]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_342]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_342]
	at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_342]
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_342]
	at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397) ~[?:1.8.0_342]
	at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305) ~[?:1.8.0_342]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[?:1.8.0_342]
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185) ~[graylog.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224) ~[graylog.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108) ~[graylog.jar:?]
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88) ~[graylog.jar:?]
	at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169) ~[graylog.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229) ~[graylog.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:81) ~[graylog.jar:?]
	at org.graylog2.lookup.adapters.HTTPJSONPathDataAdapter.doGet(HTTPJSONPathDataAdapter.java:188) ~[graylog.jar:?]
	at org.graylog2.plugin.lookup.LookupDataAdapter.get(LookupDataAdapter.java:143) ~[graylog.jar:?]
	at org.graylog2.rest.resources.system.lookup.LookupTableResource.performAdapterLookup(LookupTableResource.java:536) ~[graylog.jar:?]
	at sun.reflect.GeneratedMethodAccessor651.invoke(Unknown Source) ~[?:?]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_342]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_342]
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_342]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_342]
	at java.lang.Thread.run(Thread.java:750) [?:1.8.0_342]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456) ~[?:1.8.0_342]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323) ~[?:1.8.0_342]
	at sun.security.validator.Validator.validate(Validator.java:271) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:1.8.0_342]
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_342]
	... 59 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_342]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_342]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_342]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451) ~[?:1.8.0_342]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323) ~[?:1.8.0_342]
	at sun.security.validator.Validator.validate(Validator.java:271) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223) ~[?:1.8.0_342]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[?:1.8.0_342]
	at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_342]
	... 59 more
2022-10-15T16:05:57.731+02:00 DEBUG [accesslog] 172.16.188.79 local:admin [-] "GET api/system/lookup/adapters/misp2/query?key=2e892b726af9c7088abe86a2452fd5d29a1fdf8be722b1e8b1ccde601f8c34b6" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 200 -1
2022-10-15T16:05:57.839+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user
2022-10-15T16:05:57.839+02:00 DEBUG [SessionAuthenticator] Found session for userId local:admin
2022-10-15T16:05:57.839+02:00 DEBUG [SessionAuthenticator] Not extending session because the request indicated not to.
2022-10-15T16:05:57.839+02:00 DEBUG [accesslog] 172.16.188.79 local:admin [-] "GET api/system/cluster/nodes" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 200 -1
2022-10-15T16:05:58.139+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user
2022-10-15T16:05:58.139+02:00 DEBUG [SessionAuthenticator] Found session for userId local:admin
2022-10-15T16:05:58.139+02:00 DEBUG [SessionAuthenticator] Not extending session because the request indicated not to.
2022-10-15T16:05:58.140+02:00 DEBUG [MongoDbAuthorizationRealm] Retrieving authorization information for: local:admin
2022-10-15T16:05:58.140+02:00 DEBUG [MongoDbAuthorizationRealm] GRN principal: grn::::user:local:admin
2022-10-15T16:05:58.140+02:00 DEBUG [UserServiceImpl] User local:admin is the built-in admin user

3. What steps have you already taken to try and solve the problem?

  • debug log enabled
  • tested API call to MISP with Postman => works
  • tested call with Graylog data adapter => doesn’t work, serves error
  • tested call with http and https => cert error with both (also with http plain text)
  • traced all this with tcpdump: only a call is made by postman, but not with graylog

4. How can the community help?

  • Could you explain the error in the log regarding the certificate to me? I tried with HTTP. There should not be a cert problem.

Hello @coldflame-js

Sorry, I must have overlooked this post. Hope you don’t mind I fixed your logs so they're readable.
Judging from the logs posted, you have a certificate problem.

ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <2e892b726af9c7088abe86a2452fd5d29a1fdf8be722b1e8b1ccde601f8c34b6>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The part where it states “unable to find valid certification path to requested target”: make sure the certificate and keystore are accessible to Graylog.

Depending on how you set up TCP/TLS here are a couple simple examples.

Add Certificate to keystore using cacerts.

keytool -import -trustcacerts -file graylog-certificate.pem -alias graylog.domain.com -keystore cacerts

Graylog has access to certificates used on inputs, etc… I used Graylog Directory for testing because Graylog owns its directory. I also don’t advise chmod 755 on the certificates, I did that to make it easier to see.

EDIT:

Not sure what all you have configured, either on Graylog or the remote device, but something is asking for certs and Graylog cannot find them.
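
A way to triage a log like the one in the question, as an added example that is not part of the original thread or of Graylog: it groups each `HTTPJSONPathDataAdapter` error with its stack trace, takes the deepest "Caused by" as the root cause, and flags whether the failure happened inside a TLS handshake and whether it is a certificate-trust failure (the case the keytool import above addresses). The sample log is constructed in the shape of the posted excerpt; `triage`, its field names, the keys and `misp.example` are hypothetical.

```python
import re

# Constructed sample shaped like the server.log excerpt in this thread
# (frames trimmed; the second error is invented to show a non-TLS failure).
SAMPLE_LOG = """\
2022-10-15T16:05:57.730+02:00 ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <examplekey1>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[?:1.8.0_342]
\tat okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336) ~[graylog.jar:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\t... 59 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2022-10-15T16:05:57.731+02:00 DEBUG [accesslog] 172.16.188.79 local:admin [-] "GET api/system/lookup/adapters/misp2/query?key=examplekey1" 200 -1
2022-10-15T16:06:10.002+02:00 ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <examplekey2>
java.net.ConnectException: Failed to connect to misp.example/192.0.2.10:443
\tat okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:265) ~[graylog.jar:?]
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\S+) (ERROR|WARN|INFO|DEBUG) +\[(\w+)\] (.*)$")
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)): ?(.*)$")
# Root causes that mean "server certificate chain not trusted by the JVM truststore"
TRUST_ROOTS = {"SunCertPathBuilderException", "ValidatorException", "CertPathValidatorException"}

def triage(log_text, logger="HTTPJSONPathDataAdapter"):
    """Return one finding per ERROR entry logged by the given logger."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = None  # a timestamped line ends the previous stack trace
            if m.group(2) == "ERROR" and m.group(3) == logger:
                key = re.search(r"<([^>]*)>", m.group(4))
                current = {"time": m.group(1), "key": key.group(1) if key else None,
                           "root": None, "reason": None, "tls": False}
                findings.append(current)
        elif current is not None:
            e = EXC.match(line)
            if e:  # last match wins, so "root" ends up as the deepest cause
                current["root"] = e.group(1).rsplit(".", 1)[-1]
                current["reason"] = e.group(2)
            elif ".connectTls(" in line or "sun.security.ssl." in line:
                current["tls"] = True  # the client was in a TLS handshake when it failed
    for f in findings:
        f["trust_failure"] = f["tls"] and f["root"] in TRUST_ROOTS
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["key"], f["root"], "tls" if f["tls"] else "no-tls",
              "TRUST FAILURE" if f["trust_failure"] else "other")
```
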
