Need help - Adding a self-signed certificate to the JVM trust store


#1

Hello fellows,
I’m trying to install a centralized logging server and ran into graylog which offered everything I need. For now I installed the Virtual Appliance on a VMware-Infrastructure, configured OS-settings and wanted to install a self-signed certificate as described in the following article, so that the logs won’t be send in plain text and also to enable https: http://docs.graylog.org/en/2.2/pages/configuration/https.html
I generated an certificate and deployed it in the exported cacerts.jks under /etc/graylog/cert. The fingerprint was also identical when I verified the cacerts.jks file.
The problem I’m having is, that I don’t know how to go further. The article says that I have to start the JVM with the parameters for the new cacerts.jks path and also the new password for this trust store, but I can’t find any information on how to start the JVM. Maybe it’s because I didn’t read correctly or because I’m not so familiar with Linux.
I’d appreciate some help and maybe some tips for further deployment :slight_smile:

Thank you in advance!


(Jochen) #2

You might want to go back to that documentation and read it until the end.

In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter […]

Also see http://docs.graylog.org/en/2.2/pages/configuration/file_location.html for the correct file(s) to edit.


#3

Hey jochen,

Thank you for your response. I’ve taken a look at the documentation again and noticed that I skipped a paragraph. I found the graylog configuration file, but noticed that following lines were missing (as described in the documentation)

  • web_enable_tls = true
  • web_tls_cert_file = /path/to/graylog-certificate.pem
  • web_tls_key_file = /path/to/graylog-key.pem
  • web_tls_key_password = secret

The API-lines were there though. I just added the missing lines with the correct paths and passwords, restarted all services, reconfigured graylog via graylog-ctl script, but somehow my self-signed certificate won’t apply. It is still the standard certificate provided in the OVA.

Is there another way, to apply my self-signed certificate? Am I missing something again?
I used another browser to be sure that it’s not cache related.

Thank you in advance!


(Jochen) #4

The virtual machine images (OVA) cannot be configured manually.

You’ll have to use the graylog-ctl utility to configure the VM. Manual changes will be overwritten.

See http://docs.graylog.org/en/2.2/pages/configuration/graylog_ctl.html#install-custom-ssl-certificates for the relevant documentation about using custom SSL certificates with the OVA.


#5

Thank you very much for your help, I figured it out. I had to convert my certificate and keyfile into the right format and then copy it in /opt/graylog/conf/nginx/ca . After that the nginx-service had just to be restartet with the graylog-ctl script.