Need help with setup commercial certificate in Graylog 4.1.x

Hi there,
After a few days of struggling to configure Graylog to use SSL communications, I decided to write this post.

I am trying to set up SSL for my Graylog 4.1.5 on Ubuntu 20.04; everything works fine when I use a self-signed certificate.

But if I try to use our commercial certificates, Graylog shows an error.

The Graylog console via HTTPS works fine and the certificate is valid, but I can't create any inputs. I get this error in server.log:

[ProxiedResource] Unable to call https://IP:9000/api/system/metrics/multiple on node <xxxxx>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

and an error like the one below when I try to open my single node via the admin console:

* FetchError: There was an error fetching a resource: Internal Server Error. Additional information: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
* Check your Graylog logs for more information.

I read that this can be a problem of no CA being imported into the Java keystore.
But when I list the imported CAs in the keystore, everything looks correct.

keytool -list -keystore "/etc/ssl/certs/graylog/cacerts.jks"

The keystore contains 1 entry.
The certificate fingerprint is the same as in the cert.

My Graylog configuration:
http_bind_address = 0.0.0.0:9000
http_enable_tls = true
http_tls_cert_file = /etc/ssl/certs/graylog/cert.pem   # path to my commercial certificate .pem file
http_tls_key_file = /etc/ssl/certs/graylog/kem.pem     # path to my key .pem file

I would be very grateful for any suggestions as to where I am making mistakes.
I searched the internet for documentation on how to set up commercial certs in Graylog, but only found self-signed and Let's Encrypt implementation steps.

Hello && Welcome

I might be able to help; I have run into this error multiple times.

Make sure Graylog can access the certificates, especially for the INPUTs. One easy way is to place the certs in the Graylog directory /etc/graylog.

chown graylog:graylog -R /some/path

If you have a custom keystore, the JVM needs to pick up the new trust store; it has to be started with the JVM parameter

-Djavax.net.ssl.trustStore=/path/to/cacerts.jks

Does your INPUT have the full path configured?

In my personal documentation I have this stated; maybe it can help.

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Make sure the certificates are in the Java trust store:
keytool -importcert -keystore graylog-key.jks -storepass secret -alias graylog1.domain.com -file graylog-certificate.pem
Copy the Java cacerts file to a custom keystore called graylog_keystore.jks:
cp -a "$JAVA_HOME/lib/security/cacerts" /etc/pki/tls/certs/graylog/graylog_keystore.jks
then add the certs into graylog_keystore.jks.

Side Notes:

  • The Graylog server has a PTR record on the Domain Name Servers (DNS)
  • The Graylog hosts file is configured as: ipaddress FQDN
  • The Graylog hostname is configured as the FQDN
  • You need the password to the keystore. The Java default is "changeit". Change the password and adjust it to match the Graylog config: http_tls_key_password = secret
  • Graylog has access to the keystore

EDIT: Here is one of my lab configs.

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain.com:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog-key.pem
http_tls_key_password = secret

I hope this helps
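
The steps above (copy the JDK cacerts, import the CA certs, point the JVM at the store, make sure Graylog can read it), collected into one script as an added example; this is not code from the thread or from the Graylog project. The store path, the alias names and the "changeit" password are illustrative assumptions, and the hostname and certificate files are whatever you pass on the command line. Two things it does deliberately: it copies cacerts before importing (copying afterwards would overwrite the store and silently discard the import), and it counts the certificates in the PEM you give to http_tls_cert_file, because a commercial leaf cert shipped without its intermediates cannot be path-built by Java no matter what the trust store holds.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Graylog): build a Graylog-specific
# trust store from the JDK cacerts, import a commercial CA chain, verify the
# import and print the JVM options for GRAYLOG_SERVER_JAVA_OPTS in
# /etc/default/graylog-server. Store path, aliases and password are assumptions.
set -euo pipefail

# Locate the JDK's default trust store: Java 8 keeps it under jre/lib/security,
# Java 11+ under lib/security; Debian/Ubuntu also publish it via ca-certificates-java.
find_cacerts() {
  local home="${JAVA_HOME:-}" c
  if [ -z "$home" ] && command -v java >/dev/null 2>&1; then
    home="$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")"
  fi
  for c in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts" /etc/ssl/certs/java/cacerts; do
    if [ -f "$c" ]; then printf '%s\n' "$c"; return 0; fi
  done
  echo "cacerts not found; set JAVA_HOME" >&2
  return 1
}

# Number of certificates in a PEM bundle. http_tls_cert_file should carry the leaf
# plus every intermediate; a count of 1 for a commercial cert usually means the
# intermediates are missing, which alone makes PKIX path building fail.
count_pem_certs() {
  [ -r "$1" ] || { echo "unreadable PEM: $1" >&2; return 1; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Create STORE as a copy of BASE (normally the JDK cacerts) and import each PEM as a
# trusted entry. The copy comes first on purpose: copying cacerts over a store you
# have already imported into throws the import away.
build_truststore() {
  local store="$1" pass="$2" base="$3" pem alias
  shift 3
  cp -a "$base" "$store"
  for pem in "$@"; do
    alias="$(basename "$pem" .pem)"
    keytool -importcert -noprompt -keystore "$store" -storepass "$pass" \
      -alias "$alias" -file "$pem" >/dev/null
  done
}

# Succeed only if ALIAS exists in STORE as a trustedCertEntry (a key entry is not
# a trust anchor, which is why "keytool -list shows one entry" is not enough).
is_trusted() {
  local out
  out="$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null)" || return 1
  case "$out" in *trustedCertEntry*) return 0 ;; *) return 1 ;; esac
}

# The two properties Graylog's JVM needs; append them to GRAYLOG_SERVER_JAVA_OPTS.
render_java_opts() {
  printf '%s=%s %s=%s\n' -Djavax.net.ssl.trustStore "$1" -Djavax.net.ssl.trustStorePassword "$2"
}

# Usage: build-graylog-truststore.sh STORE PASSWORD CHAIN.pem CA1.pem [CA2.pem ...]
#   e.g. build-graylog-truststore.sh /etc/ssl/certs/graylog/graylog_truststore.jks changeit \
#        /etc/ssl/certs/graylog/cert.pem ca-root.pem ca-intermediate.pem   (paths assumed)
if [ "$#" -ge 3 ]; then
  store="$1"; pass="$2"; chain="$3"; shift 3
  echo "certificates in $chain: $(count_pem_certs "$chain") (expect leaf + intermediates)"
  build_truststore "$store" "$pass" "$(find_cacerts)" "$@"
  for pem in "$@"; do
    is_trusted "$store" "$pass" "$(basename "$pem" .pem)" || { echo "import failed: $pem" >&2; exit 1; }
  done
  # Graylog runs as its own user and must be able to read the store (no 777 needed).
  chown graylog:graylog "$store" 2>/dev/null || echo "note: run as root or chown graylog:graylog $store" >&2
  chmod 640 "$store"
  echo "add to GRAYLOG_SERVER_JAVA_OPTS in /etc/default/graylog-server: $(render_java_opts "$store" "$pass")"
fi
```

Run it as root with the store path, the password you will put in -Djavax.net.ssl.trustStorePassword, the PEM you point http_tls_cert_file at, and the CA certificates to trust, then restart graylog-server. Use 640 with owner graylog rather than 777 on the directory: the store's password only protects integrity, so world-writable certificate directories let any local user add a trust anchor.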

Thanks for the help.

The directory with the certs has 777 privileges; I also tried moving the certs and key to /etc/graylog as you suggested, but nothing changed.

If you have a custom keystore, the JVM needs to pick up the new trust store; it has to be started with the JVM parameter

-Djavax.net.ssl.trustStore=/path/to/cacerts.jks

I think I need more details on how to pick up this trust store.

I created a new keystore following these steps:

sudo keytool -importcert -keystore /etc/ssl/certs/graylog/graylog_keystore.jks -storepass MyPASS -alias graylog.mydomain.net -file /etc/ssl/certs/graylog/cert.pem
next:
sudo cp -a "$JAVA_HOME/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog_keystore.jks

Paths to certs and key files in graylog.conf are full and correct

Finally, it works.

As you suggested, I had forgotten to pick up the new trust store.
I did it by editing /etc/default/graylog-server
and adding:

# Default Java options for heap and garbage collection.
-Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/graylog_keystore.jks -Djavax.net.ssl.trustStorePassword=changeit

Thank you for your help.


@tomputer
Nice, glad It worked.

