Hi there,
After a few days struggling with configuring Graylog to use SSL communications, I decided to write this post.
I'm trying to set up SSL for my Graylog 4.1.5 on Ubuntu 20.4; everything works fine when I use a self-signed certificate.
But if I try to use our commercial certificates, Graylog shows an error.
The Graylog console via HTTPS works fine and the certificate is valid, but I can’t create any inputs. I get this error in server.log:
[ProxiedResource] Unable to call https://IP:9000/api/system/metrics/multiple on node <xxxxx>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and an error like the one below when trying to open my single node via the admin console.
* FetchError: There was an error fetching a resource: Internal Server Error. Additional information: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
* Check your Graylog logs for more information.
I read that it can be a problem of no CA imported into the Java keystore.
But when I list the imported CAs for the keystore, it looks like everything is correct.
Keystore contain 1 entries
The certificate fingerprint is the same as in the cert.
My Graylog configuration:
http_bind_address = 0.0.0.0:9000
http_enable_tls = true
http_tls_cert_file = /etc/ss/certs/graylog/cert.pem (path to my commercial certificate .pem file)
http_tls_key_file = /etc/ssl/certs/graylog/kem.pem (path to my key .pem file)
I will be very grateful for any suggestions.
Where am I making mistakes? I searched the internet to find documentation on how to set up commercial certs in Graylog, but only found self-signed and Let’s Encrypt implementation steps.
I might be able to help; I have run into this error multiple times.
Make sure Graylog can access the certificates, especially for the INPUTs. One easy way is to place the certs in the Graylog directory /etc/graylog.
chown graylog:graylog -R /some/path
If you have a custom keystore, the JVM needs to pick up the new trust store; it has to be started with the JVM parameter
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks
Does your INPUT have the full path configured?
In my personal documentation I have this stated; maybe it can help.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Make sure certificates are in the Java Trusted Store (keytool -importcert -keystore graylog-key.jks -storepass secret -alias graylog1.domain.com -file graylog-certificate.pem)
Copy the Java cacerts file to a custom java_keystore called graylog_keystore.jks ("cp -a $java_home/security/cacerts /etc/pki/tls/certs/graylog/graylog_keystore.jks") and add certs into graylog_keystore.jks
Side Notes:
The Graylog server has a PTR record on the Domain Name Servers (DNS)
The Graylog hosts file is configured as: ipaddress FQDN
The Graylog hostname is configured as the FQDN
You need the password to the keystore. The Java default is "changeit". Change the password and adjust it to match the Graylog config: http_tls_key_password = secret
As you suggested, I forgot to pick up the new trust store.
I’ve done it by editing /etc/default/graylog-server
and editing
#Default Java options for help and garbage collection.
-Djavax.net.ssl.trustStore=/etc/sslcerts/graylog/graylog_keystore.jks -Djavax.net.ssl.trustStorePassword=changeit
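The trust-store steps described in the two posts above (verify the commercial chain, copy cacerts into graylog_keystore.jks, import the CA certificates, point the JVM at the store), as an added shell example that is not from the thread or from Graylog. The cacerts location (Ubuntu's /etc/ssl/certs/java/cacerts), the file names under /etc/ssl/certs/graylog and the alias prefix are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Graylog): build a trust store for Graylog
# from the JVM's default cacerts plus the commercial CA chain, so the node's own
# API client can validate the HTTPS certificate (the PKIX error above).
# Assumptions: Ubuntu's cacerts path, the file names and the alias prefix.
set -eu

CACERTS="${CACERTS:-/etc/ssl/certs/java/cacerts}"   # assumed default location

# Confirm the server cert actually chains to the bundle before touching Java;
# a missing intermediate here is the usual cause of the PKIX error.
verify_chain() {  # usage: verify_chain cert.pem chain.pem
    openssl verify -CAfile "$2" "$1"
}

# Split a PEM bundle into one file per certificate and print each file name;
# keytool -importcert only reads the first certificate of a file.
split_chain() {  # usage: split_chain chain.pem outdir
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); print out; out = "" }
    ' "$1"
}

# Copy cacerts to graylog_keystore.jks, import every CA of the chain and make
# the file readable by the graylog user (the INPUTs run as that user too).
build_truststore() {  # usage: build_truststore chain.pem store.jks storepass
    chain="$1"; store="$2"; pass="$3"; i=0
    cp -a "$CACERTS" "$store"
    for part in $(split_chain "$chain" "$(dirname "$store")/chain-parts"); do
        i=$((i + 1))
        keytool -importcert -noprompt -keystore "$store" -storepass "$pass" \
            -alias "graylog-ca-$i" -file "$part"
    done
    chown graylog:graylog "$store"; chmod 640 "$store"
    keytool -list -keystore "$store" -storepass "$pass" | grep -c 'graylog-ca-'
}

# Example invocation (paths are assumptions); afterwards add to
# /etc/default/graylog-server:
#   -Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/graylog_keystore.jks
#   -Djavax.net.ssl.trustStorePassword=changeit
# verify_chain /etc/ssl/certs/graylog/cert.pem /etc/ssl/certs/graylog/chain.pem
# build_truststore /etc/ssl/certs/graylog/chain.pem \
#     /etc/ssl/certs/graylog/graylog_keystore.jks changeit
```

Run verify_chain first: if openssl already reports "unable to get local issuer certificate", the bundle itself is incomplete and importing it into Java will not help.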