After a few days of struggling to configure Graylog to use SSL communication, I decided to write this post.
I am trying to set up SSL for my Graylog 4.1.5 on Ubuntu 20.4; everything works fine when I use a self-signed certificate.
But if I try to use our commercial certificates, Graylog shows an error.
The Graylog console via HTTPS works fine and the certificate is valid, but I can't create any inputs. I get this error in server.log:
[ProxiedResource] Unable to call https://IP:9000/api/system/metrics/multiple on node <xxxxx>: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
and an error like the one below when I try to open my single node via the admin console:
FetchError: There was an error fetching a resource: Internal Server Error. Additional information: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Check your Graylog logs for more information.
I read that it can be a problem of no CA being imported into the Java keystore.
But when I list the imported CAs for the keystore, it looks like everything is correct.
keytool -list -keystore "/etc/ssl/certs/graylog/cacerts.jks"
Keystore contain 1 entries
The certificate fingerprint is the same as in the cert.
My Graylog configuration:
http_bind_address = 0.0.0.0:9000
http_enable_tls = true
http_tls_cert_file = /etc/ss/certs/graylog/cert.pem (path to my commercial certificate .pem file)
http_tls_key_file = /etc/ssl/certs/graylog/kem.pem (path to my key .pem file)
I will be very grateful for any suggestions.
Where am I making mistakes? I searched the internet for documentation on how to set up commercial certs in Graylog but only found self-signed and Let's Encrypt implementation steps.
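
An added diagnostic, not part of the original post: "unable to find valid certification path" means the verifier could not build a chain from the presented certificate to a trusted CA. The script below reproduces that condition with openssl on a constructed throwaway PKI (root, intermediate, server). It assumes the commercial CA issues through an intermediate, and the names `issue`, `make_demo_pki`, `chain_ok` and all file names are hypothetical.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> server); no real certificates involved.

issue() {  # issue <name> <subject CN> <ext file> [issuer name]; self-signed when no issuer is given
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
        -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
        -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

make_demo_pki() {  # make_demo_pki <dir>: writes root.pem, leaf-only.pem and fullchain.pem
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:graylog.example.test\n' > srv.ext
    issue root "Demo Root CA" ca.ext &&
    issue inter "Demo Intermediate CA" ca.ext root &&
    issue server "graylog.example.test" srv.ext inter &&
    cat server.pem > leaf-only.pem &&             # server certificate alone
    cat server.pem inter.pem > fullchain.pem )    # server certificate, then its issuer
}

# chain_ok <trusted root PEM> <PEM the server presents, leaf first>
# Succeeds only if a path from the first certificate to the trusted root can be built,
# using any further certificates in the same file as untrusted intermediates.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for f in leaf-only.pem fullchain.pem; do
  if chain_ok "$demo_dir/root.pem" "$demo_dir/$f"; then
    echo "$f: certification path found"
  else
    echo "$f: unable to find certification path"
  fi
done
```

`chain_ok` can also be pointed at the CA's real root certificate and the PEM file configured as `http_tls_cert_file` to see whether that file alone lets a verifier reach the root.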