New Graylog Server with HTTPS Unable To Create New Input


#1

Alright, after realizing that it was time to move off of the appliance I went ahead and spun up a new Graylog on Ubuntu 16.04.

I have gotten the basic system up and running and have imported my wildcard certificate for my organization into the REST and web URLs.

When I create new inputs they immediately fail, and when I look at my logs I see the following message.

2017-09-06T14:44:48.591-04:00 WARN  [ProxiedResource] Unable to call https://10.0.1.245:9000/api/system/inputstates on node <46491563-6a75-453c-b5a6-452ec3904b2d>
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Looking at this error I see Jochen has previously mentioned that you need to import your SSL certs into your Java store for this whole system to work properly.

I am attempting to follow these instructions, but I find that the following location does not exist on my system. When I change directory to $JAVA_HOME it just takes me to /home/usr/.

$JAVA_HOME/jre/lib/security/cacerts

http://docs.graylog.org/en/2.1/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

What am I missing?


#2

Alright, I got everything imported; it appears that OpenJRE changed some locations.

Last step, now I am getting the following error.

2017-09-06T15:34:53.152-04:00 WARN [ProxiedResource] Unable to call https://10.0.1.245:9000/api/system/inputstates on node <46491563-6a75-453c-b5a6-452ec3904b2d>
javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.0.1.245 not verified:


(Jochen) #3

Have you been following the latest instructions to create your self-signed certificates?

Make sure that they contain the IP address in the subjectAltName part of the certificates as described at http://docs.graylog.org/en/2.3/pages/configuration/https.html#creating-a-self-signed-private-key-certificate


#4

Jochen, this works fine with a self-signed cert. I am going to assume my wildcard for my organization won’t work because it doesn’t have the IP address in it. I created a self-signed cert, followed the instructions, and voilà, it worked.

Is it possible to use the self-signed cert on the backend and my wildcard cert on the web interface, or will that cause problems?


(Jochen) #5

The IP addresses have to be explicitly listed in the subjectAltName field of the certificates.

A wildcard in subjectAltName or Common Name (CN) only includes host names matching the wildcard.


#6

I understand that now; my question is, can I use my self-signed cert for the backend processes and just use my wildcard for the web interface, or do my certs need to match?

Also, FYI, the documentation for creating a self-signed cert no longer works for this step.

$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
$ openssl req -x509 -days 365 -nodes -newkey -config openssl-graylog.cnf rsa:2048 -keyout pkcs5-plain.pem -out cert.pem
Generating a 2048 bit RSA private key
............................+++
.+++
writing new private key to 'pkcs5-plain.pem'
-----

In order to make it work I needed to reorder like so.

$ openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem  -config openssl-graylog.cnf

If you don’t do this it complains that the command is invalid.


(Jochen) #7

You can use self-signed certificates in the backend (rest_tls_* settings) and use other certificates for the Graylog web interface (web_tls_* settings).

Thanks for mentioning this!
There is an error in the documentation which we’ll fix as soon as possible:
https://github.com/Graylog2/documentation/pull/362
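The end-to-end procedure this thread converges on, as an added example that is not code from the thread or from the Graylog project: build a per-node certificate whose subjectAltName lists both the host name and the IP address the REST API is called on (posts #3 and #5), using the corrected openssl argument order from post #6; ask openssl's own matcher why a wildcard certificate covers a host name but not 10.0.1.245 (the hostname-verification failure from post #2); import the node certificate into a private copy of the JVM trust store so the PKIX error from post #1 goes away, searching the locations OpenJDK packages actually use; and print the split rest_tls_*/web_tls_* settings confirmed in post #7. The names graylog.example.org and *.example.org, all file names, the cacerts search paths, the GRAYLOG_SERVER_JAVA_OPTS hint and the server.conf paths are assumptions; 10.0.1.245 is the node IP from the thread's log lines.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project. Needs openssl
# (>= 1.0.2 for -checkhost/-checkip); keytool is optional. Host names, file
# names and config paths are placeholders; 10.0.1.245 is the thread's node IP.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Write an openssl req config. The IP must be an explicit IP.n entry under
# alt_names: a DNS wildcard only ever matches host names (post #5).
write_req_config() {                  # $1=config path, $2=CN, $3..=DNS:x / IP:y
    cfg=$1; cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$cn"
        printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        d=1; i=1
        for san in "$@"; do
            case "$san" in
                DNS:*) printf 'DNS.%d = %s\n' "$d" "${san#DNS:}"; d=$((d + 1)) ;;
                IP:*)  printf 'IP.%d = %s\n'  "$i" "${san#IP:}";  i=$((i + 1)) ;;
                *)     echo "unknown SAN type: $san" >&2; return 1 ;;
            esac
        done
    } > "$cfg"
}

# Self-signed cert. Argument order matters: rsa:2048 must directly follow
# -newkey, and -config goes after the key/cert options (post #6).
make_cert() {                         # $1=config, $2=key out (PKCS#5), $3=cert out
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1" >/dev/null 2>&1
}

# Ask libssl the question the Java client asks after the handshake: does the
# certificate cover this host name / IP literal? Exit 0 only on a match.
cert_covers_host() {                  # $1=cert, $2=host name
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 || true)
    case "$out" in *"does match"*) return 0 ;; *) return 1 ;; esac
}
cert_covers_ip() {                    # $1=cert, $2=IP literal
    out=$(openssl x509 -in "$1" -noout -checkip "$2" 2>&1 || true)
    case "$out" in *"does match"*) return 0 ;; *) return 1 ;; esac
}

# OpenJDK packages moved cacerts (post #2): Debian/Ubuntu ship it at
# /etc/ssl/certs/java/cacerts; JDK 9+ uses lib/security, JDK 8 jre/lib/security.
find_cacerts() {
    javabin=$(command -v java 2>/dev/null || true)
    jhome=${JAVA_HOME:-/nonexistent}
    [ -n "$javabin" ] && jhome=$(dirname "$(dirname "$(readlink -f "$javabin" 2>/dev/null || echo "$javabin")")")
    for c in /etc/ssl/certs/java/cacerts "$jhome/lib/security/cacerts" "$jhome/jre/lib/security/cacerts"; do
        if [ -f "$c" ]; then echo "$c"; return 0; fi
    done
    return 1
}

# Import into a private copy of cacerts; never edit the packaged file. Point
# the Graylog JVM at the copy with -Djavax.net.ssl.trustStore=<copy> in
# GRAYLOG_SERVER_JAVA_OPTS (assumed location: /etc/default/graylog-server).
import_into_truststore() {            # $1=cert, $2=trust store copy to create
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping trust store import"; return 0
    fi
    src=$(find_cacerts) || { echo "no cacerts found; skipping trust store import"; return 0; }
    cp "$src" "$2"
    keytool -importcert -noprompt -keystore "$2" -storepass changeit \
        -alias graylog-node -file "$1" >/dev/null 2>&1
}

# ---- constructed demo ------------------------------------------------------
NODE_IP=10.0.1.245
# Stand-in for the organisation's wildcard cert from post #4 (DNS wildcard only).
write_req_config "$WORKDIR/wildcard.cnf" '*.example.org' 'DNS:*.example.org'
make_cert "$WORKDIR/wildcard.cnf" "$WORKDIR/wildcard-key.pem" "$WORKDIR/wildcard.pem"
# Per-node self-signed cert: the host name AND the IP the other nodes dial.
write_req_config "$WORKDIR/node.cnf" graylog.example.org \
    'DNS:graylog.example.org' "IP:$NODE_IP"
make_cert "$WORKDIR/node.cnf" "$WORKDIR/pkcs5-plain.pem" "$WORKDIR/node.pem"
# Graylog's *_tls_key_file settings expect an unencrypted PKCS#8 key.
openssl pkcs8 -topk8 -nocrypt -in "$WORKDIR/pkcs5-plain.pem" -out "$WORKDIR/pkcs8-plain.pem"

for crt in wildcard node; do
    cert_covers_host "$WORKDIR/$crt.pem" graylog.example.org && h=yes || h=no
    cert_covers_ip   "$WORKDIR/$crt.pem" "$NODE_IP"          && p=yes || p=no
    echo "$crt.pem: covers graylog.example.org=$h  covers $NODE_IP=$p"
done
import_into_truststore "$WORKDIR/node.pem" "$WORKDIR/cacerts.jks"

cat <<EOF
# server.conf (assumed paths): self-signed node cert on the REST API,
# wildcard cert on the web interface, as confirmed in post #7.
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/node.pem
rest_tls_key_file = /etc/graylog/server/pkcs8-plain.pem
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/wildcard.pem
web_tls_key_file = /etc/graylog/server/wildcard-pkcs8.pem
EOF
```

The two check lines are the point: the wildcard certificate reports covers graylog.example.org=yes but covers 10.0.1.245=no, which is exactly the "Hostname 10.0.1.245 not verified" failure, while the node certificate reports yes for both. Whatever you set in rest_tls_cert_file must cover the literal rest_transport_uri the other nodes use, IP or name; the wildcard can stay on the web interface.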


#8

Perfect! Thanks for that information, I’ll update my system to use both certs.

Glad I could help with documentation, as I get more familiar with Graylog I am hoping to help start updating documentation more.


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.