Node not working after enabling HTTPS


1. Describe your incident:

I was using HTTP and it was working like a charm; now I have enabled HTTPS and I'm having some problems.

Now my node won't work; it only shows these errors:

Could not get plugins:

Getting plugins on node "5ad4c6a0-cf47-4c6e-914f-fa5d3fc053b5" failed: FetchError: There was an error fetching a resource: Internal Server Error. Additional information: None of the TrustManagers trust this certificate chain

and

Could not get JVM information:

Getting JVM information for node '5ad4c6a0-cf47-4c6e-914f-fa5d3fc053b5' failed: FetchError: There was an error fetching a resource: Internal Server Error. Additional information: None of the TrustManagers trust this certificate chain.

2. Describe your environment:
OS Information: Debian 12 on VMware

I have Graylog v6.1.4 and DataNode v6.1.4+7528370.

Java JDK 17.0.13

3. What steps have you already taken to try and solve the problem?

I tried many things, including editing the hosts file and the hostname, with no luck.

I tried to verify the CA; the import was OK. I did as in the tutorial: one file is a .pem while the other is a .key, and I imported it via keytool.

I looked into the post from ZrytyADHD, but that one is on Docker and I'm not sure if that problem applies to mine.

I looked into many posts and other places, but it seems none is like mine.

I checked my files against the others I looked at; the config is OK, otherwise I wouldn't be able to open the web page.

I also did as described on this page: How-To Guide: Securing Graylog with TLS

4. How can the community help?

Well, I wish the community could show me a door so that I can enter and fix this problem, and then help the community as well, since I'll be using Graylog and I must make this work. For that, I wish someone could show me what is wrong.

I thank you all for the help and guidance.


Hi @renoturks,
Could you please provide the full DataNode and Graylog server logs? I'd need to understand which component is trying to communicate and failing.

Have you configured TLS for the datanode as well? Uploaded your CA in the preflight interface?

Best regards,
Tomas

Good morning my friend, all good? I hope so.

Here are the files; they're over 8 MB.

I've done so many things trying to make it work, but I think I did, because I followed the documentation.

If I'm not mistaken, I've read something about the data node, but I couldn't find a way to import the CA into it; as for the preflight interface, I did as in the documentation and left it on automatic.

The thing is that the system says the data node is available.

Thanks for the answer and the help. I really want to use this; Graylog is something exceptional.

I tried to put the domain in the hosts file and now I'm getting these errors:

Could not get plugins
Getting plugins on node “5ad4c6a0-cf47-4c6e-914f-fa5d3fc053b5” failed: FetchError: There was an error fetching a resource: Internal Server Error. Additional information: Hostname server.com not verified: certificate: sha256/oR3Z6OWXJfSXttw6lnLljXxl6FliayQ8nlebciPb2aQ= DN: CN=graylog.server.com subjectAltNames: [graylog.server.com]

Could not get JVM information
Getting JVM information for node ‘5ad4c6a0-cf47-4c6e-914f-fa5d3fc053b5’ failed: FetchError: There was an error fetching a resource: Internal Server Error. Additional information: Hostname server.com not verified: certificate: sha256/oR3Z6OWXJfSXttw6lnLljXxl6FliayQ8nlebciPb2aQ= DN: CN=graylog.server.com subjectAltNames: [graylog.server.com]

A question: how can I add my CA to the node? I only see the option to make it auto-renew.

I found something about the data node and did the following config:

# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog DataNode from init scripts or similar.
node_id_file = /etc/graylog/datanode/node-id

# location of your data-node configuration files - put additional files like manually created certificates etc. here
config_location = /etc/graylog/datanode

# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret = HASH-Code

# and put the resulting hash value into the following line
root_password_sha2 =

# connection to MongoDB, shared with the Graylog server
# See https://docs.mongodb.com/manual/reference/connection-string/ for details
mongodb_uri = mongodb://localhost/graylog

#### HTTP bind address

bind_address = 0.0.0.0
# The port where OpenSearch HTTP is listening on
#
# opensearch_http_port = 9200

http_publish_uri = https://graylog.domain.com:8999

# Enable TLS for HTTP
http_enable_tls = true
http_tls_cert_file = /opt/graylog/cert.pem
http_tls_key_file = /opt/graylog//privkey.pem
http_tls_key_password = secret

# Enable TLS for Transport Layer
transport_certificate = /etc/graylog/datanode/certs/fullchain.pem
#transport_certificate_password = secret
transport_certificate_key_file = /etc/graylog/datanode/certs/privkey.pem
#transport_certificate_key_password = secret

# Enable specific TLS protocols
enabled_tls_protocols = TLSv1.2,TLSv1.3

# Node name
node_name = datanode-01

# Root directory of the used opensearch distribution
opensearch_location = /usr/share/graylog-datanode/dist
opensearch_config_location = /var/lib/graylog-datanode/opensearch/config
opensearch_data_location = /var/lib/graylog-datanode/opensearch/data
opensearch_logs_location = /var/log/graylog-datanode/opensearch

# Cluster settings
opensearch_discovery_seed_hosts = graylog.domain.com
initial_cluster_manager_nodes = graylog.domain.com

# Log buffer size
process_logs_buffer_size = 1000

and the server.conf:

# instances as leader. The leader will perform some periodical tasks that non-leaders won't perform.
is_leader = true

# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id

# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret = hash-Code

# and put the resulting hash value into the following line
root_password_sha2 = HASHCODE
#root_password_sha2 = HASHCODE

# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
root_timezone = Brazil/East

# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog-server/bin

# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
data_dir = /var/lib/graylog-server

# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin

http_bind_address = 0.0.0.0:443

# Default: http://$http_bind_address/
#http_publish_uri = http://192.168.1.1:9000/
http_publish_uri = https://graylog.domain.com
#http_publish_uri = http://graylog.domain.com
#
# Default: false
http_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_cert_file = /opt/graylog/fullchain.pem

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_file = /opt/graylog/privkey.key

# The password to unlock the private key used for securing the HTTP interface.
http_tls_key_password = secret

# especially on systems with great number of streams and fields.
stream_aware_field_types=false

# WARNING: At least one strategy must be enabled. Be careful when extending this list on existing installations!
disabled_retention_strategies = none,close

# be enabled with care. See also: https://docs.graylog.org/docs/query-language
allow_leading_wildcard_searches = false

# should only be enabled after making sure your Elasticsearch cluster has enough memory.
allow_highlighting = false

#  3. "on" (default) - field values are suggested for all field types, even the types where suggestions are inefficient performance-wise
field_value_suggestion_mode = on

# Example: output_batch_size = 10mb
output_batch_size = 500

# for this time period is less than output_batch_size * outputbuffer_processors.
output_flush_interval = 1

# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30

#Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
processor_wait_strategy = blocking

# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_wait_strategy = blocking

# Enable the message journal.
message_journal_enabled = true

# Default: <data_dir>/journal
message_journal_dir = /var/lib/graylog-server/journal

# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers in front.
lb_recognition_period_seconds = 3

# MongoDB connection string
# See https://docs.mongodb.com/manual/reference/connection-string/ for details
mongodb_uri = mongodb://localhost/graylog

# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000

# An absolute path where scripts are permitted to be executed from.
integrations_scripts_dir = /usr/share/graylog-server/scripts
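The two error messages quoted in this thread correspond to the two checks every TLS client makes before it trusts a server: the presented chain must end in a CA the client's truststore contains (the "None of the TrustManagers trust this certificate chain" message from Java), and the host name the client used to connect must match one of the certificate's subjectAltName entries (the "Hostname server.com not verified ... subjectAltNames: [graylog.server.com]" message, where the client connected as server.com but the certificate only carries graylog.server.com). The script below is an added example, not code from the thread or from Graylog: it builds a throwaway private CA plus a server certificate whose only SAN is graylog.server.com, then runs both checks with openssl against the two host names taken from the posted error. The "Demo Root CA", the "Unrelated CA" (standing in for a truststore that lacks your CA), and all files under $WORK are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of Graylog: reproduces the two TLS
# failures quoted above with a throwaway private CA, then runs the two checks a
# TLS client performs (chain trust, then host name against subjectAltName).
# Everything under $WORK is constructed for this demo; the host names are the
# ones that appear in the posted error messages.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a private CA, an unrelated second CA (stands in for a truststore that
# does not contain our CA), and a server certificate issued by the first CA
# whose only subjectAltName is graylog.server.com.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=graylog.server.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:graylog.server.com\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# chain_trusted CAFILE CERT: succeeds only if CERT chains up to a CA in CAFILE.
# This is the check behind "None of the TrustManagers trust this certificate chain".
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# hostname_ok CAFILE CERT NAME: chain check as above, plus NAME must match a
# subjectAltName entry (the CN is ignored once a SAN is present).
# This is the check behind "Hostname server.com not verified".
hostname_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# show_sans CERT: print the subjectAltName extension, which is what the client compares.
show_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Stand-alone demo: build the material and report each check.
make_certs
show_sans "$WORK/server.pem"
for ca in ca.pem other-ca.pem; do
  if chain_trusted "$WORK/$ca" "$WORK/server.pem"; then
    echo "chain trusted with $ca"
  else
    echo "chain NOT trusted with $ca (issuing CA missing from this truststore)"
  fi
done
for name in graylog.server.com server.com; do
  if hostname_ok "$WORK/ca.pem" "$WORK/server.pem" "$name"; then
    echo "$name: hostname verified"
  else
    echo "$name: hostname NOT verified (not in subjectAltName)"
  fi
done
```

The same two conditions apply to the JVM that runs graylog-server when it fetches plugins and JVM information from the data node: the CA that issued the data node's certificate must be present in the truststore that JVM actually loads (its default cacerts, or the file named by the standard -Djavax.net.ssl.trustStore property), and the host name Graylog uses to reach the data node must appear in that certificate's subjectAltName list. A certificate whose only SAN is graylog.server.com fails the second check when the node is contacted as server.com no matter what the truststore contains, so fixing the hosts file alone cannot resolve it. Note that `keytool -list -cacerts` reports the default truststore of the JDK that keytool itself belongs to, which only tells you something if that is the same JDK the Graylog service runs on.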