We are unable to make Inputs work when securing the Web Interface.
The Certificate is a wildcard certificate for our domain created with Let’s Encrypt (using example.com in this case).
The Web Interface works fine but the Inputs are not able to start and we can see the following warning in the log over and over again:
graylog docker WARN : org.graylog2.shared.rest.resources.ProxiedResource - failed to call API on node <fcb0cec2-55cf-4e1b-aa64-6973b048c04a>, cause: None of the TrustManagers trust this certificate chain. (duration: 13 ms)
2. Describe your environment:
```yaml
graylog:
  hostname: "server"
  image: "${GRAYLOG_IMAGE:-graylog/graylog:7.0}"
  depends_on:
    mongodb:
      condition: "service_started"
    datanode:
      condition: "service_started"
  entrypoint: "/usr/bin/tini -- /docker-entrypoint.sh"
  environment:
    GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
    # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
    GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
    GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
    GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
    GRAYLOG_HTTP_EXTERNAL_URI: "https://graylog.example.com/"
    GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    GRAYLOG_HTTP_PUBLISH_URI: "https://graylog.example.com/"
    GRAYLOG_HTTP_ENABLE_TLS: true
    GRAYLOG_HTTP_TLS_CERT_FILE: "/etc/graylog/certs/_.example.com-cert.pem"
    GRAYLOG_HTTP_TLS_KEY_FILE: "/etc/graylog/certs/_.example.com-key.pem"
  ports:
    - "127.0.0.1:5044:5044/tcp" # Beats
    - "127.0.0.1:5140:5140/udp" # Syslog
    - "127.0.0.1:5140:5140/tcp" # Syslog
    - "127.0.0.1:5555:5555/tcp" # RAW TCP
    - "127.0.0.1:5555:5555/udp" # RAW UDP
    - "127.0.0.1:9000:9000/tcp" # Server API
    - "80:9000/tcp" # Web interface
    - "443:9000/tcp" # Web interface
    - "127.0.0.1:12201:12201/tcp" # GELF TCP
    - "127.0.0.1:12201:12201/udp" # GELF UDP
    #- "127.0.0.1:10000:10000/tcp" # Custom TCP port
    #- "127.0.0.1:10000:10000/udp" # Custom UDP port
    - "127.0.0.1:13301:13301/tcp" # Forwarder data
    - "127.0.0.1:13302:13302/tcp" # Forwarder config
  networks:
    - graylog
  volumes:
    - "graylog_data:/usr/share/graylog/data/data"
    - "./certs:/etc/graylog/certs:ro"
  restart: "on-failure"
```
We have only added the directory in volumes and changed the environment section to load our certs and enable TLS.
We see no further steps in the documentation; what part are we missing?
Is there a way with docker compose and environment files to create and add the Java Keystore, or do I have to boot up the container and do those steps manually in the container CLI?
The certificate we try to implement is issued by Let’s Encrypt, so I assume we should be able to omit adding the CA root certificate since it is already trusted.
The best route would be to copy cacerts from a Java distribution, add your CA to this and then mount it via a volume within your compose file. The -Djavax.net.ssl.trustStore option could technically point anywhere.
It can be copied from a Graylog container to a local destination.
So, I was able to make it work by having a look at the docker-entrypoint.sh script.
The script checks for certificates inside a root “certificates” directory in .crt format. I converted our .pem formatted certificate to .crt with OpenSSL like so:
```sh
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
```
I changed the volume mount to put my certificates into said directory.
```yaml
graylog:
  hostname: "server"
  image: "${GRAYLOG_IMAGE:-graylog/graylog:7.0}"
  depends_on:
    mongodb:
      condition: "service_started"
    datanode:
      condition: "service_started"
  entrypoint: "/usr/bin/tini -- /docker-entrypoint.sh"
  environment:
    GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
    # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
    GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
    GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
    GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
    GRAYLOG_HTTP_EXTERNAL_URI: "https://graylog.example.com/"
    GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    GRAYLOG_HTTP_PUBLISH_URI: "https://graylog.example.com/"
    GRAYLOG_HTTP_ENABLE_TLS: true
    GRAYLOG_HTTP_TLS_CERT_FILE: "/certificates/_.example.com-cert.pem"
    GRAYLOG_HTTP_TLS_KEY_FILE: "/certificates/_.example.com-key.pem"
  ports:
    - "127.0.0.1:5044:5044/tcp" # Beats
    - "127.0.0.1:5140:5140/udp" # Syslog
    - "127.0.0.1:5140:5140/tcp" # Syslog
    - "127.0.0.1:5555:5555/tcp" # RAW TCP
    - "127.0.0.1:5555:5555/udp" # RAW UDP
    - "127.0.0.1:9000:9000/tcp" # Server API
    - "80:9000/tcp" # Web interface
    - "443:9000/tcp" # Web interface
    - "127.0.0.1:12201:12201/tcp" # GELF TCP
    - "127.0.0.1:12201:12201/udp" # GELF UDP
    #- "127.0.0.1:10000:10000/tcp" # Custom TCP port
    #- "127.0.0.1:10000:10000/udp" # Custom UDP port
    - "127.0.0.1:13301:13301/tcp" # Forwarder data
    - "127.0.0.1:13302:13302/tcp" # Forwarder config
  networks:
    - graylog
  volumes:
    - "graylog_data:/usr/share/graylog/data/data"
    - "./certs:/certificates"
  restart: "on-failure"
```
Restarting the containers applied the certificate to the JKS as I would have expected from the get-go.
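The fix above hinges on two things: every certificate in the mounted directory must be DER-encoded with a .crt suffix, and the conversion must not alter the certificate. The following script is an added example, not code from the thread or from the Graylog project, that prepares and checks such a directory before the containers are restarted. It assumes the openssl CLI is installed; the self-signed certificate it generates is constructed test data standing in for the poster's Let's Encrypt wildcard certificate, and the file names simply mirror the ones used in the compose file.

```sh
#!/bin/sh
# Added example (not from the original thread or the Graylog image): prepare a
# ./certs directory the way the poster's fix expects, i.e. every certificate
# present as DER-encoded .crt, and verify the files before a container restart.
# Assumes the openssl CLI is available.
set -eu

# Convert a PEM certificate to DER (.crt). Only the public certificate is read;
# the private key file is never touched, so it can stay wherever it is mounted.
pem_to_der_crt() {
    pem="$1"; crt="$2"
    openssl x509 -outform der -in "$pem" -out "$crt"
}

# SHA-256 fingerprint of a certificate in either encoding ("pem" or "der"),
# used to confirm that a conversion produced the same certificate.
cert_fingerprint() {
    inform="$1"; file="$2"
    openssl x509 -inform "$inform" -in "$file" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Count the .crt files in a directory that are NOT valid DER certificates.
# Anything counted here would not be a usable import into the JVM truststore.
count_bad_der_crt() {
    dir="$1"; bad=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        openssl x509 -inform der -in "$f" -noout 2>/dev/null || bad=$((bad + 1))
    done
    echo "$bad"
}

# End-to-end run on constructed data: a throwaway self-signed certificate
# (not a real Let's Encrypt certificate) plus one deliberately broken .crt.
# Prints "ok" when the DER copy matches the PEM original and exactly the
# broken file is flagged; prints "mismatch" otherwise.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=graylog.example.com" \
        -keyout "$work/_.example.com-key.pem" -out "$work/_.example.com-cert.pem" 2>/dev/null
    pem_to_der_crt "$work/_.example.com-cert.pem" "$work/_.example.com-cert.crt"
    printf 'not a certificate\n' > "$work/broken.crt"   # constructed malformed file
    pem_fp=$(cert_fingerprint pem "$work/_.example.com-cert.pem")
    der_fp=$(cert_fingerprint der "$work/_.example.com-cert.crt")
    bad=$(count_bad_der_crt "$work")
    rm -rf "$work"
    if [ "$pem_fp" = "$der_fp" ] && [ "$bad" -eq 1 ]; then echo ok; else echo mismatch; fi
}
```

Running `count_bad_der_crt ./certs` against the real directory before `docker compose up` catches a certificate that was copied in PEM form but renamed to .crt, which the entrypoint would not be able to import. Comparing fingerprints is the cheap way to confirm that the DER file really is the same certificate the web interface already serves; the key file is deliberately left out of every function so the check can be run by someone who has no business reading it.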