[PROBLEM] Using HTTPS


(Pmmivv) #1

What’s the solution for this error?

    [ProxiedResource] Unable to call https://xxx.xxx.10.199:12900/system/inputstates on node <ceb79a50-a3b3-4106-971e-286f2bb8c97f>
    javax.net.ssl.SSLPeerUnverifiedException: Hostname 1xx.1xx.10.199 not verified:
    certificate: sha256/QtXKgN8JpHCs2S5Jms2XInHS18Y9m86iWGWbrPK5AX4=
    DN: EMAILADDRESS=(my.hide.mail)@(my.domain), CN=1xx.1xx.10.199, OU=graylog, O=mycompanny, L=porto, ST=porto, C=pt
    subjectAltNames: []
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:290) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100) ~[graylog.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at org.graylog2.rest.RemoteInterfaceProvider.lambda$get$0(RemoteInterfaceProvider.java:59) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) ~[graylog.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:69) ~[graylog.jar:?]
	at retrofit2.OkHttpCall.execute(OkHttpCall.java:180) ~[graylog.jar:?]
	at org.graylog2.shared.rest.resources.ProxiedResource.lambda$getForAllNodes$0(ProxiedResource.java:76) ~[graylog.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

This happens when I try to use HTTPS on Graylog. I can log in, I can search, but I can’t initialize the inputs and it returns that error.

I’m using the latest beta of Graylog and the same issue happens in 2.2.3.
The certificates were generated following this tutorial: http://docs.graylog.org/en/2.2/pages/configuration/https.html.

Best regards
PV


(Jochen) #2

Is xxx.xxx.10.199 the Common Name (CN) you’ve been using in your certificates and did you add these certificates to the JVM trust store (if they were self-signed)?


(Pmmivv) #3

@jochen, the xxx.xxx are censored numbers; this specific value is the SIEM server IP, and yes, I’ve added the certificate to the JVM trust store because they are self-signed.


(Jochen) #4

Then I guess you’ve missed something in that process, because the JVM (or Java) is telling you that it cannot verify the certificate: javax.net.ssl.SSLPeerUnverifiedException


(Pmmivv) #5

@jochen

I’ve used the following command to insert the certificate:

    $ ./keytool -importcert -keystore ../lib/secure/cacerts -storepass changeit -alias graylog -file /etc/graylog/cert.pem

and when I run the ./keytool command to list the trusted certificates, the alias graylog is there.


(Jochen) #6

Not sure what ../lib/secure/cacerts is.

Please refer to http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store for information on how to add certificates to the JVM trust store and set the appropriate JVM parameters.
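
The exception text in post #1 lists the host the client tried, the certificate DN and its subjectAltNames. As an added example (not part of the thread and not Graylog code), this Python script parses such a message and reports whether the host is covered by a SAN entry. It assumes the client compares IP-address hosts only with subjectAltName entries, as OkHttp's hostname verifier does; the function names and the sample message are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the exception text in post #1; the address is
# from the 192.0.2.0/24 documentation range and the pin is a placeholder.
SAMPLE = """javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.0.2.199 not verified:
    certificate: sha256/PLACEHOLDER=
    DN: CN=192.0.2.199, OU=graylog, O=example, C=pt
    subjectAltNames: []
"""

def parse_unverified(message):
    """Extract (host, CN, SAN list) from an SSLPeerUnverifiedException message."""
    host = re.search(r"Hostname (\S+) not verified", message)
    cn = re.search(r"\bCN=([^,\n]+)", message)
    sans = re.search(r"subjectAltNames: \[(.*?)\]", message)
    if not (host and sans):
        raise ValueError("not a hostname-verification failure message")
    names = [s.strip() for s in sans.group(1).split(",") if s.strip()]
    return host.group(1), cn.group(1).strip() if cn else None, names

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def diagnose(message):
    """Return a short finding code explaining why the host did not match."""
    host, cn, sans = parse_unverified(message)
    if is_ip(host):
        # Assumption: IP hosts are compared with SAN entries only, never the CN.
        san_ips = {ipaddress.ip_address(s) for s in sans if is_ip(s)}
        if ipaddress.ip_address(host) in san_ips:
            return "san-matches"
        return "ip-missing-from-san" + ("-cn-only" if cn == host else "")
    # Exact DNS-name comparison only; wildcard SAN entries are not evaluated here.
    if host.lower() in (s.lower() for s in sans):
        return "san-matches"
    cn_only = cn is not None and cn.lower() == host.lower()
    return "name-missing-from-san" + ("-cn-only" if cn_only else "")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result ending in `-cn-only` means the address or name appears only in the certificate's CN, so under the stated assumption the certificate has to be reissued with that value as a subjectAltName entry.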

