[PROBLEM] Using HTTPS

What’s the solution for this error?

    [ProxiedResource] Unable to call https://xxx.xxx.10.199:12900/system/inputstates on node <ceb79a50-a3b3-4106-971e-286f2bb8c97f>
    javax.net.ssl.SSLPeerUnverifiedException: Hostname 1xx.1xx.10.199 not verified:
    certificate: sha256/QtXKgN8JpHCs2S5Jms2XInHS18Y9m86iWGWbrPK5AX4=
    DN: EMAILADDRESS=(my.hide.mail)@(my.domain), CN=1xx.1xx.10.199, OU=graylog, O=mycompanny, L=porto, ST=porto, C=pt
    subjectAltNames: []
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:290) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[graylog.jar:?]
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[graylog.jar:?]
	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100) ~[graylog.jar:?]
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at org.graylog2.rest.RemoteInterfaceProvider.lambda$get$0(RemoteInterfaceProvider.java:59) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) ~[graylog.jar:?]
	at okhttp3.RealCall.execute(RealCall.java:69) ~[graylog.jar:?]
	at retrofit2.OkHttpCall.execute(OkHttpCall.java:180) ~[graylog.jar:?]
	at org.graylog2.shared.rest.resources.ProxiedResource.lambda$getForAllNodes$0(ProxiedResource.java:76) ~[graylog.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

This happens when I try to use HTTPS on Graylog. I can log in and I can search, but I can’t initialize the inputs, and it returns that error.

I’m using the latest beta of Graylog, and the same issue happens in 2.2.3.
The certificates were generated with this tutorial: http://docs.graylog.org/en/2.2/pages/configuration/https.html

Best regards
PV

Is xxx.xxx.10.199 the Common Name (CN) you’ve been using in your certificates and did you add these certificates to the JVM trust store (if they were self-signed)?

@jochen, the xxx.xxx are censored numbers; this specific value is the SIEM server IP, and yes, I’ve added the certificate to the JVM trust store because they are self-signed.

Then I guess you’ve missed something in that process, because the JVM (or Java) is telling you that it cannot verify the certificate: javax.net.ssl.SSLPeerUnverifiedException

@jochen

I’ve used the following command to insert the certificate:

    $ ./keytool -importcert -keystore ../lib/secure/cacerts -storepass changeit -alias graylog -file /etc/graylog/cert.pem

and when I run the ./keytool command to list the trusted certificates, the alias graylog is there.

Not sure what ../lib/secure/cacerts is.

Please refer to http://docs.graylog.org/en/2.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store for information on how to add certificates to the JVM trust store and set the appropriate JVM parameters.
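
The exception in the question reports `subjectAltNames: []` for a connection made to an IP address. As an added example (not part of the thread and not Graylog or OkHttp code), this Python script parses that message format and checks the requested host against the listed SAN entries as RFC 2818 prescribes, where an IP address is matched only against SAN entries. The sample text, the address 192.0.2.199 and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the exception text in the question;
# 192.0.2.199 is a documentation address, not the poster's server.
SAMPLE = """javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.0.2.199 not verified:
    DN: CN=192.0.2.199, OU=graylog, O=example, C=pt
    subjectAltNames: []
"""

def parse_unverified(text):
    """Return (requested host, certificate CN or None, list of SAN entries)."""
    host = re.search(r"Hostname (\S+) not verified", text)
    cn = re.search(r"\bCN=([^,\n]+)", text)
    sans = re.search(r"subjectAltNames: \[(.*?)\]", text)
    if not (host and sans):
        raise ValueError("not a hostname-verification message")
    names = [s.strip() for s in sans.group(1).split(",") if s.strip()]
    return host.group(1), cn.group(1).strip() if cn else None, names

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def san_matches(host, sans):
    """Match the host against SAN entries only; the CN is never consulted."""
    if is_ip(host):
        want = ipaddress.ip_address(host)
        return any(is_ip(s) and ipaddress.ip_address(s) == want for s in sans)
    host = host.lower().rstrip(".")
    for s in sans:
        s = s.lower().rstrip(".")
        if s == host:
            return True
        # A wildcard covers exactly one left-most label.
        if s.startswith("*.") and "." in host and host.split(".", 1)[1] == s[2:]:
            return True
    return False

def diagnose(text):
    host, cn, sans = parse_unverified(text)
    if san_matches(host, sans):
        return "subjectAltNames already cover %s" % host
    kind = "IP" if is_ip(host) else "DNS"
    note = " (CN equals the host, but CN is not a SAN)" if cn == host else ""
    return "certificate has no %s subjectAltName for %s%s" % (kind, host, note)
```

Calling `diagnose()` on the text of an `SSLPeerUnverifiedException` shows whether the certificate needs to be reissued with a matching SAN entry, which is a separate question from whether it is in the trust store.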
