triscint
(Christian Steinkopf)
February 13, 2018, 4:54pm
1
Hello,
I am new to this forum and I am not an expert in graylog or linux so forgive me if this problem is basic stuff.
Following documentation: http://docs.graylog.org/en/2.4/pages/configuration/https.html to enable https on graylog web interface I run into problems when running the command below.
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
139860564162200:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
I am creating the certificates before enabling tls through the server config file. I hope this is the right order of things.
Any help welcome
-triscint
jochen
(Jochen)
February 13, 2018, 5:54pm
2
Is this the complete output of the given OpenSSL command?
Are you sure that there is no passphrase set for the PKCS12 key store (the PFX file)?
Other than that, I can only refer you to Google:
https://www.google.de/search?q=openssl+pkcs12+“ASN1_get_object%3Aheader+too+long”
triscint
(Christian Steinkopf)
February 13, 2018, 8:18pm
3
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
139974431352472:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
root@ubuntu-graylog:/etc/graylog/server#
That is the full output of the command. I got to this point just by copy and pasting most commands in the referenced configuration. Did I screw up a possible command before this one that would lead me to this point?
triscint
(Christian Steinkopf)
February 13, 2018, 8:23pm
4
root@ubuntu-graylog:/etc/graylog/server# openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
Generating a 2048 bit RSA private key
..+++
..........+++
writing new private key to 'pkcs5-plain.pem'
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
Error opening input file keystore.pfx
keystore.pfx: No such file or directory
root@ubuntu-graylog:/etc/graylog/server# touch keystore.pfx
root@ubuntu-graylog:/etc/graylog/server# ls
cert.pem log4j2.xml openssl-graylog.cnf pkcs8-encrypted.pem server.conf
keystore.pfx node-id pkcs5-plain.pem pkcs8-plain.pem
root@ubuntu-graylog:/etc/graylog/server# openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
139860564162200:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
Is the problem with -passout pass:secret:
Was that supposed to be an actual password that I configure?
jochen
(Jochen)
February 14, 2018, 8:25am
5
You’re mixing up a few things. If you don’t have an existing PKCS#12 key store (PFX file) from which you want to export a private key and certificate for Graylog, you don’t have to run these commands.
An empty file (touch keystore.pfx) isn’t a valid PKCS#12 key store.
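An added example, not part of the original thread or the Graylog documentation: a pre-flight check that tells an empty or PEM file apart from something that at least starts like a DER-encoded PKCS#12 key store before the documented export command is run. The function names `classify_keystore` and `export_certificate` are hypothetical, and the first-byte test is only a plausibility check, not full validation.

```shell
#!/bin/sh
# Added example; classify_keystore and export_certificate are hypothetical names.

# Print one of: missing | empty | pem | not-der | der-sequence
classify_keystore() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # Zero bytes: exactly what `touch keystore.pfx` creates.
    [ -s "$f" ] || { echo empty; return 0; }
    # PEM files are text starting with "-----BEGIN"; a PFX is binary DER.
    start=$(head -c 10 "$f" | tr -d '\0')
    if [ "x$start" = "x-----BEGIN" ]; then echo pem; return 0; fi
    # A PKCS#12 PFX is an ASN.1 SEQUENCE, so its first DER byte is 0x30.
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der-sequence; else echo not-der; fi
}

# Run the export command from the thread only when the input passes the check.
export_certificate() {
    kind=$(classify_keystore "$1")
    if [ "$kind" != "der-sequence" ]; then
        echo "refusing: $1 is '$kind', not a PKCS#12 key store" >&2
        return 1
    fi
    openssl pkcs12 -in "$1" -nokeys -out "$2"
}

# Demo on a constructed empty file, the state `touch keystore.pfx` leaves behind.
tmp=$(mktemp -d)
: > "$tmp/keystore.pfx"
echo "keystore.pfx: $(classify_keystore "$tmp/keystore.pfx")"
rm -rf "$tmp"
```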
triscint
(Christian Steinkopf)
February 14, 2018, 2:27pm
6
Okay. I see through context clues now that should have been obvious. That is what I get for just going down the page and copying commands into putty. Just double checking, besides creating a self-signed certificate and then enabling the appropriate server.conf settings are there any other steps I need to take to get https to work? Not including optional steps like disabling certain algorithms.
jochen
(Jochen)
February 14, 2018, 2:56pm
7
You’ll have to add your custom certificates to the JVM trust store as described in the HTTPS chapter of the Graylog documentation.