Hello,
I might have to agree with you, hence why I was asking those questions; I was trying to narrow it down.
Fortunately I’m spoiled at my work and I have a large amount of resources for my needs. AD, DNS, etc… within my lab. The best I can do is show you my Lab-Graylog setup.
graylog_config
http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog-key.pem
http_tls_key_password = secret
Hosts_file
[root@graylog graylog_user]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
20.20.20.20 graylog.domain.com
hostname
[root@graylog graylog_user]# hostname
graylog.domain.com
[root@graylog graylog_user]#
I had to dig through my documents on this and it stated “Make sure I have Reverse DNS lookup in my DNS server”
Just to make sure, did you double check your keystore to make sure Graylog has access?
root# ls -l /etc/graylog/server/certificates/cacerts.jks
I dug up my old post from version 2.0. Even though the server.conf file has changed, maybe there is something in there that may help you. But I believe the error is the same.
Hope that helps
EDIT: I forgot to ask you, did you check your certs in the keystore?
keytool -list -v -keystore keystore.jks -alias graylog.example.com
Here is an example of my old one. Notice my SubjectAlternativeName.
Cert_info
[root@graylog graylog]# keytool -list -v -keystore graylog_keystore.jks -alias graylog.domain.com
Enter keystore password: secret
Alias name: graylog.domain.com
Creation date: Sep 24, 2021
Entry type: trustedCertEntry
Owner: CN=graylog.domain.com, OU=admin, O=labs, L=cedar rapids, ST=iowa, C=us
Issuer: CN=graylog.domain.com, OU=admin, O=labs, L=cedar rapids, ST=iowa, C=us
Serial number: a7960790f745f617
Valid from: Wed Dec 16 16:52:41 CST 2020 until: Sat Dec 16 16:52:41 CST 2023
Certificate fingerprints:
SHA1: 22:30:C4:D3:56:3C:7C:4D:7A:82:3F:36:AF:A2:6C:29:29:3C:C1:C5
SHA256: FD:34:CC:DD:AC:7A:83:3D:11:70:FC:8C:E6:30:43:1B:4A:59:48:FC:B1:A1:0A:E8:0B:72:79:40:1E:CA:C5:91
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0A C6 A4 E7 29 38 B7 1A 67 13 33 5D 9E 61 81 2B ....)8..g.3].a.+
0010: 42 8E B5 D2 B...
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: graylog.domain.com
IPAddress: 20.20.20.20
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0A C6 A4 E7 29 38 B7 1A 67 13 33 5D 9E 61 81 2B ....)8..g.3].a.+
0010: 42 8E B5 D2 B...
]
]
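Added example, not code from the original post or from Graylog: a small stdlib-only Python check that applies the same sanity checks walked through above to a server.conf and a hosts file, namely that the http_bind_address host equals the system hostname, that the http_publish_uri host matches the bind host, that the hosts file has an entry for it, and that the TLS cert and key paths are readable by the user running the check (run it as the graylog user). The sample inputs are constructed copies of the config and hosts snippets quoted in the post.

```python
import os
from urllib.parse import urlsplit
# Constructed samples mirroring the config and hosts file quoted above.
SAMPLE_CONF = """\
http_bind_address = graylog.domain.com:9000
http_publish_uri = https://graylog.domain:9000/
http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog-key.pem
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n20.20.20.20 graylog.domain.com\n"

def parse_conf(text):
    """Parse 'key = value' lines of server.conf into a dict (comments ignored)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def hosts_for(text, name):
    """Return the addresses that an /etc/hosts file maps the hostname to."""
    addrs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name in fields[1:]:
            addrs.append(fields[0])
    return addrs

def check(conf, hosts_text, hostname):
    """Return findings as strings; an empty list means the settings agree."""
    findings = []
    bind_host = conf.get("http_bind_address", "").rsplit(":", 1)[0]
    publish_host = urlsplit(conf.get("http_publish_uri", "")).hostname or ""
    if bind_host != hostname:
        findings.append(f"bind host {bind_host!r} differs from hostname {hostname!r}")
    if publish_host != bind_host:
        findings.append(f"http_publish_uri host {publish_host!r} differs from bind host")
    if not hosts_for(hosts_text, bind_host):
        findings.append(f"{bind_host!r} has no /etc/hosts entry")
    if conf.get("http_enable_tls") == "true":
        for key in ("http_tls_cert_file", "http_tls_key_file"):
            path = conf.get(key, "")
            if not os.access(path, os.R_OK):  # must be readable by the graylog user
                findings.append(f"{key} {path!r} is missing or unreadable")
    return findings
```

On the sample above it reports that the http_publish_uri host (graylog.domain) does not match the bind host (graylog.domain.com), which is the kind of mismatch worth ruling out before digging into the keystore.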