Remote checks have failed too many times

Graylog Central (peer support)
1

Hi all,

I’ve installed 3 node graylog cluster and activated a free graylog enterprise license.
I’m getting the following “violations detected” error:

Remote checks have failed too many times

Inspecting the /var/log/graylog-server/server.log I’ve found the following warning:
[LicenseReportPeriodical] Unable to connect to license server: the trustAnchors parameter must be non-empty

[LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures…

Debian GNU/Linux 9.13 (stretch)

openjdk version “11.0.6” 2020-01-14
OpenJDK Runtime Environment (build 11.0.6+10-post-Debian-1bpo91)
OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Debian-1bpo91, mixed mode, sharing)

graylog version is 3.3.8+e223f85, codename Sloth Rocket

many thanks in advance for your help

2

If you use Enterprise licence graylog periodically connect to api to check, if you don’t violate license.

  1. Check if https://api.graylog.com URL is accessible from graylog box (code 200):
    curl -SI https://api.graylog.com
  1. Check your java trust store, if you changed default path. If you replaced java trust store with own, check, it it also contains root CA, that uses graylog api URL (Sectigo -> USERTrust RSA Certification Authority)
2 Likes
3

hi,

the api URL is accessible

curl -SI https://api.graylog.com

HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
Content-Type: text/plain
Content-Length: 133
Via: 1.1 vegur

This is a fresh installation and I have not changed the default path.
How can I better investigate this issue?

4

does your system need to use a proxy to connect to the internet?

5

Hi Jan,

the system use no proxy to connect to the internet.

6

copying the cacerts from a working server I’ve solved the issue.

/etc/ssl/certs/java/cacerts

I would still like to understand what happened,
anyone have an idea about it?

7

Hello all,

I had the same issue.
To solve it:

  • replace the java trust store by the one backuped before adding personnal certificate
  • restart Graylog
  • license check was ok
  • change again the java trust store by the one containing personal certificate (to avoid an error I had to access to /api/api-browser)
  • restart Graylog
  • license check was still ok

I hope now that license check will be always ok.
If it is the case, that is meaning that the issue occurs only for the first attempts to reach api.graylog.com

Hope this helps.

1 Like
8

you have created an empty trust store when you have added your local self signed certifcate that was added to the Graylog startup parameters.

With this empty truststore Graylog was not able to verify certificates

9

Is there any version of this product that doesn’t have to constantly phone home to check the license? We are in air-gapped environments. None of the machines can get to the internet on purpose. Is there a way to use this product in such an environment? Please let me know.

10

If you don’t use the free enterprise license / features then you don’t have to worry about the license checks. Just remove the enterprise plugins and free enterprise license. Otherwise my understanding is there is a paid enterprise license option that can accommodate air gapped environments.

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.