Secure Multi-node environment

Hello. I’ve installed and configured a Graylog cluster (3 nodes) and I’m trying to configure HTTPS but I guess I’m doing something wrong. I have a wildcard.pfx certificate and I’m following the ‘Converting a PKCS #12 (PFX) file to private key and certificate pair’ procedure from the Graylog documentation:

$ openssl pkcs12 -in wildcard.pfx -nokeys -out graylog-certificate.pem
$ openssl pkcs12 -in wildcard.pfx -nocerts -out graylog-pkcs5.pem
$ openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem

My config:

http_bind_address = 10.150.2.11:9000
http_publish_uri = https://10.150.2.11:9000/

http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/graylog-certificate.pem
http_tls_key_file = /etc/graylog/server/graylog-key.pem

I've changed the default JVM settings by adding -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit and imported the cert file into the keystore with the following command:

keytool -importcert -keystore /etc/graylog/server/cacerts.jks -storepass changeit -alias gl01.xxxxx.com -file /etc/graylog/server/graylog-certificate.pem

However, I’m always getting the same error:

2020-11-17T11:56:11.234+01:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/graylog/server/graylog-key.pem

I also tried with graylog:graylog but I'm still getting the same error:

root@GL01:/etc/graylog/server# ls -l
total 68
lrwxrwxrwx 1 root root    27 Oct 22 16:49 cacerts.jks -> /etc/ssl/certs/java/cacerts
-rw------- 1 root root  2681 Nov 17 09:41 graylog-certificate.pem
-rw------- 1 root root  1874 Nov 17 09:42 graylog-key.pem

Are there any incompatibilities with GoDaddy Wildcard certificates?
Can somebody point me in the right direction?

Thanks

I’ve managed to solve the issue. I think the documentation isn’t clear about enabling HTTPS using Windows .pfx certificates.

Step 1. Convert the certs into the following format:

openssl pkcs12 -in WILDCARD.pfx -clcerts -nokeys -out graylog.cer
openssl pkcs12 -in WILDCARD.pfx -nocerts -nodes -out graylog.key

Step 2. Change the Graylog configuration:

http_publish_uri = https://gl.domain.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/graylog.cer
http_tls_key_file = /etc/graylog/server/graylog.key
#http_tls_key_password = secret

Step 3. Copy the Java keystore to any folder:

cp -a /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/cacerts.jks

Step 4. Add this to the JVM settings in /etc/default/graylog-server:

-Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit

Step 5. Import the certificate into the keystore:

keytool -importcert -keystore /etc/graylog/server/cacerts.jks -storepass changeit -alias gl.domain.com -file /etc/graylog/server/graylog.cer

Restart the Graylog services and boom.
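A preflight script for the five steps above, added here as an example and not taken from the thread or from the Graylog project. The startup error in the question ("Unreadable or missing HTTP private key") can come from several causes that look identical in the log: a key file the service user cannot open (root-owned, mode 0600), a key in a form the server cannot use without a password (the first command set omits `-nocrypt`/`-nodes`, the working set uses `-nodes`), or a certificate/key pair that does not belong together. The script classifies the PEM key by its header, checks that the file is readable by the service user, verifies that the certificate's public key matches the key, and optionally confirms the alias was imported into the trust store. It assumes the Graylog process runs as the local user `graylog` (override with `GRAYLOG_USER`), that `openssl` and `keytool` are on `PATH` for the optional checks, and that the trust-store password is `changeit` as in the thread (override with `TRUSTSTORE_PASS`); the function names are my own.

```shell
#!/bin/sh
# Preflight check for Graylog http_tls_cert_file / http_tls_key_file.
# Added example, not the thread's or Graylog's own code. Assumed: the service
# runs as $GRAYLOG_USER; openssl/keytool are only needed for the optional checks.

GRAYLOG_USER="${GRAYLOG_USER:-graylog}"

# Classify a PEM private key by its header lines. Prints one of:
#   pkcs8-encrypted  "BEGIN ENCRYPTED PRIVATE KEY" (needs http_tls_key_password)
#   pkcs8-plain      "BEGIN PRIVATE KEY"
#   pkcs1-encrypted  "BEGIN RSA PRIVATE KEY" plus "Proc-Type: 4,ENCRYPTED"
#   pkcs1-plain      "BEGIN RSA/EC PRIVATE KEY" without a Proc-Type line
#   unknown          missing, unreadable, or not a PEM private key at all
key_kind() {
    f="$1"
    if [ ! -r "$f" ]; then echo unknown
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then echo pkcs8-encrypted
    elif grep -q 'BEGIN PRIVATE KEY' "$f"; then echo pkcs8-plain
    elif grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then echo pkcs1-encrypted
    elif grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$f"; then echo pkcs1-plain
    else echo unknown
    fi
}

# Is the key form consistent with the config? $1 = kind, $2 = yes|no for
# whether http_tls_key_password is set. An encrypted key needs the password,
# a plain key needs none, and "unknown" always fails.
key_config_ok() {
    case "$1" in
        pkcs8-encrypted|pkcs1-encrypted) [ "$2" = yes ] ;;
        pkcs8-plain|pkcs1-plain) true ;;
        *) false ;;
    esac
}

# Can the service user open the file? Switching users needs root and an
# existing account; otherwise fall back to the current user's view.
readable_by_user() {
    if [ "$(id -u)" = 0 ] && id "$GRAYLOG_USER" >/dev/null 2>&1; then
        su -s /bin/sh "$GRAYLOG_USER" -c "test -r '$1'"
    else
        test -r "$1"
    fi
}

# Do certificate and key belong together? Compares the two public keys.
# $3 is the key password (empty string for a plain key).
keypair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin "pass:$3" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Was the alias imported into the JVM trust store (steps 3 to 5 above)?
cert_in_truststore() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: sh gl-tls-check.sh CERT KEY [KEY_PASSWORD] [TRUSTSTORE ALIAS]
preflight() {
    cert="$1"; key="$2"; pw="${3:-}"; rc=0
    kind=$(key_kind "$key")
    echo "key format: $kind"
    if [ -n "$pw" ]; then pwset=yes; else pwset=no; fi
    if ! key_config_ok "$kind" "$pwset"; then
        echo "FAIL: key is '$kind' with http_tls_key_password set=$pwset"; rc=1
    fi
    for f in "$cert" "$key"; do
        readable_by_user "$f" || { echo "FAIL: $f not readable by $GRAYLOG_USER: $(ls -l "$f" 2>&1)"; rc=1; }
    done
    if command -v openssl >/dev/null 2>&1; then
        if keypair_matches "$cert" "$key" "$pw"; then echo "ok: certificate and key match"
        else echo "FAIL: certificate and key do not match"; rc=1; fi
    fi
    if [ -n "${4:-}" ] && command -v keytool >/dev/null 2>&1; then
        if cert_in_truststore "$4" "${TRUSTSTORE_PASS:-changeit}" "$5"; then echo "ok: alias $5 present in $4"
        else echo "WARN: alias $5 not found in $4"; fi
    fi
    return $rc
}

if [ $# -ge 2 ]; then preflight "$@"; fi
```

Run it as root on each node after the files are in place, for instance `sh gl-tls-check.sh /etc/graylog/server/graylog.cer /etc/graylog/server/graylog.key "" /etc/graylog/server/cacerts.jks gl.domain.com`; a non-zero exit means Graylog would most likely refuse the configuration too, and the printed line says which of the three causes applies.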
