Secure Multi-node environment

azamat.uzhangaliyev · November 17, 2020, 11:01am

Hello. I’ve installed and configured a Graylog cluster (3 nodes) and I’m trying to configure HTTPS but I guess I’m doing something wrong. I have a wildcard.pfx certificate and I’m following the ‘Converting a PKCS #12 (PFX) file to private key and certificate pair’ procedure from Graylog documentation :

**$ openssl pkcs12 -in wildcard.pfx -nokeys -out graylog-certificate.pem**
**$ openssl pkcs12 -in wildcard.pfx -nocerts -out graylog-pkcs5.pem**
**$ openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem**

My config:

http_bind_address = 10.150.2.11:9000
http_publish_uri = https://10.150.2.11:9000/

http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/graylog-certificate.pem
http_tls_key_file = /etc/graylog/server/graylog-key.pem

Ive changed default JVM settings by adding -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit and imported the cert file into the keystore with the following command:

keytool -importcert -keystore /etc/graylog/server/cacerts.jks -storepass changeit -alias gl01.xxxxx.com -file /etc/graylog/server/graylog-certificate.pem

However, I’m always getting the same error:

2020-11-17T11:56:11.234+01:00 ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /etc/graylog/server/graylog-key.pem

I also tried with graylog:graylog but still getting the same error:

root@GL01:/etc/graylog/server# ls -l
total 68
lrwxrwxrwx 1 root root    27 Oct 22 16:49 cacerts.jks -> /etc/ssl/certs/java/cacerts
-rw------- 1 root root  2681 Nov 17 09:41 graylog-certificate.pem
-rw------- 1 root root  1874 Nov 17 09:42 graylog-key.pem

Are there any incompatibilities with GoDaddy Wildcard certificates?
Can somebody point me in the right direction?

Thanks

azamat.uzhangaliyev · November 18, 2020, 11:14am

I’ve managed to solve the issue. I think documentation isn’t clear about enabling HTTPS using windows .pfx certificates.

1 step.Convert certs into the following format:

openssl pkcs12 -in WILDCARD.pfx -clcerts -nokeys -out graylog.cer
openssl pkcs12 -in WILDCARD.pfx -nocerts -nodes -out graylog.key

2 step. Change the Graylog configuration

http_publish_uri = https://gl.domain.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/ graylog.cer
http_tls_key_file = /etc/graylog/server/graylog.key
#http_tls_key_password = secret

3 step: Copy Java Keystore to any folder:

cp -a /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/cacerts.jks

4 step. Add this to JVM settings in /etc/default/graylog-server

-Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit

5 step. Import certificate into the Keystore

keytool -importcert -keystore /etc/graylog/server/cacerts.jks -storepass changeit -alias gl.domain.com -file /etc/graylog/server/graylog.cer

restart Graylog services and boom:

system · December 2, 2020, 11:14am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 3.0.2 https Graylog Central (peer support) sidecar	11	4352	September 2, 2019
Just another user struggling with HTTPS Graylog Central (peer support)	4	34	September 12, 2024
Graylog 3.2 HTTPS private key issue Graylog Central (peer support)	4	2167	May 29, 2020
Graylog SSL Certificates Graylog Central (peer support)	5	8184	January 3, 2019
Graylog https access issue Graylog Central (peer support) sidecar , nxlog , nodatanx	22	2646	March 30, 2018

Secure Multi-node environment

Related topics