Self signed certificate disabling inputs from running


#1

Hello All,

I am trying to install a self-signed certificate for testing purposes only. I did so by following this section of the documentation: http://docs.graylog.org/en/2.2/pages/configuration/https.html

but when I use the certificate my inputs stop running.

Also this is the section in server.conf where I do the changes:

rest_enable_tls = True

# The X.509 certificate chain file in PEM format to use for securing the REST API.
rest_tls_cert_file = /etc/ssl/cert.pem

# The PKCS#8 private key file in PEM format to use for securing the REST API.
rest_tls_key_file = /etc/ssl/pkcs8-plain.pem

# The password to unlock the private key used for securing the REST API.
rest_tls_key_password =

web_enable_tls = True

# The X.509 certificate chain file in PEM format to use for securing the web interface.
web_tls_cert_file = /etc/ssl/cert.pem

# The PKCS#8 private key file in PEM format to use for securing the web interface.
web_tls_key_file = /etc/ssl/pkcs8-plain.pem

# The password to unlock the private key used for securing the web interface.
web_tls_key_password =

Any help in any direction would be much appreciated. Thanks in advance.


(GT) #2

What is in your Graylog log files?

http://docs.graylog.org/en/2.2/pages/configuration/file_location.html


#3


(Jan Doberstein) #4

Your hostname does not match the certificate (at least that is the error I can see …)


#5

I noticed that, but I am generating the certificate on that host, so I don’t know so far where the problem lies.


(Jochen) #6

“10.0.0.12” (what you’ve configured in the Graylog configuration file in rest_listen_uri or rest_transport_uri) is not the same as “geolad” (which is the Common Name/CN of the certificate you’ve created).


#7

Reproducing the problem:

  • I changed the CN to the IP I am using, which is: 10.0.1.30
  • Configured the server.conf as follows:

rest_listen_uri = http://0.0.0.0:9000/api/
rest_tls_cert_file = /etc/ssl/gray-cert/cert.pem
rest_tls_key_file = /etc/ssl/gray-cert/pkcs8-plain.pem
web_listen_uri = https://0.0.0.0:9000/
web_endpoint_uri = https://10.0.1.30:9000/api/
web_tls_cert_file = /etc/ssl/gray-cert/cert.pem
web_tls_key_file = /etc/ssl/gray-cert/pkcs8-plain.pem

  • Added the certificate to the Java store, checked that it is there, and added the following to JAVA_OPTS:

-Djavax.net.ssl.trustStore=/etc/ssl/cacerts/cacerts.jks"

Output in server.log:

Please tell me what to change in order to get it working.

Cheers


#8

I changed the following:
rest_listen_uri = http://10.0.1.30:9000/api/
rest_transport_uri = http://10.0.1.30:9000/
web_listen_uri = http://10.0.1.30:9000/
elasticsearch_discovery_zen_ping_unicast_hosts = 10.0.1.30:9300

Now I receive a different output:


#9

Thanks a lot Jochen, I had to use a DNS instead of an IP to get it working.


(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
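
Added example (not from the thread or from Graylog): the RFC 2818 name check that replies #4 and #6 describe, written in Python and applied to the host part of the URI settings in server.conf. The certificate is a constructed dict shaped like `ssl.SSLSocket.getpeercert()` output; the function names, the `https://` URIs and the skipping of `0.0.0.0` as a bind-only address are assumptions of the example.

```python
import ipaddress
from urllib.parse import urlsplit

URI_KEYS = ("rest_listen_uri", "rest_transport_uri", "web_listen_uri", "web_endpoint_uri")

def uri_hosts(conf_text):
    """Map each URI setting found in server.conf-style text to its host part."""
    hosts = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in URI_KEYS:
            hosts[key.strip()] = urlsplit(value.strip()).hostname
    return hosts

def _dns_match(host, pattern):
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    # Only a whole left-most label may be a wildcard.
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def cert_matches(host, cert):
    """RFC 2818 name check; cert is shaped like ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an iPAddress SAN entry, never the CN.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in san)
    names = [v for t, v in san if t == "DNS"]
    if not names:  # legacy CN fallback, used only when no dNSName SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(host, n) for n in names)

def mismatches(conf_text, cert):
    """Settings whose host a TLS client would fail to verify against cert."""
    # Assumption: 0.0.0.0 is a bind address, not a name clients connect to.
    return sorted(k for k, h in uri_hosts(conf_text).items()
                  if h and h != "0.0.0.0" and not cert_matches(h, cert))

def make_cert(cn, san=()):  # constructed stand-in for a parsed certificate
    return {"subject": ((("commonName", cn),),), "subjectAltName": tuple(san)}

# Constructed sample; the addresses and the CN are the ones quoted in the thread.
CONF = ("rest_transport_uri = https://10.0.0.12:9000/api/\n"
        "web_endpoint_uri = https://10.0.1.30:9000/api/\n")

if __name__ == "__main__":
    print(mismatches(CONF, make_cert("geolad")))     # CN is a host name
    print(mismatches(CONF, make_cert("10.0.1.30")))  # IP placed only in the CN
```

Under this rule an IP address in the URI verifies only against an iPAddress subjectAltName entry, so a certificate that carries the IP in its CN alone still fails, while a DNS name in the URI can match a dNSName entry or the CN.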