Setting up HTTPS for ui using self-signed cert

I am using the following doc to set up HTTPS: http://docs.graylog.org/en/2.4/pages/configuration/https.html#ssl-setup. I am a Graylog newb and a newb at adding HTTPS to Java apps, which is likely the cause of my confusion.

I have the Graylog 2.5 operating system package running on an Ubuntu 16.04 server (single-node setup).

I have made the following changes to server.conf:

rest_enable_tls = true
web_enable_tls = true

And also added the following, with the appropriate values:

web_listen_uri = https://domain.com:9000/
rest_listen_uri = https://domain.com:9000/api
web_tls_key_password = *****
web_tls_cert_file = /path/cert.pem
web_tls_key_file = /path/pkcs8-encrypted.pem

I added the self-signed cert to the JVM trust store. These two directions at the end of the doc are not clear, I don’t know what I am supposed to do:

"In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks"

“Most start and init scripts for Graylog provide a JAVA_OPTS variable which can be used to pass the javax.net.ssl.trustStore and (optionally) javax.net.ssl.trustStorePassword system properties.”

I tried restarting the graylog service after making the above changes, but HTTPS requests to the URL return the following:
“This site can’t be reached
domain.com refused to connect.”

If you look in the documentation for 2.5 ( http://docs.graylog.org/en/2.5/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store ), the following note is given:

The default location to change the JVM parameter depends on your installation type and is documented with all other default locations.

This will redirect to http://docs.graylog.org/en/2.5/pages/configuration/file_location.html#default-file-location

You wrote that you use Ubuntu and the OS package installation, so the section you need to look at is http://docs.graylog.org/en/2.5/pages/configuration/file_location.html#graylog

That section displays the following: JVM settings /etc/default/graylog-server

The JVM parameter needs to be adjusted in the above location.

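A preflight check for the settings quoted in the question and the /etc/default/graylog-server location named in this reply, added here as an example and not Graylog's own tooling: it parses the server.conf keys and the JAVA_OPTS line, then reports listen URIs that are not https, cert/key/trust-store paths that do not exist, and a missing -Djavax.net.ssl.trustStore. The sample file contents and paths are constructed placeholders, and the `present` set stands in for the filesystem so the check runs offline.

```python
import re
from urllib.parse import urlsplit

def parse_kv(text):
    # server.conf style "key = value" lines; blanks and # comments are skipped
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def jvm_props(defaults_text):
    # -Dname=value properties from the JAVA_OPTS / GRAYLOG_SERVER_JAVA_OPTS line
    props = {}
    for line in defaults_text.splitlines():
        m = re.match(r"\s*(?:GRAYLOG_SERVER_)?JAVA_OPTS=(.*)", line)
        for tok in (m.group(1).strip().strip("\"'").split() if m else []):
            if tok.startswith("-D") and "=" in tok:
                name, _, value = tok[2:].partition("=")
                props[name] = value
    return props

def check_tls(server_conf, defaults_text, present):
    # returns a list of problems (empty = consistent); `present` is the set of paths on disk
    conf, problems = parse_kv(server_conf), []
    for side in ("web", "rest"):
        uri = conf.get(f"{side}_listen_uri", "")
        if conf.get(f"{side}_enable_tls") == "true" and urlsplit(uri).scheme != "https":
            problems.append(f"{side}_listen_uri must be https:// when {side}_enable_tls = true")
        for opt in (f"{side}_tls_cert_file", f"{side}_tls_key_file"):
            path = conf.get(opt)
            if path and path not in present:
                problems.append(f"{opt} points at a missing file: {path}")
    store = jvm_props(defaults_text).get("javax.net.ssl.trustStore")
    if store is None:
        problems.append("JAVA_OPTS does not pass -Djavax.net.ssl.trustStore=...")
    elif store not in present:
        problems.append(f"trust store not found: {store}")
    return problems

SERVER_CONF = """rest_enable_tls = true
web_enable_tls = true
web_listen_uri = https://domain.com:9000/
rest_listen_uri = https://domain.com:9000/api
web_tls_cert_file = /path/cert.pem
web_tls_key_file = /path/pkcs8-encrypted.pem
"""  # constructed sample mirroring the thread's settings; paths are placeholders
DEFAULTS_BEFORE = 'GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g"\n'
DEFAULTS_AFTER = DEFAULTS_BEFORE.replace('"\n', ' -Djavax.net.ssl.trustStore=/path/cacerts.jks"\n')
ON_DISK = {"/path/cert.pem", "/path/pkcs8-encrypted.pem", "/path/cacerts.jks"}
```

`check_tls(SERVER_CONF, DEFAULTS_BEFORE, ON_DISK)` reports only the missing trust-store property; with `DEFAULTS_AFTER` it returns an empty list.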

That message seems to be unrelated to certificates. It is telling you that either you have entered the wrong URL, or your server isn’t even running. Of course, the server could refuse to start if it can’t read the cert files you’re pointing it towards :wink:

Also, adding the self-signed certificate to the JVM trust store should not affect the startup of the web interface itself. However, each system or application connecting to the Graylog server (like Sidecar Collectors and other Graylog cluster nodes) will in fact need to have the self-signed cert trusted.

Mind you, this means that if you have a Graylog cluster of 1 master and 2 slave systems, you will need to ensure that each of these three hosts trusts all three self-signed certificates. And worse, if your Sidecar collectors will be talking to each of these three hosts, then you will also need to add the certs to their trust stores.

Self-signed certs are a quick way to heck, as far as I’m concerned. If this is a quick test environment, by all means disable certificate validation. But if this is for production use, I would seriously recommend adding official certificates!
