SSL Issues ProxiedResource Unable to call Hostname not verified

gsmith · November 30, 2021, 3:25am

Tg9DCnHB3azWmpJ7b:

2021-11-29T15:51:19.906Z WARN  [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/inputstates on node <xxxx-xxxx-xxxx-xxxx-xxxx>: Hostname xxx.xxx.xxx.xxx not verified:
    certificate: sha256/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    DN: CN=*.example.com
    subjectAltNames: [*.example.com, example.com]

Hello && Welcome
The above error can be a couple things. Since your able to log on the Graylog Web UI. Here is a list to check for your GELF TCP/TLS input.

TLS cert file make sure Graylog has access to this cert
/etc/graylog/graylog3-certificate.pem
TLS private key file make sure Graylog has access to this cert
. /etc/graylog/graylog3-key.pem
If you’re using a TLS key password, make sure it’s set in the Graylog server.conf file also
Secret

Make sure your Keystore in accessible to Graylog
Make sure your DNS server has a PTR (Reverse Lookup)for your Graylog server or what you used for the domain.
Make sure you have the following. NOTE: IP Address is preferred in the certs that point to your Graylog server etc…

subjectAltName = @alt_names
# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 203.0.113.42
DNS.1 = graylog.example.com

More can be found here
https://docs.graylog.org/v1/docs/https
Sometime Windows have a problem running wild card certs we’ve have experienced this in the past and ended up not using them. Sometimes we were luck and had no problems.

Hope that helps

EDIT: I probably should have shown my setup for better clarity

http_bind_address = graylog.domain.com:9000
http_publish_uri = https://domain.com:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog-certificate.pem <-- Graylog owns this directory an  has access
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog-key.pem <-- Graylog owns this directory an  has access
http_tls_key_password = secret

If your not using the default JAVA keystore then the following will apply to you.

In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks. If you’ve been using another password to encrypt the JVM trust store than the default changeit, you additionally have to set the JVM parameter -Djavax.net.ssl.trustStorePassword=secret

Topic		Replies	Views
After SSL - Hostname not verified Graylog Central (peer support)	13	6786	March 24, 2021
Issues with reverse DNS and picky certs Graylog Central (peer support)	2	1059	August 21, 2018
Issue with Docker and SSL Graylog Central (peer support)	2	3018	August 14, 2018
[PROBLEM] Ussing HTTPS Graylog Central (peer support)	6	1214	July 14, 2017
Best aproach for SSL in graylog Graylog Central (peer support)	17	3196	October 2, 2019

SSL Issues ProxiedResource Unable to call Hostname not verified

Related topics