That’s life… Sometimes things are not going as planned haha
No problem, I won’t have time to work on this this afternoon so tomorrow is okay for me.
I commented out the line, and tried putting the password between quotes before commenting it out, but none of this worked out for me.
File named openssl-graylog.cnf with the following content.
```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = iowa
L = cedar rapids
O = enseva
OU = admin
CN = graylog.domain.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.1.100
DNS.1 = graylog.domain.com
```
To ensure the JVM picks up the trust store, it has to be started with the JVM parameter, and Graylog has to have access to the keystore and the certificates. I used the default keystore “cacerts”.
If the keystore has a password, you may need this config
Hello @gmorin, @gsmith,
The exception about unsigned classes is kind of interesting (I missed that completely…), but would indicate some of the Graylog classes would be unsigned. If so, I guess we all should have run into that problem. (Well, theoretically; unfortunately, practice and theory do not always match.)
Right now, I suspect there is something wrong with the certificate, because, after comparing @gsmith’s and my own notes, it really seems the setup should be clean by now.
I finally managed to get HTTPS working the official way!
I think it was a Java-related issue, due to my Java 17 installation on Debian 10.
I know that Debian 11 is not officially supported by Graylog for now, but that’s the way I went. I created a new server this weekend and reinstalled Graylog from scratch. Thanks to Debian 11, I now have access to OpenJDK 17. I reused the cert files I made, following the tutorial and your tips, and it now works.
Many thanks!!
Next step is to reimport the previous server configuration (pipelines, streams and inputs). Is there any way to export/reimport it, or do I have to do it by hand? (not a big deal if not ^^)
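A pre-flight check for the openssl-graylog.cnf posted earlier in the thread, as an added example that is not part of the original posts or of Graylog's tooling: it confirms the file parses, that the sections it references exist, that the CN is also listed as a SAN DNS entry, and that IP entries are valid. The function name `lint_cnf` and the sample text (built from the values in the thread) are assumptions made for illustration.

```python
import configparser
import ipaddress

# Constructed sample: values from the thread, with the section headers in place.
SAMPLE_CNF = """\
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[req_distinguished_name]
CN = graylog.domain.com
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.100
DNS.1 = graylog.domain.com
"""


def lint_cnf(text):
    """Return a list of problems in an OpenSSL req config (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: CN, IP.1, DNS.1
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # e.g. keys before any [section] header
        return [f"unparseable: {type(exc).__name__}"]
    req = cp["req"] if cp.has_section("req") else {}
    dn, ext = req.get("distinguished_name", ""), req.get("x509_extensions", "")
    missing = [f"missing section [{s}]" for s in ("req", dn, ext) if not cp.has_section(s)]
    if missing:
        return missing
    problems = []
    if "serverAuth" not in cp[ext].get("extendedKeyUsage", ""):
        problems.append("extendedKeyUsage lacks serverAuth")
    san = cp[ext].get("subjectAltName", "").lstrip("@")
    if not cp.has_section(san):
        return problems + ["subjectAltName does not point at a section"]
    for key, value in cp[san].items():
        if key.startswith("IP."):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{key} is not an IP address: {value}")
    # TLS clients match the host name against the SAN list, so the CN must be in it.
    dns_names = [v for k, v in cp[san].items() if k.startswith("DNS.")]
    if cp[dn].get("CN", "") not in dns_names:
        problems.append("CN is not listed as a DNS.n entry")
    return problems
```

Running `lint_cnf(open("openssl-graylog.cnf").read())` before generating the certificate catches a file whose `[req]`, `[v3_req]` or `[alt_names]` headers were lost in copy and paste.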