That’s life… Sometimes things are not going as planned haha
No problem, I won’t have time to work on this this afternoon so tomorrow is okay for me.
I commented the line, and tried putting the password between quotes before commenting but none of this worked out for me.
Hello,
Sorry to see you're still having trouble. I went through my personal documentation for issues with Graylog self-signed certificates. A couple of issues I was able to fix were these.
File named openssl-graylog.cnf with the following content.
```
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = iowa
L = cedar rapids
O = enseva
OU = admin
CN = graylog.domain.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.1.100
DNS.1 = graylog.domain.com
```
To ensure the JVM picks up the trust store, it has to be started with the JVM parameter, and Graylog has to have access to the keystore and the certificates. I used the default keystore “cacerts”.
```
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks
```
If the keystore has a password you may need this config
The resulting PKCS#8 private key (graylog-key.pem) and the X.509 certificate (graylog-certificate.pem) can now be used to enable encrypted connections which will be used on the Input with TCP/TLS.
The certificate that will be installed in the keystore is the one that is created below.
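The steps this post refers to (create the certificate from openssl-graylog.cnf, convert the key to PKCS#8, check the names, import into the trust store), as an added example that is not part of the original post. The function names, the temporary file name, the 365-day validity and the alias graylog-self-signed are assumptions; the openssl and keytool CLIs must be installed.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# Create a self-signed certificate and an unencrypted PKCS#8 key.
#   $1 = path to openssl-graylog.cnf   $2 = output directory
make_graylog_cert() {
    cnf=$1; out=$2
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$cnf" \
        -keyout "$out/key-tmp.pem" \
        -out "$out/graylog-certificate.pem" 2>/dev/null || return 1
    # Graylog expects the private key in PKCS#8 format.
    openssl pkcs8 -in "$out/key-tmp.pem" -topk8 -nocrypt \
        -out "$out/graylog-key.pem" || return 1
    rm -f "$out/key-tmp.pem"
    chmod 600 "$out/graylog-key.pem"   # private key: owner-only access
}

# Succeed only if the certificate carries exactly this SAN entry.
#   $1 = certificate   $2 = entry as openssl prints it,
#        e.g. "DNS:graylog.domain.com" or "IP Address:192.168.1.100"
# Clients verify the host name against the SAN list, so a URL or IP
# missing here fails the TLS handshake even if the cert is trusted.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' \
        | grep -qxF "$2"
}

# Import the certificate into the trust store named by
# -Djavax.net.ssl.trustStore.
#   $1 = certificate   $2 = trust store   $3 = store password
#        (defaults to "changeit", the stock cacerts password)
import_into_truststore() {
    keytool -importcert -noprompt \
        -keystore "$2" -storepass "${3:-changeit}" \
        -alias graylog-self-signed -file "$1"
}

# Usage, with openssl-graylog.cnf in the current directory:
#   make_graylog_cert openssl-graylog.cnf . &&
#   cert_has_san graylog-certificate.pem "DNS:graylog.domain.com" &&
#   import_into_truststore graylog-certificate.pem /path/to/cacerts.jks
```

If `cert_has_san` fails for the name or IP used in the Graylog URI settings, fix the `[alt_names]` section and regenerate before touching the keystore.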
Hello @gmorin, @gsmith,
the exception about unsigned classes is kind of interesting (I missed that completely…), but would indicate some of the Graylog classes would be unsigned. If so, I guess we all should have run into that problem. (Well, theoretically; unfortunately, practice and theory do not always match.)
Right now, I suspect there is something wrong with the certificate, because - after comparing @gsmith's and my own notes - it really seems the setup should be clean by now.
I finally managed to get HTTPS working the official way!
I think it was a Java-related issue, due to my Java 17 installation on Debian 10.
I know that Debian 11 is not officially supported by Graylog for now, but that’s the way I went. I created a new server this weekend and reinstalled Graylog from scratch. Thanks to Debian 11, I now have access to OpenJDK 17. I reused the cert files I made, following the tutorial and your tips, and it now works.
Many thanks!!
Next step is to reimport the previous server configuration (pipelines, streams and inputs). Is there any way to export/reimport it, or do I have to do it by hand? (not a big deal if not ^^)
Hey, this is great news!
Nice to hear it is running now; about the export I’m afraid I can’t help - I know it is possible to export extractors as JSON files, but have no idea about the rest.