Struggling with HTTPS & SSL

That’s life… Sometimes things are not going as planned haha :upside_down_face:

No problem, I won’t have time to work on this this afternoon so tomorrow is okay for me.
I commented the line, and tried putting the password between quotes before commenting but none of this worked out for me.

Hello,
Sorry to see your still having troubles. I went through my personal documentation for issues with Graylog Self-signed certificates. Couple issues I was able to fix was this.

[v3_req]
keyUsage = keyEncipherment, dataEncipherment,nonRepudiation

File named openssl-graylog.cnf with the following content.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = iowa
L = cedar rapids
O = enseva
OU = admin
CN = graylog.domain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment,nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 192.168.1.100
DNS.1 = graylog.domain.com

Insure JVM to pick up the trust store, it has to be started with the JVM parameter and Graylog has access to keystore and the certificates. I used the Default keystore “cacerts”.

-Djavax.net.ssl.trustStore=/path/to/cacerts.jks

If the keystore has password you may need this config

-Djavax.net.ssl.trustStorePassword=secret

Hope that helps

@gmorin

I beieve @oebhardt is correct.

The resulting PKCS#8 private key (graylog-key.pem) and the X.509 certificate (graylog-certificate.pem) can now be used to enable encrypted connections which will be used on the Input with TCP/TLS.

The certificate that will be install in the keystore is the one that is created below.

$ openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

Then import that cert called cert.pem

$ keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias graylog-self-signed -file cert.pem

In your case I believe it should have been the certificate called “ca.crt”.

@gmorin The reason I stated this is from this statement above.

Then I seen this statement

ADDED NOTE: If a directory was create in Graylogs home directory, ensure Graylog has permission to that directory.

Example:

chown graylog:graylog -R /etc/graylog/server/certificates 

Also after re-reading the server logs I noticed this error.

Caused by: java.util.jar.JarException: The JCE Provider file:/usr/share/graylog-server/graylog.jar is not signed.

I found here…

Hope that helps.

Hello @gmorin, @gsmith,
the exception about unsigned classes is kind of interesting (I missed that completely…), but would indicate some of the Graylog classes would be unsigned. If so, I guess we all should have run into that problem. (Well, theoretically; unfortunately, practis and theory do not always match.)

Right now, I suspect there is something wrong with the certificate, because - after comparing @gsmith and my own notes, it relay seems the setup should be clean by now.

So, @gmorin, could you please share the output of

openssl x509 -in *YourCertificate-File* -noout -text

so we could see if there is something wrong with it?

1 Like

Hi,
it’s possible to use NGINX or Apache as a reverse proxy

Hi @H077E,
That’s my current setup ! :slight_smile: But it’s not suited for my usecase… :confused:
That’s why I’m trying to get the ‘official way’ working :stuck_out_tongue:

1 Like

I understand that. I’m looking forward to the solution to your problem.
Unfortunately I can’t help you here. :hear_no_evil:

Hi @gmorin,
did You have time to do the SSL, so we could check the certificate?
openssl x509 -in *YourCertificate-File* -noout -text

1 Like

Hi @oebhardt, @gsmith,

I finally managed to make HTTPS working the official way ! :partying_face:

I think it was a java-related issue, due to my java 17 installation on Debian 10.

I know that Debian 11 is not officially supported by Graylog for now, but that’s the way I went. I created a new server this weekend and reinstalled Graylog from scratch. Thanks to Debian 11, I have now access to the OpenJDK 17. I reused the certs files I made, following the tutorial and your tips and it now works.

Many thanks !!

Next step is to reimport the previous server configuration (pipelines, streams and inputs). Is it any way to export/reimport it, or do I have to do it by hands ? (not a big deal if not ^^)

1 Like

Hey, these are great news!
Nice to hear it is running now; about the export I’m afraid I can’t help - I know it is possible to export extractors as jason-Files, but have no idea about the rest.

Well, I found a way to export the whole configuration as a content pack. I’ll test importing that later today ^^

If you need the complete config, you can create a Database-Dump. (Also recommended before any GL upgrade.)

1 Like