TLS Client Authentication: "No certificate data found"

Getting the following error when the client (Metricbeat) attempts to connect to Graylog (2.4.3+2c41897):
"
2019-02-28T15:50:21.734Z WARN [AbstractNioSelector] Failed to initialize an accepted socket.
java.security.cert.CertificateException: No certificate data found
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:456) ~[?:1.8.0_151]
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356) ~[?:1.8.0_151]
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_151]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:91) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:103) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:73) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:199) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
"

We’ve had TLS mutual authentication working for the last year now. Our server and client certificates expired, so we generated new certificates. Server authentication works fine, but we get the above error when we enable client/mutual authentication. We’re using create_ssl_certs.sh from https://github.com/jalogisch/bartwickelmaschine/blob/master/create_self_signed_ssl_certs/create_ssl_certs.sh to create our certificates. Please advise.

Thanks,

Tom

did you have that specific certificate also used in the beats input configuration?

Yes, we installed the server certificate on the clients and the client certificates in a directory on the server which is specified in the Inputs configuration. We generated a new server certificate and new client certificates.

FYI, server authentication works. It’s mutual authentication which is broken.

Thanks for responding Jan,

Tom

That happened to me as well. Is the certificate or the key in PKCS8 format by any chance? If it is, convert it back to regular PEM and it should start working.
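A file-level check for what Ben suggests, added here as an example and not code from the thread or from Graylog: it scans the directory of client certificates that the input configuration points at and reports every file a certificate loader cannot use. The JDK's CertificateFactory raises "No certificate data found" when the data it reads contains no PEM header at all (an empty file, a file saved in UTF-16, a stray text file); a PEM key dropped into the directory instead of a certificate fails differently but is flagged too. The directory layout and file contents in make_sample_dir() are constructed for the demo and are not real keys or certificates.

```python
import os
import re
import tempfile

# Matches a PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def check_pem_file(data: bytes):
    """Return None if data holds at least one PEM CERTIFICATE block, otherwise
    a short reason why a certificate loader would reject the file."""
    if not data.strip():
        return "empty file"
    if b"\x00" in data:
        # UTF-16 text (e.g. saved from a Windows editor) or a binary file: the
        # ASCII '-----BEGIN' header is never seen, so no certificate data is found.
        return "contains NUL bytes: UTF-16 text or binary, not PEM"
    labels = [m.group(1) for m in PEM_BLOCK.finditer(data.decode("ascii", "replace"))]
    if not labels:
        return "no PEM header found"
    if "CERTIFICATE" not in labels:
        # A key (PKCS#8 'PRIVATE KEY' or traditional 'RSA PRIVATE KEY') is not
        # a certificate and does not belong in the trusted client-cert directory.
        return "no CERTIFICATE block, only: " + ", ".join(labels)
    return None


def check_trust_dir(path):
    """Map every regular file in the client-certificate directory to its verdict."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                report[name] = check_pem_file(fh.read())
    return report


def make_sample_dir():
    """Write constructed sample files (not real keys or certificates) to a temp dir."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nMIIBsampleNOTarealcert==\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIEsampleNOTarealkey==\n-----END PRIVATE KEY-----\n"
    files = {
        "client1.crt": cert.encode(),          # fine
        "client1-key.pem": key.encode(),       # key copied into the cert directory
        "client2.crt": cert.encode("utf-16"),  # wrong encoding
        "README.txt": b"put client certs here\n",
        "client3.crt": b"",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Run `check_trust_dir()` against the directory named in the Beats input's client-auth setting; any entry whose verdict is not None is a file to remove or re-export as plain PEM.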

Thanks for your response Ben. The key is in PKCS5 as is the certificate.

Tom

Try using a regular PEM certificate, it may fix your issue 🙂
