I want to enable TLS log collection in Graylog, since my devices will be sending only TLS-wrapped logs. My enterprise has a CA and I have already generated the files, but I am struggling to configure them in /etc/graylog/server/server.conf.
Can someone help me with which parameters I have to change?
#### Enable HTTPS support for the HTTP interface
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
#
# Default: false
http_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
#http_tls_cert_file = /path/to/graylog.crt
http_tls_cert_file = /root/graylog/graylog.pem
# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
#http_tls_key_file = /path/to/graylog.key
http_tls_key_file = /root/graylog/graylog-Key.pem
# The password to unlock the private key used for securing the HTTP interface.
# This is the passphrase of an encrypted key, not a file path. Leave it commented out for an
# unencrypted key; a CA certificate belongs at the end of the chain file named in http_tls_cert_file.
#http_tls_key_password = secret
#http_tls_key_password = /root/graylog/graylog-CA.pem
2020-04-07T14:56:18.320Z ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /root/graylog/graylog-Key.pem
at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_242]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_242]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242]
at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:178) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Don't put the cert and key files in /root, because the graylog service runs as the graylog user, so it can't read those files. Put them in the /etc/graylog/server directory or, better, in the recommended directories of your Linux distribution, for example:
Finally it worked. Since all my nodes send only syslog over TLS, I had to use a "TCP" input, check the "TLS" box, and use the relative addresses of the certs local to the server. It started collecting the info.
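Added example, not from this thread or from Graylog itself: a pre-flight check that applies the answer above to a server.conf before the service is restarted. It walks every parent directory of the cert and key and tests the search/read bits for the service uid/gid (the /root trap behind the "Unreadable or missing HTTP private key" error), confirms the PEM headers match what the config comments demand (a PKCS#8 key), and flags an http_tls_key_password that holds a file path instead of a passphrase. It assumes a non-root service user whose uid/gid you pass in (what `id graylog` reports); the uid of 12345 in the usage line is a constructed value.

```python
import pathlib
import re
import stat
TLS_KEYS = ("http_tls_cert_file", "http_tls_key_file", "http_tls_key_password")

def _allowed(st, uid, gid, bits):
    # classic owner/group/other selection; bits is the (user, group, other) mask triple
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid == gid:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def readable_by(path, uid, gid):
    """True if a non-root uid/gid can search every parent dir and read the file itself."""
    p = pathlib.Path(path).resolve()
    try:
        # /root is normally 0700, so a key under /root/graylog fails on the parent check
        for d in p.parents:
            if not _allowed(d.stat(), uid, gid, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
                return False
        return _allowed(p.stat(), uid, gid, (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH))
    except OSError:  # missing file or directory
        return False

def parse_conf(text):
    """Active (uncommented) http_tls_* settings from server.conf text."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z_]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1) in TLS_KEYS:
            conf[m.group(1)] = m.group(2)
    return conf

def check_tls_config(text, uid, gid):
    """Problems Graylog's validator (or the TLS handshake) would hit; empty list means OK."""
    conf, problems = parse_conf(text), []
    for key, pem in (("http_tls_cert_file", r"BEGIN CERTIFICATE"),
                     ("http_tls_key_file", r"BEGIN (ENCRYPTED )?PRIVATE KEY")):
        path = conf.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not readable_by(path, uid, gid):
            problems.append(f"{key}: {path} unreadable for uid {uid} (parent dir or file mode)")
        elif not re.search(pem, pathlib.Path(path).read_text()[:64]):
            problems.append(f"{key}: unexpected PEM header (key must be PKCS#8: 'BEGIN PRIVATE KEY')")
    pw = conf.get("http_tls_key_password", "")
    if pw and pathlib.Path(pw).exists():
        problems.append("http_tls_key_password holds a file path; it must be the key's passphrase")
    return problems
```

Run it as `check_tls_config(open("/etc/graylog/server/server.conf").read(), 12345, 12345)` with the real uid/gid of the graylog user; an empty list means the three settings should pass validation.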