TLS Connection not working

Graylog Central (peer support)
1

Hello All,

I want to enable TLS log collection at Graylog since my devices would be sending only TLS wrapped logs. My enterprise has a CA and I have already generated files, But I am struggling to configure them in /etc/graylog/server/server.conf

Can someone help me what parameters do I have to make changes ?

graylog-CA.pem
graylogCert.pem
graylog-Key.pem
graylog.pem

Config:

#### Enable HTTPS support for the HTTP interface
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
#
# Default: false
http_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
#http_tls_cert_file = /path/to/graylog.crt
http_tls_cert_file = /root/graylog/graylog.pem

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
#http_tls_key_file = /path/to/graylog.key

http_tls_key_file = /root/graylog/graylog-Key.pem


# The password to unlock the private key used for securing the HTTP interface.
#http_tls_key_password = secret

http_tls_key_password = /root/graylog/graylog-CA.pem
4

what is the error you have?

5

Hi Jan,

When I make this config (I am not sure if these are correct or now)

http_enable_tls = true
http_tls_cert_file = /root/graylog/graylog.pem
http_tls_key_file = /root/graylog/graylog-Key.pem
http_tls_key_password = /root/graylog/graylog-CA.pem

From the logs after restarting the server

2020-04-07T14:56:18.320Z ERROR [CmdLineTool] Invalid configuration
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /root/graylog/graylog-Key.pem
	at org.graylog2.configuration.HttpConfiguration.validateTlsConfig(HttpConfiguration.java:252) ~[graylog.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_242]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_242]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242]
	at com.github.joschi.jadconfig.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:53) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.invokeValidatorMethods(JadConfig.java:221) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:100) ~[graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:351) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.readConfiguration(CmdLineTool.java:344) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:178) [graylog.jar:?]
	at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
6

Don’t put cert, key files in /root, because graylog service run as graylog user, so it couldn’t read that file. Put it in /etc/graylog/server directory or better recommended directories of your linux distribution, for example:

Debian/Ubuntu: /etc/ssl/certs/, /etc/ssl/private/
RHEL/Centos: /etc/pki/tls/certs/, /etc/pki/tls/private/

7

Unreadable or missing HTTP private key: /root/graylog/graylog-Key.pem

Graylog can’t read the certificate.

8

I tried changing to other directory like home and subdirectory with all permission, but still it didnt work

9

Finally it worked, Since all my nodes send only syslog over TLS, I had to finally use input as “TCP” and check the box “TLS” and use those relative address of certs local to the server. It started collecting the info.

Thanks all.