TLS on Graylog 3.1

I’m trying to enable TLS on dockerized Graylog 3.1 (MongoDB and Elasticsearch also live in containers, see the docs), so I followed these steps (I read the docs):

  • openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
  • openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
  • openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

After that I copied the .pem files to my Graylog container. Then I added the certs to the Java keystore:

  • keytool -importcert -keystore /usr/share/graylog/certs/ -storepass secret -alias graylog-self-signed -file cert.pem

and in the container I edited the .conf file, enabling HTTPS and editing http_publish_uri to add the s to http:

# Enable HTTPS support for the HTTP interface.
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
http_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_cert_file = /path/to/graylog-certificate.pem

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_file = /path/to/graylog-key.pem

# The password to unlock the private key used for securing the HTTP interface. (if key is encrypted)
http_tls_key_password = secret

Finally I restarted the container to apply the changes. Graylog seems to be OK, but in the browser HTTPS is not appearing and I’m receiving this message in the Docker logs:

WARN : org.graylog2.shared.rest.resources.ProxiedResource - Unable to call https://192.168.1.1:9000/api/system/inputstates on node <978f7e2e-316c-4799-884a-7d4ad3720347>: connect timed out

These containers live on a remote server. I exposed Graylog under a DNS name using Nginx; I think my problem has to do with this, but I’m not figuring out how to expose it over HTTPS.

Is the Nginx unnecessary? Or how should I configure Nginx in order to expose Graylog over HTTPS?
I also understand that the log refers to the communication between Graylog and Elasticsearch, but I don’t know how to solve it.

Have you configured http_publish_uri = https://$http_bind_address/ ? (https and not http)

Not sure on that command…
/usr/share/graylog/certs/ does not look like the path to a file.

You will also need to specify the keystore file Java should use with the flag
-Djavax.net.ssl.trustStore=/path/to/cacerts.jks

This post may give you some more information:

About the .jks file, I have some doubts about how my .pem file would be converted to this format; I’m pretty much a newbie at this.

Also found my error: I didn’t uncomment the line:

http_enable_tls = true

Well, that explains a lot, but a new error appears in the Docker logs:

com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP private key: /usr/share/graylog/certs/pkcs8-encrypted.pem

and the command namei -l path/to/pk8s.key shows:

f: certs/pkcs8-encrypted.pem
drwxrwxrwx graylog graylog certs
-rwxrwxrwx graylog graylog pkcs8-encrypted.pem

There is a bug using encrypted files right now that I have found. Try starting it with the plain pk8s file.
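A preflight check for the three things this thread trips over (http_enable_tls left commented out, a key path that is not a readable regular file, and an encrypted PKCS#8 key that hits the bug mentioned above), written as an added example for this thread and not anything shipped by Graylog; the server.conf text and PEM files it builds are constructed placeholders, not real keys.

```python
import os
import re
import tempfile

def parse_tls_settings(conf_text):
    """Pick the TLS settings out of server.conf; '#'-commented lines do not count."""
    wanted = ("http_enable_tls", "http_tls_cert_file", "http_tls_key_file", "http_publish_uri")
    settings = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1) in wanted:
            settings[m.group(1)] = m.group(2)
    return settings

def key_format(path):
    # Classify a PEM private key by its first line (standard PEM labels).
    with open(path) as fh:
        first = fh.readline().strip()
    return {"-----BEGIN PRIVATE KEY-----": "pkcs8-plain",
            "-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
            "-----BEGIN RSA PRIVATE KEY-----": "pkcs1"}.get(first, "unknown")

def check_tls_config(conf_text):
    """Return the problems a Graylog 3.1 node would trip over; [] means it looks sane."""
    s = parse_tls_settings(conf_text)
    problems = []
    if s.get("http_enable_tls", "").lower() != "true":
        problems.append("http_enable_tls is not 'true' (is the line still commented out?)")
    if not s.get("http_publish_uri", "").startswith("https://"):
        problems.append("http_publish_uri does not start with https://")
    key = s.get("http_tls_key_file", "")
    if not (os.path.isfile(key) and os.access(key, os.R_OK)):
        problems.append("http_tls_key_file is missing, a directory, or unreadable")
    elif key_format(key) != "pkcs8-plain":
        problems.append("http_tls_key_file is not a plain PKCS#8 key (encrypted keys hit the bug in this thread)")
    if not os.path.isfile(s.get("http_tls_cert_file", "")):
        problems.append("http_tls_cert_file is missing or not a regular file")
    return problems

def run_demo():
    """Constructed before/after configs in a temp dir; PEM bodies are placeholders, not real keys."""
    d = tempfile.mkdtemp()
    for name, label in (("pkcs8-plain.pem", "PRIVATE KEY"), ("pkcs8-encrypted.pem", "ENCRYPTED PRIVATE KEY"), ("cert.pem", "CERTIFICATE")):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n")
    before = (f"#http_enable_tls = true\nhttp_publish_uri = http://192.168.1.1:9000/\n"
              f"http_tls_cert_file = {d}/cert.pem\nhttp_tls_key_file = {d}/pkcs8-encrypted.pem\n")
    after = (f"http_enable_tls = true\nhttp_publish_uri = https://192.168.1.1:9000/\n"
             f"http_tls_cert_file = {d}/cert.pem\nhttp_tls_key_file = {d}/pkcs8-plain.pem\n")
    return check_tls_config(before), check_tls_config(after)
```

Running `run_demo()` reports three problems for the "before" config and none for the "after" one; point `check_tls_config` at your own server.conf contents to get the same list before restarting the container.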

Thanks, this was the solution. Now I’m facing why my main page is blank; I added the cert to the Java truststore and I’m not getting “bad” logs at start, apparently all seems to be OK.

2020-03-17 15:57:41,716 INFO : org.graylog2.shared.initializers.JerseyService - Enabling CORS for HTTP endpoint
2020-03-17 15:58:10,747 INFO : org.glassfish.grizzly.http.server.NetworkListener - Started listener bound to [0.0.0.0:9000]
2020-03-17 15:58:10,749 INFO : org.glassfish.grizzly.http.server.HttpServer - [HttpServer] Started.
2020-03-17 15:58:10,749 INFO : org.graylog2.shared.initializers.JerseyService - Started REST API at <0.0.0.0:9000>
2020-03-17 15:58:10,750 INFO : org.graylog2.shared.initializers.ServiceManagerListener - Services are healthy
2020-03-17 15:58:10,751 INFO : org.graylog2.shared.initializers.InputSetupService - Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2020-03-17 15:58:10,751 INFO : org.graylog2.bootstrap.ServerBootstrap - Services started, startup times in ms: {InputSetupService [RUNNING]=5, GracefulShutdownService [RUNNING]=8, BufferSynchronizerService [RUNNING]=20, KafkaJournal [RUNNING]=23, OutputSetupService [RUNNING]=26, EtagService [RUNNING]=52, JobSchedulerService [RUNNING]=53, ConfigurationEtagService [RUNNING]=58, UrlWhitelistService [RUNNING]=63, JournalReader [RUNNING]=66, MongoDBProcessingStatusRecorderService [RUNNING]=100, LookupTableService [RUNNING]=111, StreamCacheService [RUNNING]=119, PeriodicalsService [RUNNING]=170, JerseyService [RUNNING]=29833}
2020-03-17 15:58:10,758 INFO : org.graylog2.bootstrap.ServerBootstrap - Graylog server up and running.
