Trying to enable SSL

I mostly followed these instructions to create and configure SSL: http://www.hospitableit.com/howto/setting-up-a-centralised-log-server-using-graylog-on-ubuntu-16-04-lts-part-two/

  • openssl genrsa -aes128 -out graylog.key 4096
  • openssl req -sha256 -key graylog.key -new -out graylog.csr -config graylog.cnf
  • openssl pkcs8 -in graylog.key -topk8 -out graylogPKCS8.key
  • keytool -import -trustcacerts -file /etc/ssl/certs/graylog.crt -alias ComodoCA -keystore /etc/graylog/cacerts.jks
  • keytool -list -v -keystore /etc/graylog/cacerts.jks

Graylog isn’t starting and I’m getting this error. Seems like I have all the files in place. Any advice?

2020-02-18T09:07:45.713-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
	at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
	at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
	at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
	at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:148) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
	at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
	Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
	Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
		at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
		at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
		at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
		at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
		at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
		at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
		at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
		at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
		at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
		at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
		at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:347) ~[graylog.jar:?]
		at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:172) ~[graylog.jar:?]
		at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:146) ~[graylog.jar:?]
		at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
		at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
		at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_242]
2020-02-18T09:07:45.715-05:00 INFO  [Server] SIGNAL received. Shutting down.
2020-02-18T09:07:45.719-05:00 INFO  [GracefulShutdown] Graceful shutdown initiated.
2020-02-18T09:07:45.719-05:00 INFO  [GracefulShutdown] Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
2020-02-18T09:07:49.721-05:00 INFO  [GracefulShutdown] Goodbye.

Hey @atrof

And how did you configure the http_* parameters in Graylog?

Hi,

root@graylog:~# cat /etc/graylog/server/server.conf | grep http
# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
#http_bind_address = 127.0.0.1:9000
#http_bind_address = [2001:db8::1]:9000
http_bind_address = 172.17.1.5:9000
# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
# Default: http://$http_bind_address/
#http_publish_uri = http://192.168.1.1:9000/
http_publish_uri = https://graylog.domainname_here.com:9000/
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
# Default: $http_publish_uri
#http_external_uri =
http_external_url = https://graylog.domainname_here.com:9000/
#http_enable_cors = false
#http_enable_gzip = false
#http_max_header_size = 8192
#http_thread_pool_size = 16
#http_enable_tls = true
http_enable_tls = true
#http_tls_cert_file = /path/to/graylog.crt
http_tls_cert_file = /etc/ssl/certs/graylog.crt
#http_tls_key_file = /path/to/graylog.key
http_tls_key_file = /etc/graylog/graylog-web8.key
http_tls_key_password = secret_here

Did you make the suggested changes to the Graylog startup script as written in the howto?

Sorry, not sure what you’re referring to. The JVM settings in the documentation, or the JAVA_OPTS in the tutorial above, or something else? Thanks.

I'm referring to the tutorial you used …

I ran one more conversion on the pkcs8 key. I noticed it was encrypted, so I made it unencrypted with this command and that worked:
openssl pkcs8 -in graylogPKCS8.key -topk8 -nocrypt -out pkcs8-plain.pem
