Unable to get access to the OpenSearch Backend via client certification

Hi,

I use the Graylog-Server and the Graylog Data-Node inside a Docker environment. To get direct access to the OpenSearch backend with CURL I have to use a client certificate for authentication. OpenSearch listens on localhost:9200. To generate a client certificate I use the "Client Certificate" option, which is offered by the Graylog WebGUI. I use the following parameters:

  • principal: localhost
  • role: all_access
  • password:

I store the CA, the certificate and the private key in different files. Inside the docker image of the Graylog Datanode I install the CURL tool and use it for the query in this way…

  #> curl -v -s https://localhost:9200/_cluster/health --cert /etc/graylog/certs/client.crt --key /etc/graylog/certs/private.key --cacert /etc/graylog/certs/CA.crt

I got this response from the OpenSearch backend:

  *   Trying 127.0.0.1:9200...
  * Connected to localhost (127.0.0.1) port 9200 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  *  CAfile: /etc/graylog/certs/CA.crt
  *  CApath: /etc/ssl/certs
  * TLSv1.0 (OUT), TLS header, Certificate Status (22):
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.2 (IN), TLS header, Certificate Status (22):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.2 (IN), TLS header, Finished (20):
  * TLSv1.2 (IN), TLS header, Supplemental data (23):
  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  * TLSv1.3 (IN), TLS handshake, Request CERT (13):
  * TLSv1.3 (IN), TLS handshake, Certificate (11):
  * TLSv1.3 (IN), TLS handshake, CERT verify (15):
  * TLSv1.3 (IN), TLS handshake, Finished (20):
  * TLSv1.2 (OUT), TLS header, Finished (20):
  * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  * TLSv1.2 (OUT), TLS header, Supplemental data (23):
  * TLSv1.3 (OUT), TLS handshake, Certificate (11):
  * TLSv1.2 (OUT), TLS header, Supplemental data (23):
  * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
  * TLSv1.2 (OUT), TLS header, Supplemental data (23):
  * TLSv1.3 (OUT), TLS handshake, Finished (20):
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN, server did not agree to a protocol
  * Server certificate:
  *  subject: CN=graylog-datanode
  *  start date: Aug 21 12:39:42 2024 GMT
  *  expire date: Sep 20 12:39:42 2024 GMT
  *  subjectAltName: host "localhost" matched cert's "localhost"
  *  issuer: CN=Graylog CA
  *  SSL certificate verify ok.
  * TLSv1.2 (OUT), TLS header, Supplemental data (23):
  > GET /_cluster/health HTTP/1.1
  > Host: localhost:9200
  > User-Agent: curl/7.81.0
  > Accept: */*
  >
  * TLSv1.2 (IN), TLS header, Supplemental data (23):
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  * TLSv1.2 (IN), TLS header, Supplemental data (23):
  * Mark bundle as not supporting multiuse
  < HTTP/1.1 401 Unauthorized
  < content-type: text/plain; charset=UTF-8
  < content-length: 29
  <
  * Connection #0 to host localhost left intact

The backend responds with "401 Unauthorized", and in the docker logs I can see this entry:

  …[graylog-datanode] Authentication finally failed for null from 127.0.0.1:45498

Here is my Docker Compose content for the Graylog Datanode:

  datanode:
    image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.0}"
    container_name: "graylog-datanode"
    hostname: "graylog-datanode" # michael.baeumker@nordfrost.de Do NOT change hostname, because of internal used SSL certifications between server and datanode
    environment:
      GRAYLOG_DATANODE_NODE_ID_FILE: "/var/lib/graylog-datanode/node-id"
      GRAYLOG_DATANODE_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
      GRAYLOG_DATANODE_ROOT_USERNAME: "admin"
      GRAYLOG_DATANODE_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
      GRAYLOG_DATANODE_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_DATANODE_OPENSEARCH_CONFIG_LOCATION: "/etc/opensearch"
      # GDN_JVM_OPTIONS_FILE: "/etc/graylog/datanode/outbox/jvm.options"
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "8999:8999/tcp"   # DataNode API
      - "9200:9200/tcp"
      - "9300:9300/tcp"
    volumes:
      - "/srv/data/graylog_graylog-datanode:/var/lib/graylog-datanode"
      - "/etc/graylog/opensearch:/etc/opensearch"
      - "/etc/graylog/certs:/etc/graylog/certs"
    restart: "on-failure"
    extra_hosts:
      - "graylog-datanode-ingress:192.168.10.1"
    networks:
      - "graylog-net"

What am I doing wrong?

I use Graylog 6.0.6 for the server and the data-node.
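A diagnostic added here as an example (not from the thread or from Graylog): in the trace above the TLS handshake completes and the 401 arrives afterwards, so the trust chain is already accepted and the question is which identity the Data Node extracted from the client certificate. The script below checks that a client cert chains to the CA, that the private key matches it, that it carries the clientAuth EKU, and prints the subject CN (the "principal"); it builds a throwaway CA and client cert with openssl so it runs offline, but the same functions can be pointed at /etc/graylog/certs/CA.crt, client.crt and private.key.

```shell
#!/bin/sh
# Added example: client-certificate sanity checks with openssl (assumes openssl 1.1.1+).

# make_test_pki DIR CN: constructed self-signed CA plus a client cert (EKU clientAuth)
# issued by it. Only used to produce sample input; not needed against real files.
make_test_pki() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/CA.crt" \
    -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/private.key" \
    -out "$dir/client.csr" -subj "/CN=$cn" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.crt" -days 1 -extfile "$dir/ext.cnf" >/dev/null 2>&1
}

# cert_cn CERT: subject CN of the certificate, i.e. the name the server maps to a user
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_client_cert CA CERT KEY: returns 0 when CERT chains to CA, KEY matches CERT
# and CERT is allowed for TLS client authentication; 1/2/3 otherwise.
check_client_cert() {
  ca=$1; cert=$2; key=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: cert is not signed by $ca"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key: $key does not belong to $cert"; return 2; }
  openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "eku: $cert lacks clientAuth"; return 3; }
  echo "ok: chain, key and EKU valid; principal (CN) = $(cert_cn "$cert")"
}

# Demo on constructed input; replace the three paths with the real files to check them.
DEMO=$(mktemp -d)
make_test_pki "$DEMO" localhost
check_client_cert "$DEMO/CA.crt" "$DEMO/client.crt" "$DEMO/private.key"
```

Compare the printed CN with the principal the Data Node expects; a cert that passes all three checks but whose CN is not mapped to any user still yields a 401 after a successful handshake.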
