Unable to get https on graylog to work


(Greg Smith) #1

Hello all,
Sorry for all the information. I tried to show all the info available, along with what I tried to resolve this problem.
What I’m doing is testing how to configure Graylog to use https before I execute it in our production environment.
I created a single Graylog2 server on a CentOS 7 minimal install: two CPUs, 4 Gigs of memory and a 120 Gig HDD. I have disabled SELinux and cleared the firewall.

Using the following install instructions:
http://docs.graylog.org/en/2.2/pages/installation/os/centos.html

After logging in from the web interface and making sure the server was functioning, I proceeded to follow these instructions:
http://docs.graylog.org/en/2.2/pages/configuration/https.html

After restarting the Graylog server I executed the following checks:

Checked my Elasticsearch:

```
# curl -XGET 'http://xxx.xxx.xxx.xxx:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 2,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 4,
  "active_shards" : 4,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
```

Check the status of Graylog Server:

```
[root@localhost server]# systemctl status graylog-server
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-06-02 20:09:28 CDT; 14min ago
     Docs: http://docs.graylog.org/
 Main PID: 4320 (graylog-server)
   CGroup: /system.slice/graylog-server.service
           ├─4320 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─4321 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnload…

Jun 02 20:09:28 localhost.localdomain systemd[1]: Started Graylog server.
Jun 02 20:09:28 localhost.localdomain systemd[1]: Starting Graylog server…
```

Check the status of MongoDB:

```
[root@localhost server]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-06-02 19:28:10 CDT; 57min ago
     Docs: https://docs.mongodb.org/manual
  Process: 809 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 805 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 798 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
 Main PID: 1962 (mongod)
   CGroup: /system.slice/mongod.service
           └─1962 /usr/bin/mongod --quiet -f /etc/mongod.conf run

Jun 02 19:28:10 localhost.localdomain systemd[1]: Starting High-performance, schema-free document-oriented database…
Jun 02 19:28:10 localhost.localdomain systemd[1]: Started High-performance, schema-free document-oriented database.
Jun 02 19:28:12 localhost.localdomain mongod[815]: about to fork child process, waiting until server is ready for connections.
Jun 02 19:28:12 localhost.localdomain mongod[815]: forked process: 1962
Jun 02 19:28:14 localhost.localdomain mongod[815]: child process started successfully, parent exiting
```

Check the status of Elasticsearch:

```
[root@localhost server]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-06-02 19:28:10 CDT; 58min ago
     Docs: http://www.elastic.co
  Process: 804 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 812 (java)
   CGroup: /system.slice/elasticsearch.service
           └─812 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseC…

Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
Jun 02 20:10:38 localhost.localdomain elasticsearch[812]: at java.lang.Thread.run(Thread.java:748)
```

No problems in the log file/s after the service restart.
Using Chrome I tried to log in using the following URL: https://graylog-server:9000/
I received the following error:

```
This site can’t be reached
unexpectedly closed the connection.
Try:
Checking the connection
Checking the proxy and the firewall
Running Windows Network Diagnostics
ERR_CONNECTION_CLOSED
```

My server configuration file is as follows:

```
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = FxwOFsKdr3D2fDEmFRqqbgn1vCwuMB6pf21EWD3KGJ8PUFhJKV0oYLrE1LyINLsOhQB7DhkUDDMNtAwHLsoCoRWfXVW8YA0S
root_password_sha2 = 89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = https://graylog-server:9000/api/
rest_transport_uri = http://graylog-server:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
rest_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
rest_tls_key_password = secret
web_listen_uri = https://graylog-server:9000/
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/cert/graylog-certificate.pem
web_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
web_tls_key_password = secret
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_discovery_zen_ping_unicast_hosts = graylog-server:9300
elasticsearch_network_host = 10.200.6.49
elasticsearch_analyzer = standard
outputbuffer_processors.
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb://grayloguser:secret@localhost:27017/graylog
mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
```

Trying to resolve this error, I have looked at the following resources;




It seems everything is running right on the server, but I am unable to connect through the web interface. Any help would be appreciated. Thanks again.
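
A consistency check for the TLS settings in the configuration posted above, as an added example that is not part of the original thread or of Graylog's own tooling: it flags URI settings whose scheme disagrees with the matching `*_enable_tls` flag, and key files that are not PKCS#8 PEM, the key format the Graylog HTTPS documentation asks for. The names `parse_conf`, `lint` and `SAMPLE_CONF` are chosen here, and treating a scheme/flag mismatch as a finding is this example's assumption.

```python
from pathlib import Path
from urllib.parse import urlparse

# URI setting -> TLS flag its scheme should agree with (setting names from the posted config)
URI_FLAGS = {
    "rest_listen_uri": "rest_enable_tls",
    "rest_transport_uri": "rest_enable_tls",
    "web_listen_uri": "web_enable_tls",
}
# PEM headers of an unencrypted / encrypted PKCS#8 private key
PKCS8_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")

# Excerpt of the TLS-related settings from the post above
SAMPLE_CONF = """\
rest_listen_uri = https://graylog-server:9000/api/
rest_transport_uri = http://graylog-server:9000/api/
rest_enable_tls = true
rest_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
web_listen_uri = https://graylog-server:9000/
web_enable_tls = true
web_tls_key_file = /etc/graylog/server/cert/graylog-key.pem
"""

def parse_conf(text):
    """Parse 'key = value' lines; skip blanks, comments and lines without '='."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint(text, read_file=lambda p: Path(p).read_text()):
    """Return a list of findings; an empty list means the TLS settings agree."""
    conf, findings = parse_conf(text), []
    enabled = lambda flag: conf.get(flag, "false").lower() == "true"
    for uri_key, flag in URI_FLAGS.items():
        scheme = urlparse(conf.get(uri_key, "")).scheme
        if scheme and scheme != ("https" if enabled(flag) else "http"):
            findings.append(f"{uri_key} is {scheme}:// but {flag} = {conf.get(flag, 'false')}")
    for key_setting in ("rest_tls_key_file", "web_tls_key_file"):
        if not enabled(key_setting.replace("tls_key_file", "enable_tls")):
            continue
        try:
            pem = read_file(conf[key_setting])
        except (KeyError, OSError) as exc:  # setting missing or file unreadable
            findings.append(f"{key_setting}: cannot read key ({exc!r})")
            continue
        if not pem.lstrip().startswith(PKCS8_HEADERS):
            findings.append(f"{key_setting}: key is not PKCS#8 PEM")
    return findings
```

Run `lint(Path("/etc/graylog/server/server.conf").read_text())` as the user the Graylog service runs as, so an unreadable key file shows up as a finding rather than being masked by root's permissions.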


(Greg Smith) #2

Found something interesting, unsure if this might be the problem:

```
[root@localhost elasticsearch]# curl https://graylog-server:9000
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@localhost elasticsearch]#
```


(Greg Smith) #3

I fixed my certification problem. Went back to http://docs.graylog.org/en/2.2/pages/configuration/https.html and finished the section called "Adding a self-signed certificate to the JVM trust store".
I executed the following command again:

```
[root@localhost ~]# curl https://graylog-server:9000/
curl: (7) Failed connect to graylog-server:9000; Connection refused
```

Think I’m getting closer, not sure yet.


(Jan Doberstein) #4

hej @gsmith

please format your config/logs as code block with:

```
TEXT
```

currently this is not readable.


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.