Unable to implement HTTPS in docker Graylog 6.1.1


1. Describe your incident:
After following the steps outlined here to create a self-signed cert:
Setting Up Graylog HTTPS

I’m unable to start any inputs due to the IP address not being verified in the cert. The main issue to me appears to be that the docker container changes that IP every restart, so I’m unable to know which IP to place in the SAN field.

WARN : org.graylog2.shared.rest.resources.ProxiedResource - Failed to call API on node <7f8024d2-680f-4c69-88b1-b51abb2c4484>, cause: Hostname 10.89.0.150 not verified:

2. Describe your environment:

  • OS Information: Redhat 9.4

  • Package Version: Graylog 6.1.1

  • Service logs, configurations, and environment variables:
My docker-compose.yml:

networks:
  graynet:
    driver: bridge

volumes:
  mongo_data:
    driver: local
  log_data:
    driver: local
  graylog_data:
    driver: local
  graylog_journal:
    driver: local

services:
  mongo:
    image: docker.io/mongo:6.0.14-jammy
    container_name: mongodb
    volumes:
      - "${PWD}/data/mongodb/mongo_data:/data/db:z"
    networks:
      - graynet
    restart: unless-stopped


  opensearch:
    image: opensearchproject/opensearch:2.15.0
    container_name: opensearch
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "action.auto_create_index=false"
      - "plugins.security.ssl.http.enabled=false"
      - "plugins.security.disabled=true"
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=353984727881"
    volumes:
      - "log_data:/usr/share/opensearch/data:z"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - 9200:9200/tcp
    networks:
      - graynet
    restart: unless-stopped

  graylog:
    image: graylog/graylog:6.1
    container_name: graylog
    environment:
      GRAYLOG_PASSWORD_SECRET: "pUj0XLCi2gk74lh3QE6KNIC8eMdiVgiD7UWJBKsWH4LDqUteuO42a0XmuW3RoLrQo5SheDUlGs8VX8GdwZbwkgnhh5xo8J3k"
      # Password: admin
      GRAYLOG_ROOT_PASSWORD_SHA2: "c775e7b757ede264cd0aa1113bd102661ab38829ca52a6422ab782862f268646"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      # Graylog's setting is http_publish_uri, so the env var is GRAYLOG_HTTP_PUBLISH_URI
      # (GRAYLOG_PUBLISH_URI maps to an unknown key and is ignored). This is the address
      # the node announces to the cluster, so it must appear in the cert's SAN.
      GRAYLOG_HTTP_PUBLISH_URI: "https://graylog.test.com:9000/"
      GRAYLOG_HTTP_ENABLE_TLS: "true"
      GRAYLOG_HTTP_TLS_CERT_FILE: "/opt/graylog/tls/cert.pem"
      GRAYLOG_HTTP_TLS_KEY_FILE: "/opt/graylog/tls/pkcs8-plain.pem"
      GRAYLOG_SERVER_JAVA_OPTS: "-Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/opt/graylog/tls/graylog.jks"
      # Setting name is http_tls_key_password; only needed if the key file is encrypted
      GRAYLOG_HTTP_TLS_KEY_PASSWORD: "changeit"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
      GRAYLOG_MESSAGE_JOURNAL_MAX_SIZE: "10gb"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_ROOT_TIMEZONE: "America/New_York"
      GRAYLOG_TIMEZONE: "America/New_York"
      TZ: "America/New_York"

    entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh
    volumes:
      - "${PWD}/config/graylog/graylog.conf:/usr/share/graylog/config/graylog.conf:z"
      - "${PWD}/config/tls:/opt/graylog/tls:z"
      - "${PWD}/data/graylog/graylog_data:/usr/share/graylog/data/data:z"
      - "${PWD}/data/graylog/graylog_journal:/usr/share/graylog/data/journal:z"
    networks:
      - graynet
    restart: always
    depends_on:
      opensearch:
        condition: "service_started"
      mongo:
        condition: "service_started"
    ports:
      - 9000:9000/tcp   # Graylog web interface and REST API
      - 1514:1514/tcp   # Syslog
      - 1514:1514/udp   # Syslog
      - 5555:5555/tcp   # RAW
      - 5555:5555/udp   # RAW
      - 12201:12201/tcp # GELF
      - 12201:12201/udp # GELF

3. What steps have you already taken to try and solve the problem?
I’ve attempted to add the whole range of IPs to the SAN IP field, but I feel like this isn’t the best way to handle this.

4. How can the community help?

Does anyone have any ideas on what my problem might be?


Hey @friedpo,

I believe it is the case that containers can reference each other by name, assuming they are within the same defined network. Could you not add the container name as a SAN to the cert and use that as the GRAYLOG_PUBLISH_URI? This will persist between restarts.

Thank you for your reply @Wine_Merchant.

I tried putting the container name as the SAN and changing the GRAYLOG_PUBLISH_URI to the container name, but I’m still receiving the same error when starting Graylog.

Here’s my openssl.conf I’m using to generate the cert.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = CA
L = Lake
O = Hosty
OU = IT
CN = graylog.hosty.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
DNS.1 = graylog

I added:

GRAYLOG_PUBLISH_URI: "https://graylog:9000/"

I’m still receiving this error on startup.

2024-11-08 08:46:22,181 WARN : org.graylog2.shared.rest.resources.ProxiedResource - Failed to call API on node <acd5b7c2-757e-45e4-965f-76d51fb0bd45>, cause: Hostname 10.89.0.52 not verified:
    certificate: sha256/PoJVXXJAZ/gFpDWySQwDvYgUxi9S8UnuEHoO/Dpcn9E=
    DN: CN=graylog.hosty.com, OU=IT, O=Hosty, L=Lake, ST=CA, C=US
    subjectAltNames: [graylog] (duration: 6 ms)

Thanks for sharing the steps you’ve taken, I should have mentioned first that any certs created for your Graylog nodes should also be added to the Java key store. Is this being done?

Yes. I copied the cacerts Java key store to a new location at /opt/graylog/tls/graylog.jks and added the cert to it there. I then put in the JAVA_OPTS value -Djavax.net.ssl.trustStore=/opt/graylog/tls/graylog.jks to make it available. It seems like it sees the cert, but it doesn’t appear to be enough to have the graylog container name in it as a SAN.
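The following script is an added example, not code from the thread or from Graylog's documentation. It generates a self-signed certificate the way the openssl.conf above does, but with a SAN that carries every address a node might be reached by: the container name, the FQDN used in the CN (the CN alone is ignored by Java's hostname verifier once a SAN is present), and an IP entry, because a connection made to an IP literal is only satisfied by an iPAddress SAN, never by a dNSName. It then converts the key to unencrypted PKCS#8 for http_tls_key_file, imports the cert into a copy of the JVM cacerts when keytool is available, and checks which names the SAN covers, which is the same decision the "Hostname ... not verified" warning reports. The hostname graylog.hosty.com is taken from the posted openssl.conf; the directory ./tls and the fixed IP 10.89.0.150 (the address from the first error) are illustrative assumptions. In practice the stable choice is to announce a DNS name via GRAYLOG_HTTP_PUBLISH_URI and put that name in the SAN; the IP entry is only useful if the container's address is pinned.

```shell
#!/bin/sh
# Added example, not from the original thread or from Graylog.
# Assumptions: ./tls as the output directory, graylog.hosty.com as the FQDN,
# 10.89.0.150 as an illustrative pinned container IP.
set -eu

TLS_DIR="${TLS_DIR:-./tls}"

# OpenSSL config in the same shape as the thread's openssl.conf, with the
# container name, the FQDN from the CN, and one IP listed as SAN entries.
write_openssl_cnf() {
    mkdir -p "$TLS_DIR"
    cat > "$TLS_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = CA
L = Lake
O = Hosty
OU = IT
CN = graylog.hosty.com

[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = graylog
DNS.2 = graylog.hosty.com
IP.1 = 10.89.0.150
EOF
}

# Key plus self-signed cert, then the key rewritten as unencrypted PKCS#8,
# which is what Graylog's http_tls_key_file expects.
make_cert() {
    write_openssl_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$TLS_DIR/openssl.cnf" \
        -keyout "$TLS_DIR/key.pem" -out "$TLS_DIR/cert.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$TLS_DIR/key.pem" \
        -out "$TLS_DIR/pkcs8-plain.pem"
}

# Print the SAN line, e.g. "DNS:graylog, DNS:graylog.hosty.com, IP Address:10.89.0.150"
cert_sans() {
    openssl x509 -in "$TLS_DIR/cert.pem" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Exit 0 if NAME (DNS name or dotted IPv4) is an exact SAN entry, 1 otherwise.
# Mirrors the verifier's rule: an IP literal needs an iPAddress entry, a
# hostname needs a dNSName entry, and the CN is not consulted.
san_covers() {
    name="$1"
    case "$name" in
        *[!0-9.]*) entry="DNS:$name" ;;
        *)         entry="IP Address:$name" ;;
    esac
    cert_sans | tr ',' '\n' | sed 's/^ *//' | grep -qx "$entry"
}

# Optional: import the cert into a copy of the JVM's cacerts, as the thread does.
# keytool detects the store format of the copied file, so no -storetype is given.
make_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping truststore" >&2; return 0; }
    java_home="$(dirname "$(dirname "$(readlink -f "$(command -v keytool)")")")"
    for cacerts in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
        [ -f "$cacerts" ] || continue
        cp "$cacerts" "$TLS_DIR/graylog.jks"
        keytool -importcert -noprompt -keystore "$TLS_DIR/graylog.jks" \
            -storepass changeit -alias graylog -file "$TLS_DIR/cert.pem"
        return 0
    done
    echo "cacerts not found under $java_home, skipping truststore" >&2
}

if [ "${1:-}" = "run" ]; then
    make_cert
    make_truststore
    echo "SAN: $(cert_sans)"
    # 10.89.0.52 is the address from the second error: not in the SAN, so it fails.
    for n in graylog graylog.hosty.com 10.89.0.150 10.89.0.52; do
        if san_covers "$n"; then echo "$n: verified"; else echo "$n: NOT verified"; fi
    done
fi
```

Run it as `sh gen-cert.sh run`; the last loop shows that an address the node announces which is absent from the SAN (10.89.0.52 above) is rejected even though the CN and the other SAN entries are fine. Mount the resulting cert.pem, pkcs8-plain.pem and graylog.jks into /opt/graylog/tls as in the compose file.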
