Unable to start any input after setting up web interface as SSL

Hi Guys,

We are unable to start any inputs after setting up the Graylog web interface with SSL/TLS; it gives an error. Has anyone faced a similar error? If I disable those SSL settings, it starts perfectly.

Here are the logs -

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am using a self-signed certificate. Is that creating an issue?

Hi!

Yeah, seems like Java complains about not having a certificate for the web interface’s address. You just need to add it to a Java keystore. In a nutshell the process is like this:

  1. cp -a /etc/pki/ca-trust/extracted/java/cacerts /path/ks.jks
  2. keytool -importcert -keystore ks.jks -alias graylog -file graylog.pem -storepass changeit

.pem format is mandatory.

  3. vi /etc/sysconfig/graylog-server

#Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/path/ks.jks"

  4. systemctl restart graylog-server

The relevant docs: https://docs.graylog.org/en/3.0/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store
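
A pre-restart check for the `/etc/sysconfig/graylog-server` edit described above, as an added example that is not part of the original reply or of Graylog: it rejects typographic quotes or whitespace after `=` in the `GRAYLOG_SERVER_JAVA_OPTS` line, extracts the trust store path, and confirms the file is readable. The function names, the return codes, and the assumption that the file uses shell-style `KEY="value"` assignments belong to this example; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: lint GRAYLOG_SERVER_JAVA_OPTS before restarting graylog-server.
# Assumption: the sysconfig file holds shell-style KEY="value" assignments.
LDQUO=$(printf '\342\200\234')  # U+201C, left typographic quote
RDQUO=$(printf '\342\200\235')  # U+201D, right typographic quote
TAB=$(printf '\t')

# Print the trust store path named in one assignment line.
# Returns 2..5 with a reason on stderr when the line would not work.
truststore_from_opts() {
    line=$1
    case $line in
        *"$LDQUO"*|*"$RDQUO"*)
            echo "typographic quotes; use plain ASCII double quotes" >&2; return 2 ;;
    esac
    case $line in
        "GRAYLOG_SERVER_JAVA_OPTS= "*|"GRAYLOG_SERVER_JAVA_OPTS=$TAB"*)
            echo "whitespace after '=' breaks the assignment" >&2; return 3 ;;
    esac
    path=$(printf '%s\n' "$line" |
        sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p')
    [ -n "$path" ] || { echo "no -Djavax.net.ssl.trustStore option" >&2; return 4; }
    case $path in
        /*) ;;
        *) echo "trust store path must be absolute: $path" >&2; return 5 ;;
    esac
    printf '%s\n' "$path"
}

# Lint the last active assignment in a sysconfig file and check the store is readable.
lint_sysconfig() {
    line=$(grep '^GRAYLOG_SERVER_JAVA_OPTS=' "$1" | tail -n 1)
    path=$(truststore_from_opts "$line") || return $?
    [ -r "$path" ] || { echo "trust store not readable: $path" >&2; return 6; }
    echo "ok: $path"
}

# Constructed sample lines: the first as pasted from a web page, the second corrected.
BAD="GRAYLOG_SERVER_JAVA_OPTS= ${LDQUO}-Xms1g -Djavax.net.ssl.trustStore=/path/ks.jks${RDQUO}"
GOOD='GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Djavax.net.ssl.trustStore=/path/ks.jks"'
truststore_from_opts "$BAD" || echo "rejected with status $?"
truststore_from_opts "$GOOD"
```

Run `lint_sysconfig /etc/sysconfig/graylog-server` as the account the service runs under, so the readability check reflects what the JVM will see.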

Okies - thanks, let me quickly do that and come back to you. By the way, after enabling HTTPS, does the input also need encryption? Do logs coming from endpoints need an SSL cert as well?

It depends. Input has its own settings that aren’t related to the web interface.
