Unable to start graphical interface after enabled TLS in Graylog 3.0

Hi Guys,

Need your advice on an issue that I have been struggling with for 2 days…

I have installed Graylog 3.0 - all good, no issues at all while accessing via http.
I have enabled TLS and added the certificate and private key, and then the GUI doesn't open anymore (it connects to the graylog server and I get a blank page, it looks like the interface is not loading), but the certificate is recognized by the browser as valid.

The steps I did:

  • installed certificate/private key - I do not get any error on them, they match and are valid
  • installed certificate in the java keystore
  • no errors in the graylog log - all processes are running (also elasticsearch/mongo db run fine)
  • checked and confirmed that all prerequisites are met (java version etc)

Does anybody have any idea how to troubleshoot this behavior?
Am I missing anything? From graylog documentation there are not too many settings I need to change:
http://docs.graylog.org/en/3.0/pages/configuration/https.html

I don't have any idea where to look for the issue.

Any suggestion would be highly appreciated.

Thanks,
Coriolan

did you add the java keystore to your Graylog startup parameters?

Thanks for the suggestion,
Initially I didn't; after I read your suggestion I created a separate keystore by copying the java keystore, then I added the following option to the startup script:
-Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks

This keystore has the PEM certificate imported (I checked).

The bad part is I still have the same issue: the certificate appears as valid in the browser but only the page title is loading, nothing else… it simply displays the page title "Graylog Web Interface" in the bar and then it dies…

Regards,
Coriolan

what is in the Graylog server.log? That will give you (and us) some idea what might be wrong …

It appears to be normal, nothing unusual, except some errors, not sure if they are related to the interface:

2019-03-20T14:25:05.949+01:00 ERROR [LookupDataAdapter] Couldn’t start data adapter

2019-03-20T14:25:06.554+01:00 INFO [JerseyService] Enabling CORS for HTTP endpoint
2019-03-20T14:25:28.433+01:00 INFO [NetworkListener] Started listener bound to [10.10.10.10:9000]
2019-03-20T14:25:28.435+01:00 INFO [HttpServer] [HttpServer] Started.
2019-03-20T14:25:28.435+01:00 INFO [JerseyService] Started REST API at <10.10.10.10:9000>
2019-03-20T14:25:28.435+01:00 INFO [ServiceManagerListener] Services are healthy
2019-03-20T14:25:28.437+01:00 INFO [ServerBootstrap] Services started, startup times in ms: {OutputSetupService [RUNNING]=48, KafkaJournal [RUNNING]=186, BufferSynchronizerService [RUNNING]=196, JournalReader [RUNNING]=264, InputSetupService [RUNNING]=266, ConfigurationEtagService [RUNNING]=272, EtagService [RUNNING]=307, StreamCacheService [RUNNING]=519, PeriodicalsService [RUNNING]=527, LookupTableService [RUNNING]=732, JerseyService [RUNNING]=22994}
2019-03-20T14:25:28.439+01:00 INFO [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2019-03-20T14:25:28.447+01:00 INFO [ServerBootstrap] Graylog server up and running.
2019-03-20T14:25:28.539+01:00 INFO [InputStateListener] Input [Syslog UDP/5b573c8c2b50d80f20a5ddad] is now STARTING
2019-03-20T14:25:28.547+01:00 INFO [InputStateListener] Input [Syslog TCP/5b573daf2b50d80f20a5def5] is now STARTING
2019-03-20T14:25:28.650+01:00 WARN [Bootstrap] Unknown channel option ‘io.netty.channel.unix.UnixChannelOption#SO_REUSEPORT’ for channel ‘[id: 0x08239558]’
2019-03-20T14:25:28.651+01:00 WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=TCP_Input, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=null} (channel [id: 0x6b335079, L:/0.0.0.0:1115]) should be 1048576 but is 212992.
2019-03-20T14:25:28.652+01:00 INFO [InputStateListener] Input [Syslog TCP/5b573daf2b50d80f20a5def5] is now RUNNING
2019-03-20T14:25:28.809+01:00 INFO [InputStateListener] Input [Syslog UDP/5b573c8c2b50d80f20a5ddad] is now RUNNING

that snippet reveals nothing …

so what do the http_* variables hold in your server.conf?

It looks like this:
http_bind_address = 10.10.10.10:9000
http_publish_uri = http://10.10.10.10:9000/
http_enable_cors = true
http_enable_gzip = true
http_max_header_size = 8192
http_thread_pool_size = 16
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert.pem
http_tls_key_file = /etc/graylog/server/key.pem

The keystore is configured so that graylog can use it (the certificate was added to the key store):
$GRAYLOG_COMMAND_WRAPPER ${JAVA:=/usr/bin/java} $GRAYLOG_SERVER_JAVA_OPTS \
  -jar \
  -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml \
  -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks \
  -Djava.library.path=/usr/share/graylog-server/lib/sigar \
  -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown} \
  /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np \
  $GRAYLOG_SERVER_ARGS

Unfortunately still no luck… I created a different self-signed certificate and it does the same… I think it may be related to java, as even if I remove the certificates from the keystore it doesn't change the behavior.

I am still digging into it, hope I will be able to catch the reason why it hangs.

does the certificate contain that IP? ( 10.10.10.10 ) Because Java is picky about what is inside the certificate.

The certificate is bound to some fqdn… I am going to set up apache in front of graylog to test the same certificate, just to make sure this part is okay, will let you know the result

thanks,
Coriolan

The certificate is bound to some fqdn

If the cert does not include the IP you have configured in Graylog (or the Endpoint you have configured by hostname) this will not work.
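The mismatch described in this reply (the browser accepts the certificate, but the host named in http_publish_uri is not in the certificate's Subject Alternative Names) can be checked before restarting Graylog. The script below is an added example, not Graylog's code or anything from this thread; it pulls the dNSName and iPAddress entries out of the SAN extension of a DER/PEM certificate with a minimal ASN.1 walker (it locates the extension by its OID, which is a simplification rather than a full X.509 parser) and compares them with the host in http_publish_uri the way a TLS client would, including the https:// scheme the Graylog HTTPS docs expect when http_enable_tls is true. The sample_san_extension helper builds a constructed SAN extension so the check runs offline; the function and variable names are this example's own.

```python
"""Check that a Graylog TLS certificate's SAN covers the http_publish_uri host.

Added example (not Graylog's own tooling). Assumes a PEM certificate such as
the cert.pem referenced in server.conf; all helper names are hypothetical.
"""
import base64
import ipaddress
import re
from urllib.parse import urlparse

# DER TLV of the id-ce-subjectAltName OID 2.5.29.17: 06 03 55 1d 11
SAN_OID_TLV = bytes.fromhex("0603551d11")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, value):
    """Encode a short-form DER TLV (constructed samples only; value < 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def san_names(der):
    """Return (dns_names, ip_addresses) from the SubjectAltName extension in DER bytes."""
    idx = der.find(SAN_OID_TLV)
    if idx < 0:
        return [], []
    pos = idx + len(SAN_OID_TLV)
    tag, value, pos = _read_tlv(der, pos)
    if tag == 0x01:  # optional BOOLEAN 'critical' flag precedes the extension value
        tag, value, pos = _read_tlv(der, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    _, names_seq, _ = _read_tlv(value, 0)  # SEQUENCE OF GeneralName
    dns, ips = [], []
    p = 0
    while p < len(names_seq):
        tag, v, p = _read_tlv(names_seq, p)
        if tag == 0x82:  # dNSName [2] IA5String
            dns.append(v.decode("ascii").lower().rstrip("."))
        elif tag == 0x87:  # iPAddress [7] OCTET STRING (4 or 16 bytes)
            ips.append(str(ipaddress.ip_address(v)))
    return dns, ips


def host_matches(host, dns, ips):
    """Mimic client hostname verification: IP literals need an iPAddress SAN,
    names need an exact dNSName or a single-label wildcard match."""
    try:
        return str(ipaddress.ip_address(host)) in ips
    except ValueError:
        pass  # not an IP literal, fall through to name matching
    host = host.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_graylog_tls(publish_uri, enable_tls, san_dns, san_ips):
    """Return a list of findings; an empty list means the URI and SAN agree."""
    findings = []
    parsed = urlparse(publish_uri)
    if enable_tls and parsed.scheme != "https":
        findings.append("http_publish_uri should use https:// when http_enable_tls = true")
    if not host_matches(parsed.hostname, san_dns, san_ips):
        findings.append(f"certificate SAN {san_dns + san_ips} does not cover host {parsed.hostname!r}")
    return findings


def sample_san_extension(dns=(), ips=()):
    """Constructed sample: a DER-encoded SubjectAltName Extension (not a full cert)."""
    names = b"".join(_der(0x82, d.encode("ascii")) for d in dns)
    names += b"".join(_der(0x87, ipaddress.ip_address(i).packed) for i in ips)
    return _der(0x30, SAN_OID_TLV + _der(0x04, _der(0x30, names)))


if __name__ == "__main__":
    import sys
    # Usage: python check_san.py /etc/graylog/server/cert.pem https://graylog.example.com:9000/
    with open(sys.argv[1]) as fh:
        dns, ips = san_names(pem_to_der(fh.read()))
    for finding in check_graylog_tls(sys.argv[2], True, dns, ips) or ["OK: SAN covers publish host"]:
        print(finding)
```

Run against the thread's configuration (http_publish_uri = http://10.10.10.10:9000/ with a certificate issued only to an FQDN) it reports both the scheme and the missing SAN entry; pointing http_publish_uri at the FQDN, as the original poster eventually did, clears both findings.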

You are correct, that was the issue. I was able to isolate it yesterday evening: the certificate was bound to an fqdn (which was a cname record to the server hostname fqdn in DNS), and once I replaced the IP with the fqdn in the graylog configuration file it started to work with no issues.

Thank you for your suggestions, highly appreciated. :slight_smile:

Best regards,
Coriolan
