Ok, I finally managed to get TLS encryption working on the web interface while still being able to start my inputs. Next up is figuring out how to actually get a client to send TLS encrypted syslog input to Graylog.
These are the steps I followed to get things working on my Debian 10 box (thanks to user @dickinsonzach, who posted this solution: After SSL - Hostname not verified - #12 by dickinsonzach):
Start out by changing directory into /etc/graylog/server
Then do:
sudo vi openssl-graylog.cnf
Insert the following:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = input countrycode
L = input city
O = input organisation name
OU = insert department name
CN = insert graylog FQDN (i.e. graylog.yourdomain.com)
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, nonRepudiation, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = insert IP-address of graylog server
DNS.1 = insert graylog FQDN
Save & exit VI.
Now create a certificate using the config we just set up:
sudo openssl req -x509 -days 1095 -nodes -newkey rsa:4096 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
Convert the pkcs5 file into pkcs8 format:
sudo openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
Create an encrypted version of the pkcs8 certificate file:
sudo openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:*insert a cert passphrase*
Import the cert.pem created initially, into the keystore:
sudo keytool -importcert -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias *insert graylog FQDN* -file cert.pem
Give the graylog user ownership of all the certs:
sudo chown -R graylog:graylog /etc/graylog/
Edit the graylog server config to enable TLS encryption:
sudo vi /etc/graylog/server/server.conf
In section “HTTPS settings”, make changes like so:
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert.pem
http_tls_key_file = /etc/graylog/server/pkcs8-encrypted.pem
http_tls_key_password = [insert cert passphrase]
Finally, do:
sudo systemctl restart graylog-server.service
And test that the Graylog web interface can now be accessed over https - https://insert graylog FQDN:9000/
Also check that the inputs are still working/running.
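Here is the whole procedure above as one script, added as an example (it is not part of the original post or of Graylog itself). It runs the same openssl and keytool steps non-interactively and then checks the result before you touch server.conf: that the certificate carries both SAN entries and the serverAuth EKU, that the private key actually belongs to the certificate, that the encrypted PKCS#8 key opens with the passphrase you will put in http_tls_key_password, and that no private key file is world-readable. It assumes OpenSSL 1.1.1 or newer (what Debian 10 ships) and, only for the truststore import, the JDK keytool; the FQDN, IP address, directory and passphrase in the usage comment are made-up values.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Graylog project: runs the
# certificate steps non-interactively and verifies the result before
# server.conf is edited. Assumes OpenSSL 1.1.1+ and, for the optional
# truststore import, the JDK keytool. Hostnames, IPs and the passphrase in
# the usage section at the bottom are hypothetical.
set -eu

# make_graylog_cert DIR FQDN IP PASSPHRASE
# Writes openssl-graylog.cnf, cert.pem, pkcs8-plain.pem and pkcs8-encrypted.pem
# into DIR with the same openssl invocations as the post.
make_graylog_cert() {
  local dir="$1" fqdn="$2" ip="$3" pass="$4"
  mkdir -p "$dir"
  cat > "$dir/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
O = Example Org
CN = $fqdn
[v3_req]
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $ip
DNS.1 = $fqdn
EOF
  # umask 077 keeps the private-key files owner-only from the moment they exist
  (
    umask 077
    openssl req -x509 -days 1095 -nodes -newkey rsa:4096 \
      -config "$dir/openssl-graylog.cnf" \
      -keyout "$dir/key-plain.pem" -out "$dir/cert.pem" 2>/dev/null
    # OpenSSL 1.1+ already writes PKCS#8 ("BEGIN PRIVATE KEY"); the explicit
    # conversion from the post is kept so older builds end up with the same file.
    openssl pkcs8 -topk8 -nocrypt -in "$dir/key-plain.pem" -out "$dir/pkcs8-plain.pem"
    # Passphrase via the environment instead of pass:... so it is not visible in ps.
    GL_KEY_PASS="$pass" openssl pkcs8 -topk8 -v2 aes-256-cbc \
      -in "$dir/pkcs8-plain.pem" -out "$dir/pkcs8-encrypted.pem" -passout env:GL_KEY_PASS
    rm -f "$dir/key-plain.pem"
  )
}

# verify_graylog_cert DIR FQDN IP PASSPHRASE -> returns 0 only if every check passes
verify_graylog_cert() {
  local dir="$1" fqdn="$2" ip="$3" pass="$4" san cert_pub key_pub
  # 1. Both SAN entries are present; browsers and Java ignore the CN for hostname checks.
  san=$(openssl x509 -in "$dir/cert.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  case "$san" in *"DNS:$fqdn"*) ;; *) echo "SAN lacks DNS:$fqdn" >&2; return 1 ;; esac
  case "$san" in *"IP Address:$ip"*) ;; *) echo "SAN lacks IP Address:$ip" >&2; return 1 ;; esac
  # 2. serverAuth EKU, which a web-interface certificate needs.
  openssl x509 -in "$dir/cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "missing serverAuth EKU" >&2; return 1; }
  # 3. The private key really belongs to this certificate.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/pkcs8-plain.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
  # 4. The encrypted key opens with the passphrase that goes into http_tls_key_password.
  GL_KEY_PASS="$pass" openssl pkey -in "$dir/pkcs8-encrypted.pem" -passin env:GL_KEY_PASS -noout 2>/dev/null \
    || { echo "passphrase does not decrypt pkcs8-encrypted.pem" >&2; return 1; }
  # 5. No private key is world-readable (the later chown to graylog keeps that).
  [ -z "$(find "$dir" -name 'pkcs8-*.pem' -perm -004)" ] \
    || { echo "a private key is world-readable" >&2; return 1; }
}

# import_into_java_truststore DIR FQDN [CACERTS]: the keytool call from the post,
# so Graylog's own JVM trusts the self-signed cert (needs root for the system store).
import_into_java_truststore() {
  local dir="$1" fqdn="$2" store="${3:-/etc/ssl/certs/java/cacerts}"
  keytool -importcert -noprompt -keystore "$store" -storepass changeit \
    -alias "$fqdn" -file "$dir/cert.pem"
}

# server_conf_snippet DIR: the HTTPS lines for server.conf, with paths that match
# where the files were actually written. The passphrase is left for you to fill in.
server_conf_snippet() {
  local dir="$1"
  printf 'http_enable_tls = true\n'
  printf 'http_tls_cert_file = %s/cert.pem\n' "$dir"
  printf 'http_tls_key_file = %s/pkcs8-encrypted.pem\n' "$dir"
  printf 'http_tls_key_password = <passphrase used above>\n'
}

# Usage (hypothetical values), as root so the truststore import succeeds:
#   GRAYLOG_CERT_DIR=/etc/graylog/server GRAYLOG_FQDN=graylog.example.com \
#   GRAYLOG_IP=10.0.0.5 GRAYLOG_KEY_PASS='change-me' bash graylog-tls.sh
if [ -n "${GRAYLOG_CERT_DIR:-}" ]; then
  make_graylog_cert "$GRAYLOG_CERT_DIR" "$GRAYLOG_FQDN" "$GRAYLOG_IP" "$GRAYLOG_KEY_PASS"
  verify_graylog_cert "$GRAYLOG_CERT_DIR" "$GRAYLOG_FQDN" "$GRAYLOG_IP" "$GRAYLOG_KEY_PASS"
  if command -v keytool >/dev/null 2>&1; then
    import_into_java_truststore "$GRAYLOG_CERT_DIR" "$GRAYLOG_FQDN"
  fi
  server_conf_snippet "$GRAYLOG_CERT_DIR"
fi
```

After the chown and the restart, the same checks can be repeated from the outside with openssl s_client -connect <fqdn>:9000 -servername <fqdn>, which shows the certificate the server actually presents; if the SAN there does not match the hostname you browse to, the browser warning is coming from the certificate and not from Graylog.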