Unreadable or missing HTTP X.509 certificate

I’m trying to enable TLS for Graylog but Graylog keeps rejecting my certificate I made with my CA, the log file keeps outputting:
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP X.509 certificate: /etc/graylog/server/certificates/my-cert.pem

The certificate was generated by OpenSSL on my CA as a server certificate. It’s a PEM file with the following format/contents:
~ Cert Data ~

I can’t figure out why Graylog either thinks this certificate is invalid or if it cannot open the file for some reason.


Have you read the relevant sections around this in the docs?


Yes, I followed the instructions there and ensured my private key is PKCS#8 as well.

I would check the permissions on:

  • /etc/graylog/server/certificates/
  • /etc/graylog/server/certificates/my-cert.pem

Ensure that the graylog user has read/execute permissions on the certificates directory and has read permissions on the my-cert.pem file.

Gave the folder and the cert read permissions and it’s still throwing the same error. :confused:

I wish I could know more information on why it’s saying it’s invalid…

Interestingly I don’t see that error anymore but I see this in the log:

com.mongodb.DuplicateKeyException: Write failed with error code 11000 and error message ‘E11000 duplicate key error collection: graylog.index_field_types index: index_name_1 dup key: { index_name: “graylog_0” }’

It’s right after that that Graylog starts shutting down due to the exception. I’m not sure why enable_tls is causing this, though.

Also, at the end of the Graylog document online "Using HTTPS’, at the end:

Without adding the previously created Java keystore to the JVM parameters, Graylog won’t be able to verify any self-signed certificates or custom CA certificates.

Do I have to do this as well if I’m not self signing, but actually using my own CA? Do I have to do something else other than just adding the cert and private key to the config?

You are using your own CA so, yes. You do. Your CA is not trusted in the default keystore.

The Mongodb error is a separate issue.

I installed my CA as a trusted CA in Ubuntu, system wide right? Or do I need to add it into the Java keystore?

sudo dpkg-reconfigure ca-certificates

They are two different things.
You must perform the steps outlined in the documentation for the Java Keystore.

I’m lost. I tried following the steps to make a “copy” of the trust core, but “$JAVA_HOME/jre/lib/security/cacerts” doesn’t exist. I poked around and I found that my Java installation isn’t even in /usr/bin/java", so I don’t understand how graylog is even running if it’s config file for JVM at “/etc/default/graylog-server” and that file points to “/usr/bin/java” for the Java executable…

So what I did is I added my CA and my cert I issued for graylog into Java’s truststore at the installation I found, which is at “usr/lib/jvm/java-1.8.0-openjdk-amd64/jre”. And I noticed you have to add the “-Djavax.net.ssl.trustStore=/path/to/cacerts.jk” parameter for JVM for Graylog to look for the trust store, but again, it’s like it’s not even using the JVM config file at “/etc/default/graylog-server” like their documentation says it should. Idk where else to put the parameter.

I thought that whole Java thing was for if you wanted the self-signed cert solution. Like anything else, I didn’t think I’d have to trust my CA, and all I had to do was give the certificate to Graylog for it to use.

If you or anybody’s curious, this is the error I’m getting when trying to start Graylog with https enabled:

2020-03-12T15:38:43.343-04:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() – data isn’t an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.(ObjectIdentifier.java:257) ~[?:1.8.0_242]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.(AlgorithmId.java:114) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
at javax.crypto.EncryptedPrivateKeyInfo.(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:347) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:172) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:146) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_242]

I guess you have MongoDB 4.2 running?

enable the compatibility mode for 4.0 in that MongoDb Version that you can run Graylog with this version.

I’ll go ahead and try that. What’s weird is Graylog works like it is if I have HTTPS disabled, but when I enable it it keeps crashing.

4.0 compatibility didn’t fix it, same error. This is an HTTPS issue as there’s x509, algorithm, etc in the errors.

I can’t figure out what it is though… my certificate is fine.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.