Unreadable or missing HTTP X.509 certificate

I’m trying to enable TLS for Graylog, but Graylog keeps rejecting the certificate I made with my CA; the log file keeps outputting:
com.github.joschi.jadconfig.ValidationException: Unreadable or missing HTTP X.509 certificate: /etc/graylog/server/certificates/my-cert.pem

The certificate was generated by OpenSSL on my CA as a server certificate. It’s a PEM file with the following format/contents:
-----BEGIN CERTIFICATE-----
~ Cert Data ~
-----END CERTIFICATE-----

I can’t figure out whether Graylog thinks this certificate is invalid or whether it simply cannot open the file for some reason.

Thoughts?

Have you read the relevant sections around this in the docs?

https://docs.graylog.org/en/3.2/pages/configuration/https.html

Yes, I followed the instructions there and ensured my private key is PKCS#8 as well.

I would check the permissions on:

  • /etc/graylog/server/certificates/
  • /etc/graylog/server/certificates/my-cert.pem

Ensure that the graylog user has read/execute permissions on the certificates directory and has read permissions on the my-cert.pem file.

Gave the folder and the cert read permissions and it’s still throwing the same error. :confused:

I wish I could know more information on why it’s saying it’s invalid…

Interestingly I don’t see that error anymore but I see this in the log:

com.mongodb.DuplicateKeyException: Write failed with error code 11000 and error message 'E11000 duplicate key error collection: graylog.index_field_types index: index_name_1 dup key: { index_name: "graylog_0" }'

It’s right after that that Graylog starts shutting down due to the exception. I’m not sure why enable_tls is causing this, though.

Also, at the end of the online Graylog document "Using HTTPS":

Without adding the previously created Java keystore to the JVM parameters, Graylog won’t be able to verify any self-signed certificates or custom CA certificates.

Do I have to do this as well if I’m not self signing, but actually using my own CA? Do I have to do something else other than just adding the cert and private key to the config?

You are using your own CA, so yes, you do. Your CA is not trusted in the default keystore.

The Mongodb error is a separate issue.

I installed my CA as a trusted CA in Ubuntu, system-wide, right? Or do I need to add it into the Java keystore?

sudo dpkg-reconfigure ca-certificates

They are two different things.
You must perform the steps outlined in the documentation for the Java Keystore.

I’m lost. I tried following the steps to make a “copy” of the trust store, but “$JAVA_HOME/jre/lib/security/cacerts” doesn’t exist. I poked around and found that my Java installation isn’t even at “/usr/bin/java”, so I don’t understand how Graylog is even running if its JVM config file at “/etc/default/graylog-server” points to “/usr/bin/java” for the Java executable…

So what I did is I added my CA and the cert I issued for Graylog into Java’s truststore at the installation I found, which is at “/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre”. And I noticed you have to add the “-Djavax.net.ssl.trustStore=/path/to/cacerts.jk” parameter for the JVM for Graylog to look for the trust store, but again, it’s like it’s not even using the JVM config file at “/etc/default/graylog-server” like their documentation says it should. I don’t know where else to put the parameter.

I thought that whole Java thing was only for the self-signed cert solution. Like with anything else, I didn’t think I’d have to trust my CA; I thought all I had to do was give the certificate to Graylog for it to use.

If you or anybody’s curious, this is the error I’m getting when trying to start Graylog with https enabled:

2020-03-12T15:38:43.343-04:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {FAILED=[JerseyService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:741) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:553) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:314) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:161) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:210) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:50) [graylog.jar:?]
Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: JerseyService [FAILED]
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:1.8.0_242]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:1.8.0_242]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_242]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_242]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_242]
at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_242]
at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:98) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.buildSslEngineConfigurator(JerseyService.java:347) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:172) ~[graylog.jar:?]
at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:146) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) ~[graylog.jar:?]
at com.google.common.util.concurrent.Callables$4.run(Callables.java:119) ~[graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_242]
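In the trace above, Graylog's PemKeyStore hands the key file to javax.crypto.EncryptedPrivateKeyInfo, and the decoder reports "tag = 48": 48 is 0x30, the DER SEQUENCE tag, found where an algorithm OID (tag 6) was expected, so the block is not laid out the way an encrypted PKCS#8 key is. The following stdlib-only Python script is an added example, not Graylog's code or anything posted in this thread: it classifies each PEM block in a file by its label and its outer DER layout so the key form can be matched to the server configuration; the option names http_tls_key_file and http_tls_key_password mentioned in comments are assumed from a Graylog 3.x server.conf, and the sample DER skeletons are constructed outlines, not real keys.

```python
import base64
import re

# One PEM block: the label and the base64 body between the BEGIN/END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SEQUENCE, INTEGER, OID = 0x30, 0x02, 0x06   # DER tags; 0x30 is decimal 48


def _tlv(der, pos):
    """Read one DER tag/length header at pos; return (tag, start of content)."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                         # short-form length
        return tag, pos + 2
    return tag, pos + 2 + (first & 0x7F)     # long-form: skip the length octets


def classify_block(label, der):
    """Describe what a PEM block really holds, judged by its DER layout."""
    if not der or der[0] != SEQUENCE:
        return "bad: outer tag 0x%02x is not a SEQUENCE" % (der[0] if der else 0)
    _, body = _tlv(der, 0)
    if len(der) <= body:
        return "bad: empty SEQUENCE"
    inner = der[body]                        # tag of the first element inside
    if label == "CERTIFICATE":
        return "ok: X.509 certificate" if inner == SEQUENCE else "bad: no TBSCertificate"
    if label == "PRIVATE KEY":               # http_tls_key_file without a password (assumed option)
        return ("ok: unencrypted PKCS#8 PrivateKeyInfo" if inner == INTEGER
                else "bad: PKCS#8 must start with a version INTEGER")
    if label == "ENCRYPTED PRIVATE KEY":     # also needs http_tls_key_password (assumed option)
        if inner == SEQUENCE and der[_tlv(der, body)[1]] == OID:
            return "ok: encrypted PKCS#8 EncryptedPrivateKeyInfo"
        return "bad: EncryptedPrivateKeyInfo must start with an AlgorithmIdentifier OID"
    if label == "RSA PRIVATE KEY":
        return "convert: PKCS#1 key, not PKCS#8 (openssl pkcs8 -topk8 -nocrypt)"
    return "unknown PEM label"


def classify_pem(text):
    """Return [(label, verdict)] for every PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))   # drop line breaks first
        results.append((label, classify_block(label, der)))
    return results


def make_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed DER skeletons: structurally valid outlines, not real keys or certs.
PKCS8_PLAIN = bytes([0x30, 0x03, 0x02, 0x01, 0x00])            # SEQ { INTEGER 0 }
PKCS8_ENC = bytes([0x30, 0x05, 0x30, 0x03, 0x06, 0x01, 0x2A])   # SEQ { SEQ { OID } }
```

Run classify_pem over the contents of the certificate and key files named in server.conf; a plain PKCS#8 key stored under the "ENCRYPTED PRIVATE KEY" label, or a PKCS#1 "RSA PRIVATE KEY" block, is reported as such.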

I guess you have MongoDB 4.2 running?

Enable the compatibility mode for 4.0 in that MongoDB version so that you can run Graylog with this version.

I’ll go ahead and try that. What’s weird is Graylog works like it is if I have HTTPS disabled, but when I enable it it keeps crashing.

4.0 compatibility didn’t fix it, same error. This is an HTTPS issue, as there’s x509, algorithm, etc. in the errors.

I can’t figure out what it is though… my certificate is fine.
