Unsupported key type PKCS#1, please convert to PKCS#8


#1

Hi,

I'm using Graylog 2.2.2, and I can't get rid of this log message.

The key I'm using as rest_tls_key_file is in PKCS#8 format.

This is the complete error message I'm getting in the log file:

2017-03-21T14:36:51.066+01:00 WARN  [AbstractNioSelector] Failed to initialize an accepted socket.
java.lang.IllegalArgumentException: Unsupported key type PKCS#1, please convert to PKCS#8
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadPrivateKey(KeyUtil.java:146) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.initKeyStore(KeyUtil.java:116) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:205) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]

My keyfile header and footer are:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Which should be correct according to https://wiki.openssl.org/index.php/Manual:Pkcs8(1)#NOTES

Any ideas?


#2

You can try to convert from pkcs#1 to pkcs#2 with something like

openssl pkcs8 -topk8 -inform PEM -outform PEM -in pkcs1.key -out pkcs8.key


(Jochen) #3

Please read http://docs.graylog.org/en/2.2/pages/configuration/https.html.


#4

Do I have to use a password? Because when I use your openssl command with an additional -nocrypt option, the outfile is exactly the same as the infile:

openssl pkcs8 -topk8 -inform PEM -outform PEM -in graylog.key -out pkcs8.key -nocrypt

md5sum graylog.key pkcs8.key
96e021d341a7f304e3b03fa3ceca3bf2 graylog.key
96e021d341a7f304e3b03fa3ceca3bf2 pkcs8.key


#5

I did read that; however, I cannot use a self-signed certificate, so I'm stuck with the convert option, which was unsuccessful.

Looking at the code I’m wondering if the logic might be reversed because in this commit:

https://github.com/Graylog2/graylog2-server/commit/4926494cb62b5dc2d0f5d7f8b810a64617cf5249

Support for a new keytype was added by adding a string to regex matcher group 1, however the condition which results in the error I’m getting seems to match if that matcher group is not empty.

I’m not a developer, so I’m probably wrong here.


#6

I forgot to mention that HTTPS does work, despite the errors in the logfile.


#7

I think the problem is a TLS-configured input, which used another key file which was indeed not in pkcs8 format.

However, after using the openssl command mentioned above to convert this key, I now get another error:

2017-03-22T15:46:11.623+01:00 WARN  [AbstractNioSelector] Failed to initialize an accepted socket.
java.io.IOException: overrun, bytes = 1197
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:92) ~[?:1.8.0_111]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.createKeySpec(KeyUtil.java:179) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadPrivateKey(KeyUtil.java:152) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.initKeyStore(KeyUtil.java:116) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:205) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_111]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_111]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]

#8

Ok, the errors have stopped now, so to sum up, it was a PKCS#1 key used in an input.
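
An added example, not part of the thread: because the cause turned out to be a second key file configured on an input, this script reports the format of each key file from its PEM BEGIN line, so every configured key can be checked in one pass. The function names and sample file names are hypothetical, and the sample files are constructed (armor lines only, no key material).

```shell
#!/bin/sh
# Added example: classify PEM private-key files by their BEGIN line.
#   BEGIN RSA PRIVATE KEY        -> pkcs1 (traditional RSA format)
#   BEGIN EC PRIVATE KEY         -> sec1  (traditional EC format)
#   BEGIN PRIVATE KEY            -> pkcs8 (unencrypted)
#   BEGIN ENCRYPTED PRIVATE KEY  -> pkcs8-encrypted

pem_key_format() {
    # Print the format of the first private-key block in file $1.
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    # Drop CRs so CRLF files match; -e keeps the leading dashes from
    # being parsed as grep options.
    header=$(tr -d '\r' < "$1" |
        grep -E -e '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----$' | head -n 1)
    case "$header" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo "pkcs1" ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo "sec1" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "")                                      echo "no-private-key" ;;
        *)                                       echo "other" ;;
    esac
}

audit_key_files() {
    # Print "format<TAB>path" per file; return 1 if any is not PKCS#8.
    rc=0
    for f in "$@"; do
        fmt=$(pem_key_format "$f")
        printf '%s\t%s\n' "$fmt" "$f"
        case "$fmt" in pkcs8|pkcs8-encrypted) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

make_samples() {
    # Constructed sample files in directory $1: armor lines only, CRLF endings.
    for kind in "RSA PRIVATE KEY" "PRIVATE KEY" "ENCRYPTED PRIVATE KEY"; do
        name=$(echo "$kind" | tr 'A-Z ' 'a-z_')
        printf '%s\r\n' "-----BEGIN $kind-----" "(constructed)" \
            "-----END $kind-----" > "$1/$name.pem"
    done
}
```

Pass `audit_key_files` the rest_tls_key_file path together with the TLS key file of every input; a file reported as pkcs1 is a candidate for the `openssl pkcs8 -topk8` conversion from post #2.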