WARN [ProxiedResource] Unable to call and unable to start inputs

@pguillermet
I’m sorry to hear you are still having problems. It did take some time for me to understand how certificates work with graylog-server. One thing was clear: the certs need to be in the right format. Graylog needs to be able to access the certs for the input (i.e. permissions), and Graylog needs to be able to access the keystore. I can show you what I did, but I also know everyone’s environment is a little bit different, so you might need to adapt these steps to your needs. The following steps are for CentOS 7 with Elasticsearch, MongoDB, and Graylog all on one virtual machine. This helped me understand how and what to configure before I went into a production environment. An older problem I had with this was the DNS entry for my server: I had to make sure the reverse lookup was configured.

  1. Navigate to the following directory:
    NOTE: I looked for my Java keystore called cacerts.
  • cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security
  2. Change the default password for the Java cacerts store. The default password is changeit.
  • keytool -storepasswd -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts

  • Type “changeit”

  • New password: type “secret” /// this will be configured in the Graylog configuration file

  3. Generate certs for Graylog.
  • keytool -genkey -alias dns.name.of.server -keyalg RSA -validity 365 -keystore keystore.jks
  • openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem
  • openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
  • openssl pkcs8 -in pkcs5-plain.pem -topk8 -v2 des3 -out pkcs8-encrypted.pem -passout pass:secret
  • keytool -list -v -keystore keystore.jks -alias dns.name.of.server
  • keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
  • openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
  • openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem
  • openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
  4. For OpenJDK use this line. The password it requests is the password you changed in step 2.
  • keytool -import -trustcacerts -file graylog-certificate.pem -alias dns.name.of.server -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts
  5. Move the certificates to the Graylog folder.
  • NOTE: When I first started, I found that moving the files to the Graylog directory was an easy way for me to get the inputs started and HTTPS enabled for Graylog. Since Graylog owns this directory, it was simple. I have grown from this into something better, but I found it a good learning experience to start with.
  • move all *.pem, *.p12 and *.jks files to /etc/graylog/
    and chown graylog:graylog -R /etc/graylog
    so that the graylog user has access to them
  6. Edit /etc/graylog/server/server.conf
  • http_enable_tls = true
  • http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
  • http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
  • http_tls_key_password = secret
  7. Restart Graylog and tail -f server.log
  • systemctl restart graylog-server
  • tail -f /var/log/graylog/server/server.log

My input configuration.

I hope this helps.

The following link helped me understand how to make this happen.

https://docs.graylog.org/en/4.0/pages/configuration/https.html

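The post above stresses three things that commonly break a Graylog TLS setup: the key must be in PKCS#8 format, the password in `http_tls_key_password` must actually decrypt that key, and the graylog user must be able to read the files. The script below is an added example, not the poster's own commands and not Graylog project code: it generates a self-signed certificate plus an encrypted PKCS#8 key with openssl only (no keytool), then runs the checks a practitioner would want before editing `server.conf`. The DNS name, output directory and the password `secret` are placeholders, and it assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a cert/key pair in the
# format Graylog's HTTP TLS settings expect, then verify it before use.
# Assumes openssl >= 1.1.1; DNS name, directory and password are placeholders.
set -euo pipefail

# make_graylog_tls DNS_NAME OUTDIR PASSWORD
# Writes OUTDIR/cert.pem and OUTDIR/graylog-key.pem (encrypted PKCS#8).
make_graylog_tls() {
    local dns_name="$1" outdir="$2" pass="$3"
    mkdir -p "$outdir"
    # Self-signed cert with a subjectAltName; clients match the SAN, not the CN,
    # so the name here must be the one that forward and reverse DNS agree on.
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=${dns_name}" -addext "subjectAltName=DNS:${dns_name}" \
        -keyout "$outdir/pkcs5-plain.pem" -out "$outdir/cert.pem" 2>/dev/null
    # Wrap the traditional key as encrypted PKCS#8. There is no space after
    # "pass:"; "pass: secret" would set an empty password.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$outdir/pkcs5-plain.pem" \
        -out "$outdir/graylog-key.pem" -passout "pass:${pass}"
    # Do not leave the unencrypted key next to the encrypted one.
    rm -f "$outdir/pkcs5-plain.pem"
    chmod 600 "$outdir/graylog-key.pem"
}

# check_graylog_tls DNS_NAME OUTDIR PASSWORD
# Returns 0 only if: the key is encrypted PKCS#8, PASSWORD decrypts it, the key
# belongs to the certificate, the SAN carries DNS_NAME, and the key file is
# mode 600 (readable by its owner only).
check_graylog_tls() {
    local dns_name="$1" outdir="$2" pass="$3"
    local key="$outdir/graylog-key.pem" cert="$outdir/cert.pem"
    local key_pub cert_pub cert_text mode

    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key" \
        || { echo "FAIL: $key is not an encrypted PKCS#8 key"; return 1; }

    key_pub=$(openssl pkey -in "$key" -passin "pass:${pass}" -pubout 2>/dev/null) \
        || { echo "FAIL: password does not decrypt $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: key does not match certificate"; return 1; }

    cert_text=$(openssl x509 -in "$cert" -noout -text)
    case "$cert_text" in
        *"DNS:${dns_name}"*) ;;
        *) echo "FAIL: subjectAltName lacks DNS:${dns_name}"; return 1 ;;
    esac

    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "600" ] \
        || { echo "FAIL: $key mode is $mode, expected 600"; return 1; }

    echo "OK: $cert and $key are ready for http_tls_cert_file / http_tls_key_file"
}

# Usage: ./graylog-tls.sh graylog.example.test /etc/graylog secret
if [ $# -eq 3 ]; then
    make_graylog_tls "$@" && check_graylog_tls "$@"
fi
```

Run it as the account that will own the files, then `chown graylog:graylog` the directory as in step 5; the permission check is what catches the "Unable to call and unable to start inputs" symptom when the key is readable by root only.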