Hi Aldo,

it looks like you've been storing a private key in 
/etc/pki/tls/certs/graylog.pem instead of an X.509 certificate.

Additionally, you really shouldn't post your private keys on a public 
mailing list.

Cheers,
Jochen

On Wednesday, 4 May 2016 19:29:42 UTC+2, Aldo Pellini wrote:
>
> Hi,
> I have created a certificate with these commands:
>
>   942  openssl pkcs8 -topk8 -inform PEM -outform PEM - in graylog.pem -out private_gray.pem -nocrypt
>   944  openssl pkcs8 -topk8 -inform PEM -outform PEM -in graylog.pem -out private_gray.pem -nocrypt
>
> Then I have copied these into the pki directory:
>
>   957  cp private_gray.pem /etc/pki/tls/private/private_gray.pem
>   958  cp graylog.pem /etc/pki/tls/certs
>
> And I enabled HTTPS in server.conf, giving the right paths to these PEM files.
>
> Below my configuration:
>
> # REST API listen URI. Must be reachable by other graylog2-server nodes if you run a cluster.
> rest_listen_uri = https://151.92.28.21:12900
>
> # WEB
> web_listen_uri=https://151.92.28.21:443/
>
> # HTTPS
> web_enable_tls = true
> web_tls_cert_file = /etc/pki/tls/certs/graylog.pem
> web_tls_key_file = /etc/pki/tls/private/private_gray.pem
> #web_tls_key_password =
>
>
> # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
> # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
> # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
> # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
> # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
> # the scheme, host name or URI.
> rest_transport_uri = https://151.92.28.21:12900
>
> # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
> # If these are disabled, modern browsers will not be able to retrieve resources from the server.
> # This is disabled by default. Uncomment the next line to enable it.
> rest_enable_cors = true
>
> # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
> # overall round trip times. This is disabled by default. Uncomment the next line to enable it.
> #rest_enable_gzip = true
>
> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
> # next line to enable it.
> rest_enable_tls = true
>
> # The X.509 certificate file to use for securing the REST API.
> rest_tls_cert_file = /etc/pki/tls/certs/graylog.pem
>
> # The private key to use for securing the REST API.
> rest_tls_key_file = /etc/pki/tls/private/private_gray.pem
>
> I have restarted the graylog-server daemon, but I receive a Java error with the following lines:
>
> 2016-05-04 19:26:07,795 ERROR: com.google.common.util.concurrent.ServiceManager - Service WebInterfaceService [FAILED] has failed in the STARTING state.
> java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>         at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71) ~[graylog.jar:?]
>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114) ~[graylog.jar:?]
>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
>         at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
> 2016-05-04 19:26:07,824 ERROR: org.graylog2.shared.initializers.InputSetupService - Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.AlertScannerThread].
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.AlertScannerThread] complete, took <0ms>.
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.BatchedElasticSearchOutputFlushThread].
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.BatchedElasticSearchOutputFlushThread] complete, took <0ms>.
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.ClusterHealthCheckThread].
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.ClusterHealthCheckThread] complete, took <0ms>.
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexerClusterCheckerThread].
> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexerClusterCheckerThread] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRetentionThread].
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRetentionThread] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRotationThread].
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRotationThread] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.VersionCheckThread].
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.VersionCheckThread] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.ThrottleStateUpdaterThread].
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.ThrottleStateUpdaterThread] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.events.ClusterEventPeriodical].
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.events.ClusterEventPeriodical] complete, took <0ms>.
> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.events.ClusterEventCleanupPeriodical].
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.events.ClusterEventCleanupPeriodical] complete, took <0ms>.
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRangesCleanupPeriodical].
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRangesCleanupPeriodical] complete, took <0ms>.
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.usagestatistics.UsageStatsNodePeriodical].
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.usagestatistics.UsageStatsNodePeriodical] complete, took <0ms>.
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.usagestatistics.UsageStatsClusterPeriodical].
> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.usagestatistics.UsageStatsClusterPeriodical] complete, took <0ms>.
> 2016-05-04 19:26:07,839 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread].
> 2016-05-04 19:26:07,839 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread] complete, took <0ms>.
> 2016-05-04 19:26:07,840 INFO : kafka.log.LogManager - Shutting down.
> 2016-05-04 19:26:07,839 WARN : org.graylog2.initializers.BufferSynchronizerService - Elasticsearch is unavailable. Not waiting to clear buffers and caches, as we have no healthy cluster.
> 2016-05-04 19:26:07,849 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] stopping ...
> 2016-05-04 19:26:07,851 INFO : org.graylog2.initializers.OutputSetupService - Stopping output org.graylog2.outputs.BlockingBatchedESOutput
> 2016-05-04 19:26:07,855 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] stopped
> 2016-05-04 19:26:07,855 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] closing ...
> 2016-05-04 19:26:07,868 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] closed
> 2016-05-04 19:26:07,879 ERROR: com.google.common.util.concurrent.ServiceManager - Service IndexerSetupService [FAILED] has failed in the STOPPING state.
> java.lang.IllegalStateException: Can't move to started state when closed
>         at org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) ~[graylog.jar:?]
>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[graylog.jar:?]
>         at org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) ~[graylog.jar:?]
>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68) ~[graylog.jar:?]
>         at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
>         at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
> 2016-05-04 19:26:07,892 INFO : org.graylog2.shared.journal.JournalReader - Stopping.
> 2016-05-04 19:26:07,902 INFO : kafka.log.LogManager - Shutdown complete.
> 2016-05-04 19:26:08,013 INFO : org.graylog2.shared.initializers.AbstractJerseyService - Enabling CORS for HTTP endpoint
> 2016-05-04 19:26:08,016 ERROR: com.google.common.util.concurrent.ServiceManager - Service RestApiService [FAILED] has failed in the STOPPING state.
> java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>         at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71) ~[graylog.jar:?]
>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114) ~[graylog.jar:?]
>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
>         at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
> 2016-05-04 19:26:08,016 ERROR: org.graylog2.bootstrap.ServerBootstrap - Graylog startup failed. Exiting. Exception was:
> java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
>         at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
>         at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:127) [graylog.jar:?]
>         at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
>         at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
> 2016-05-04 19:26:08,016 WARN : org.graylog2.shared.events.DeadEventLoggingListener - Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
> 2016-05-04 19:26:08,017 INFO : org.graylog2.shared.initializers.ServiceManagerListener - Services are now stopped.
> 2016-05-04 19:26:08,024 INFO : org.graylog2.commands.Server - SIGNAL received. Shutting down.
> 2016-05-04 19:26:08,029 INFO : org.graylog2.system.shutdown.GracefulShutdown - Graceful shutdown initiated.
> 2016-05-04 19:26:08,029 WARN : org.graylog2.shared.events.DeadEventLoggingListener - Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
> 2016-05-04 19:26:08,029 INFO : org.graylog2.system.shutdown.GracefulShutdown - Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
> Exception in thread "Thread-2" java.lang.IllegalStateException: Expected the service to be TERMINATED, but the service has FAILED
>         at com.google.common.util.concurrent.AbstractService.checkCurrentState(AbstractService.java:310)
>         at com.google.common.util.concurrent.AbstractService.awaitTerminated(AbstractService.java:280)
>         at com.google.common.util.concurrent.AbstractIdleService.awaitTerminated(AbstractIdleService.java:173)
>         at org.graylog2.system.shutdown.GracefulShutdown.doRun(GracefulShutdown.java:102)
>         at org.graylog2.system.shutdown.GracefulShutdown.runWithoutExit(GracefulShutdown.java:75)
>         at org.graylog2.commands.Server$ShutdownHook.run(Server.java:188)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>         at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71)
>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114)
>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185)
>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156)
>         at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65)
>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100)
>         ... 1 more
>
> If I read these files I have:
>
> [root@NASTIA-LOG01 ~]# more /etc/pki/tls/certs/graylog.pem 
> -----BEGIN RSA PRIVATE KEY-----
> [...]
> -----END RSA PRIVATE KEY-----
> [root@NASTIA-LOG01 ~]# 
>
>
> [root@NASTIA-LOG01 ~]# more /etc/pki/tls/private/private_gray.pem 
> -----BEGIN PRIVATE KEY-----
> [...]
> -----END PRIVATE KEY-----
> [root@NASTIA-LOG01 ~]# 
>
> Have I done something wrong?
>
> Regards,
>
> Aldo
>
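
Added example (not part of either message above, and not Graylog's own code): a shell check that reads the PEM block headers of the files a `*_tls_cert_file` / `*_tls_key_file` pair points to and reports the mix-up described in the reply, plus one way to create a fresh key and self-signed certificate. The function names, the placeholder sample files and the requirement of an unencrypted PKCS#8 key (inferred from the `-nocrypt` conversion and the commented-out key password in the quoted config) are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Print the type of every PEM block in a file, one per line
# (e.g. "CERTIFICATE", "RSA PRIVATE KEY", "PRIVATE KEY").
pem_types() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Return 0 only if $1 holds an X.509 certificate and no private key, and
# $2 holds an unencrypted PKCS#8 key (assumed from the thread's -nocrypt).
check_tls_pair() {
    cert_types=$(pem_types "$1")
    key_types=$(pem_types "$2")
    rc=0
    if ! printf '%s\n' "$cert_types" | grep -qx 'CERTIFICATE'; then
        echo "FAIL: no X.509 certificate in $1" >&2
        rc=1
    fi
    if printf '%s\n' "$cert_types" | grep -q 'PRIVATE KEY'; then
        echo "FAIL: private key stored in certificate file $1" >&2
        rc=1
    fi
    if ! printf '%s\n' "$key_types" | grep -qx 'PRIVATE KEY'; then
        echo "FAIL: $2 is not an unencrypted PKCS#8 key" >&2
        rc=1
    fi
    return "$rc"
}

# One way to get a matching pair: a new key ($1) and a self-signed
# certificate ($2) for host name $3. Requires the openssl CLI.
new_self_signed() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$3" -keyout "$1" -out "$2" ) && chmod 644 "$2"
}

# Constructed samples that reproduce the thread's files; the bodies are
# placeholders, not key material.
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/graylog.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$1/private_gray.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
}

# Usage: check_tls_pair /etc/pki/tls/certs/graylog.pem /etc/pki/tls/private/private_gray.pem
```

Because the original key was sent to a public list, generate a new key pair rather than issuing a certificate for the old key.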
