Jochen, I ran the openssl command and it returned a single line with the text: RSA key ok
I did have some errors prior to the current ones with Graylog not being able to access the key file. Those turned out to be an incorrect formatting in the server.conf file, I had to put the password in quotes to get past that error. These are the sections of the server.conf file you asked for with the private info removed:

# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
rest_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the REST API.
rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem

# The PKCS#8 private key file in PEM format to use for securing the REST API.
rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem

# The password to unlock the private key used for securing the REST API.
rest_tls_key_password ="PASSWORD"

# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
web_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the web interface.
web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem

# The PKCS#8 private key file in PEM format to use for securing the web interface.
web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem

# The password to unlock the private key used for securing the web interface.
web_tls_key_password ="PASSWORD"

Thanks for the help.

--Dave C.

On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Dave,
>
> the error message looks like the private key is in an incompatible or
> invalid format which Graylog can't process.
>
> Could you please share your Graylog configuration (the rest_* and web_*
> settings should be sufficient) and the output of the following OpenSSL
> command:
>
> openssl rsa -noout -check -inform pem -in /path/to/private.key
>
>
> Cheers,
> Jochen
>
> On Wednesday, 6 July 2016 21:42:47 UTC+2, dave...@gmail.com wrote:
>>
>> All,
>>
>> I have been working on setting up a test instance of Graylog 2.0 for
>> several weeks now and I can't seem to make any progress with implementing
>> SSL. I have seen a few other posts asking about converting java wallets to
>> the new set up of cert and key pair but that doesn't apply I have a new
>> cert from a CA. I am pretty sure I have the cert in the correct encoding
>> "X.509 certificate with PEM encoding" that the documentation
>> <http://docs.graylog.org/en/2.0/pages/configuration/https.html> asks for.
>> I can use the command "openssl x509 -in cert.pem -text -noout" to see
>> the contents of the cert without issue. I can get Graylog 2.0 running
>> with no SSL and with self generated certs but when I use the certs from the
>> CA I keep getting the errors below in /var/log/graylog-server/server.log
>> when I try to start Graylog 2.0, I can send more of the log if needed. This
>> is installed on Oracle Linux Server release 6.7 with Graylog 2.0,
>> Elasticsearch, and MongoDB installed from their respective yum repos. Any
>> advice would be greatly appreciated, I'm just spinning my wheels at this
>> point.
>>
>>
>> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>     at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>     at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>     at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>     at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>     at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>     at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>     at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>> 2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]
>>
>> 2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
>> java.lang.IllegalStateException: Can't move to started state when closed
>>     at org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) ~[graylog.jar:?]
>>     at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[graylog.jar:?]
>>     at org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) ~[graylog.jar:?]
>>     at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68) ~[graylog.jar:?]
>>     at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
>>     at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>
>>
>> 2016-07-06T14:02:43.202-05:00 ERROR [ServiceManager] Service RestApiService [FAILED] has failed in the STOPPING state.
>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>     at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>     at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>     at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>     at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>     at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>     at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>     at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>     at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>> 2016-07-06T14:02:43.206-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
>> java.lang.IllegalStateException: Expected to be healthy after starting.
>> The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
>>     at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
>>     at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
>>     at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
>>     at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
>>     at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
>>     at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
>>
>>
>> --Dave C.
>>
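
Added example, not part of the thread: the trace above fails inside `EncryptedPrivateKeyInfo` while the JDK decodes the key's encryption parameters (tag 48 is 0x30, a DER SEQUENCE), whereas `openssl rsa -check` validates the RSA key itself and does not report the PEM container. This Python sketch reports the container type and, for an encrypted PKCS#8 key, the encryption-scheme OID; the function names and the sample key are constructed for illustration.

```python
import base64
import re

PLAIN_LABELS = {"PRIVATE KEY": "PKCS#8, unencrypted",
                "RSA PRIVATE KEY": "traditional RSA (PKCS#1), not PKCS#8"}

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify_pem_key(pem_text):
    """Return (container, encryption_oid) for the first PEM block in pem_text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return ("no PEM block found", None)
    label, body = m.group(1), m.group(2)
    if label != "ENCRYPTED PRIVATE KEY":
        return (PLAIN_LABELS.get(label, "unrecognised label: " + label), None)
    der = base64.b64decode("".join(body.split()))
    _, info, _ = read_tlv(der)      # EncryptedPrivateKeyInfo SEQUENCE
    _, alg_id, _ = read_tlv(info)   # encryptionAlgorithm AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError(f"expected OID (tag 6), got tag {tag}")
    return ("PKCS#8, encrypted", decode_oid(oid))

# Constructed sample: id-PBES2 (1.2.840.113549.1.5.13), empty params, dummy ciphertext.
SAMPLE_DER = bytes.fromhex("3015300d06092a864886f70d01050d30000404deadbeef")
SAMPLE_PBES2 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER).decode()
                + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Pass the text of the file named in `rest_tls_key_file` / `web_tls_key_file` to `classify_pem_key` to see which container and encryption scheme the server will be asked to parse.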