Jochen, 

Thank you, again, for all the help looking into this problem for me. 

Here is the output of the head -n1 command: 

==> /etc/graylog/graylog-ssl/CERT.pem <==
-----BEGIN CERTIFICATE-----

==> /etc/graylog/graylog-ssl/KEY.pem <==
-----BEGIN ENCRYPTED PRIVATE KEY-----


I looked over the log file and these errors are not the same as what I was 
receiving before adding the quotes. The previous error had text stating 
Graylog couldn't access the files; I may have fixed that with file 
permissions and mistakenly assumed it was the quotes that fixed that error. 
Either way, for the sake of thoroughness, here are the errors when I removed 
the quotes around the password in the server.conf for both web and the rest 
api, and the file permissions. 

2016-07-08T10:46:00.781-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_92]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_92]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_92]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
        at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
        at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
        at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
2016-07-08T10:46:00.817-05:00 ERROR [InputSetupService] Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]


2016-07-08T10:46:01.165-05:00 ERROR [ServiceManager] Service RestApiService [FAILED] has failed in the STOPPING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_92]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_92]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_92]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
        at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
        at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]


2016-07-08T10:46:03.784-05:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
java.lang.IllegalStateException: Can't move to started state when closed
        at org.elasticsearch.common.component.Lifecycle.canMoveToStarted(Lifecycle.java:114) ~[graylog.jar:?]
        at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:62) ~[graylog.jar:?]
        at org.elasticsearch.node.Node.start(Node.java:291) ~[graylog.jar:?]
        at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
2016-07-08T10:46:03.785-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
        at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]

-rw-r--r--. 1 graylog graylog 1.8K May 17 15:41 KEY.pem
-rw-r--r--. 1 graylog graylog 2.0K Jun 14 14:29 CERT.pem


--Dave C. 

On Friday, July 8, 2016 at 4:40:33 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Dave,
>
> the quotes around the password shouldn't be necessary (and are, in fact, 
> wrong). Could you please share the error message you've got when omitting 
> these quotes?
>
> Please also post the output of the following command (it doesn't contain 
> any sensitive information, just the header of the private key and 
> certificate file):
>
> head -n1 /etc/graylog/graylog-ssl/CERT.pem /etc/graylog/graylog-ssl/KEY.pem
>
>
>
> Cheers,
> Jochen
>
> On Thursday, 7 July 2016 20:11:03 UTC+2, Dave C. wrote:
>>
>> Jochen, 
>>
>> I ran the openssl command and it returned a single line with the text: 
>> RSA key ok
>>
>> I did have some errors prior to the current ones with Graylog not being 
>> able to access the key file. Those turned out to be incorrect 
>> formatting in the server.conf file; I had to put the password in quotes to 
>> get past that error. 
>>
>> These are the sections of the server.conf file you asked for with the 
>> private info removed: 
>>
>> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
>> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
>> # next line to enable it.
>> rest_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the REST API.
>> rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the REST API.
>> rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the REST API.
>> rest_tls_key_password ="PASSWORD"
>>
>>
>> # Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
>> # using TLS to prevent request forgery and eavesdropping.
>> # This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
>> web_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the web interface.
>> web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the web interface.
>> web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the web interface.
>> web_tls_key_password ="PASSWORD"
>>
>> Thanks for the help. 
>> --Dave C. 
>>
>> On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>>>
>>> Hi Dave,
>>>
>>> the error message looks like the private key is in an incompatible or 
>>> invalid format which Graylog can't process.
>>>
>>> Could you please share your Graylog configuration (the rest_* and web_* 
>>> settings should be sufficient) and the output of the following OpenSSL 
>>> command:
>>>
>>> openssl rsa -noout -check -inform pem -in /path/to/private.key
>>>
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Wednesday, 6 July 2016 21:42:47 UTC+2, dave...@gmail.com wrote:
>>>>
>>>> All, 
>>>>
>>>> I have been working on setting up a test instance of Graylog 2.0 for 
>>>> several weeks now and I can't seem to make any progress with implementing 
>>>> SSL. I have seen a few other posts asking about converting java wallets to 
>>>> the new set up of cert and key pair, but that doesn't apply; I have a new 
>>>> cert from a CA. I am pretty sure I have the cert in the correct encoding, 
>>>> "X.509 certificate with PEM encoding", that the documentation 
>>>> <http://docs.graylog.org/en/2.0/pages/configuration/https.html> asks 
>>>> for. I can use the command "openssl x509 -in cert.pem -text -noout" to 
>>>> see the contents of the cert without issue. I can get Graylog 2.0 
>>>> running with no SSL and with self generated certs, but when I use the certs 
>>>> from the CA I keep getting the errors below in 
>>>> /var/log/graylog-server/server.log when I try to start Graylog 2.0. I can 
>>>> send more of the log if needed. This is installed on Oracle Linux Server 
>>>> release 6.7 with Graylog 2.0, Elasticsearch, and MongoDB installed from 
>>>> their respective yum repos. Any advice would be greatly appreciated; I'm 
>>>> just spinning my wheels at this point. 
>>>>
>>>>
>>>> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
>>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>>>         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>>>         at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>>>         at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>>>         at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>>>         at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>>>         at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>> 2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]
>>>>
>>>> 2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
>>>> java.lang.IllegalStateException: Can't move to started state when closed
>>>>         at org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) ~[graylog.jar:?]
>>>>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[graylog.jar:?]
>>>>         at org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) ~[graylog.jar:?]
>>>>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68) ~[graylog.jar:?]
>>>>         at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
>>>>         at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>>
>>>>
>>>> 2016-07-06T14:02:43.202-05:00 ERROR [ServiceManager] Service RestApiService [FAILED] has failed in the STOPPING state.
>>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>>>         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>>>         at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>>>         at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>>>         at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>>>         at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>> 2016-07-06T14:02:43.206-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
>>>> java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
>>>>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
>>>>         at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
>>>>         at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
>>>>         at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
>>>>
>>>>
>>>> --Dave C. 
>>>>
>>>>
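
Added example, not part of the original thread and not Graylog or JDK code: the trace above fails in PBES2Parameters.engineInit while reading an OID and finding tag 48 (0x30, a DER SEQUENCE), so this sketch walks the same header of an "ENCRYPTED PRIVATE KEY" (PKCS#8) PEM block and reports the scheme, KDF and cipher it declares. The function names (tlv, oid, describe_key, sample_pem) and the sample key are constructed for illustration.

```python
import base64

NAMES = {  # display names for the PKCS#5 (RFC 8018) and NIST OIDs recognised here
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid(buf, pos=0):  # decode the OBJECT IDENTIFIER at pos into dotted form
    tag, value, _ = tlv(buf, pos)
    if tag != 0x06:  # wording mirrors the log line; 48 == 0x30 == SEQUENCE
        raise ValueError("data isn't an object ID (tag = %d)" % tag)
    arcs, n = [], 0
    for b in value:  # base-128 arcs, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return NAMES.get(dotted, dotted)

def describe_key(pem):
    """Report how an ENCRYPTED PRIVATE KEY (PKCS#8) PEM block is protected."""
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        raise ValueError("not an encrypted PKCS#8 key: " + lines[0])
    der = base64.b64decode("".join(lines[1:-1]))
    alg = tlv(tlv(der)[1])[1]  # EncryptedPrivateKeyInfo.encryptionAlgorithm
    info = {"scheme": oid(alg)}
    if info["scheme"] == "PBES2":
        params = tlv(alg, tlv(alg)[2])[1]  # PBES2-params: SEQUENCE { kdf, cipher }
        _, kdf, nxt = tlv(params)
        info["kdf"], info["cipher"] = oid(kdf), oid(tlv(params, nxt)[1])
    return info

def _der(tag, *parts):  # encoder for the sample only; short-form lengths (< 128)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_pem():  # constructed, unusable key: zero bytes for salt, IV and data
    p5 = bytes.fromhex("2a864886f70d0105")  # 1.2.840.113549.1.5 (PKCS#5 arc)
    kdf = _der(0x30, _der(6, p5 + b"\x0c"), _der(0x30, _der(4, bytes(8)), _der(2, b"\x08\x00")))
    enc = _der(0x30, _der(6, bytes.fromhex("60864801650304012a")), _der(4, bytes(16)))
    alg = _der(0x30, _der(6, p5 + b"\x0d"), _der(0x30, kdf, enc))
    b64 = base64.encodebytes(_der(0x30, alg, _der(4, bytes(16)))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 + "-----END ENCRYPTED PRIVATE KEY-----\n"
```

Calling describe_key() on the text of a key file reads only the unencrypted algorithm header; no password is needed and no key material is decrypted.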
