[graylog2] Re: Has anyone successfully set up SSL on Graylog 2.0?

2016-07-08 Thread Dave C.
ponent.start(AbstractLifecycleComponent.java:62) ~[graylog.jar:?]
at org.elasticsearch.node.Node.start(Node.java:291) ~[graylog.jar:?]
at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
2016-07-08T10:46:03.785-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]

-rw-r--r--. 1 graylog graylog 1.8K May 17 15:41 KEY.pem
-rw-r--r--. 1 graylog graylog 2.0K Jun 14 14:29 CERT.pem


--Dave C. 

On Friday, July 8, 2016 at 4:40:33 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Dave,
>
> the quotes around the password shouldn't be necessary (and are, in fact, 
> wrong). Could you please share the error message you've got when omitting 
> these quotes?
>
> Please also post the output of the following command (it doesn't contain 
> any sensitive information, just the header of the private key and 
> certificate file):
>
> head -n1 /etc/graylog/graylog-ssl/CERT.pem /etc/graylog/graylog-ssl/KEY.pem
>
>
>
> Cheers,
> Jochen
>
> On Thursday, 7 July 2016 20:11:03 UTC+2, Dave C. wrote:
>>
>> Jochen, 
>>
>> I ran the openssl command and it returned a single line with the text: 
>> RSA key ok
>>
>> I did have some errors prior to the current ones with Graylog not being 
>> able to access the key file. Those turned out to be incorrect 
>> formatting in the server.conf file; I had to put the password in quotes to 
>> get past that error. 
>>
>> These are the sections of the server.conf file you asked for with the 
>> private info removed: 
>>
>> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
>> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
>> # next line to enable it.
>> rest_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the REST API.
>> rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the REST API.
>> rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the REST API.
>> rest_tls_key_password ="PASSWORD"
>>
>>
>> # Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
>> # using TLS to prevent request forgery and eavesdropping.
>> # This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
>> web_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the web interface.
>> web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the web interface.
>> web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the web interface.
>> web_tls_key_password ="PASSWORD"
>>
>> Thanks for the help. 
>> --Dave C. 
>>
>> On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>>>
>>> Hi Dave,
>>>
>>> the error message looks like the private key is in an incompatible or 
>>> invalid format which Graylog can't process.
>>>
>>> Could you please share your Graylog configuration (the rest_* and web_* 
>>> settings 

[graylog2] Re: Has anyone successfully set up SSL on Graylog 2.0?

2016-07-07 Thread Dave C.
Jochen, 

I ran the openssl command and it returned a single line with the text: 
RSA key ok

I did have some errors prior to the current ones with Graylog not being 
able to access the key file. Those turned out to be incorrect 
formatting in the server.conf file; I had to put the password in quotes to 
get past that error. 

These are the sections of the server.conf file you asked for with the 
private info removed: 

# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
rest_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the REST API.
rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem

# The PKCS#8 private key file in PEM format to use for securing the REST API.
rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem

# The password to unlock the private key used for securing the REST API.
rest_tls_key_password ="PASSWORD"


# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
web_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the web interface.
web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem

# The PKCS#8 private key file in PEM format to use for securing the web interface.
web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem

# The password to unlock the private key used for securing the web interface.
web_tls_key_password ="PASSWORD"

Thanks for the help. 
--Dave C. 

On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Dave,
>
> the error message looks like the private key is in an incompatible or 
> invalid format which Graylog can't process.
>
> Could you please share your Graylog configuration (the rest_* and web_* 
> settings should be sufficient) and the output of the following OpenSSL 
> command:
>
> openssl rsa -noout -check -inform pem -in /path/to/private.key
>
>
> Cheers,
> Jochen
>
> On Wednesday, 6 July 2016 21:42:47 UTC+2, dave...@gmail.com wrote:
>>
>> All, 
>>
>> I have been working on setting up a test instance of Graylog 2.0 for 
>> several weeks now and I can't seem to make any progress with implementing 
>> SSL. I have seen a few other posts asking about converting Java wallets to 
>> the new setup of cert and key pair, but that doesn't apply; I have a new 
>> cert from a CA. I am pretty sure I have the cert in the correct encoding 
>> "X.509 certificate with PEM encoding" that the documentation 
>> <http://docs.graylog.org/en/2.0/pages/configuration/https.html> asks for. 
>> I can use the command "openssl x509 -in cert.pem -text -noout" to see 
>> the contents of the cert without issue. I can get Graylog 2.0 running 
>> with no SSL and with self-generated certs, but when I use the certs from the 
>> CA I keep getting the errors below in /var/log/graylog-server/server.log 
>> when I try to start Graylog 2.0; I can send more of the log if needed. This 
>> is installed on Oracle Linux Server release 6.7 with Graylog 2.0, 
>> Elasticsearch, and MongoDB installed from their respective yum repos. Any 
>> advice would be greatly appreciated; I'm just spinning my wheels at this 
>> point. 
>>
>>
>> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>> at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>> at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>> at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>> at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>> at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>> at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>> at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>> at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>> at org.graylog2.shared.securi
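The stack trace quoted above fails inside Java's EncryptedPrivateKeyInfo/PBES2Parameters parsing, and the DER tag 48 (0x30) it complains about is a SEQUENCE sitting where an OBJECT IDENTIFIER was expected, so the first thing to check is what kind of PEM file KEY.pem really is. The script below is an added example, not code from the thread or from Graylog: it does Jochen's head -n1 check programmatically and, for an "ENCRYPTED PRIVATE KEY" (encrypted PKCS#8) file, walks the DER EncryptedPrivateKeyInfo to name the PBES2 KDF and cipher; the OID name table is assumed from the standard registrations and the sample key is constructed, not a real key.

```python
"""Classify a PEM private key the way Graylog's Java TLS loader sees it (added example)."""
import base64, re

OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "2.16.840.1.101.3.4.1.42": "aes256-CBC"}  # names assumed from the standard registrations

def children(seq):  # split a constructed DER value into (tag, content) pairs
    out, pos = [], 0
    while pos < len(seq):
        tag, ln, pos = seq[pos], seq[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low bits give the byte count
            k = ln & 0x7F
            ln, pos = int.from_bytes(seq[pos:pos + k], "big"), pos + k
        out.append((tag, seq[pos:pos + ln]))
        pos += ln
    return out

def decode_oid(raw):  # DER OBJECT IDENTIFIER content -> dotted string
    vals, v = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:  # remaining arcs are base-128 with a continuation bit
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            vals, v = vals + [v], 0
    return ".".join(map(str, vals))

def classify_key(pem):
    """Return (PEM label, info). Graylog 2.0 wants PKCS#8 ('PRIVATE KEY' or
    'ENCRYPTED PRIVATE KEY'); 'RSA PRIVATE KEY' is the traditional PKCS#1 form."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END", pem, re.S)
    label, info = m.group(1), {}
    if label == "ENCRYPTED PRIVATE KEY":  # EncryptedPrivateKeyInfo ::= SEQ { AlgId, OCTET STRING }
        alg_id, _data = children(children(base64.b64decode(m.group(2)))[0][1])
        scheme_oid, params = children(alg_id[1])  # AlgorithmIdentifier ::= SEQ { OID, params }
        info["scheme"] = scheme = decode_oid(scheme_oid[1])
        if scheme == "1.2.840.113549.1.5.13":  # PBES2-params ::= SEQ { kdf AlgId, enc AlgId }
            for name, alg in zip(("kdf", "cipher"), children(params[1])):
                info[name] = decode_oid(children(alg[1])[0][1])
    return label, {k: OIDS.get(v, v) for k, v in info.items()}

def der(tag, body):  # tiny DER TLV encoder; short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body

def sample_key():  # constructed PBES2/PBKDF2/AES-256-CBC envelope with dummy salt, iv and data
    pbes2, pbkdf2, aes256 = (bytes.fromhex(h) for h in (
        "06092a864886f70d01050d", "06092a864886f70d01050c", "060960864801650304012a"))
    kdf = der(0x30, pbkdf2 + der(0x30, der(0x04, b"\0" * 8) + der(0x02, b"\x08\x00")))
    enc = der(0x30, aes256 + der(0x04, b"\0" * 16))
    epki = der(0x30, der(0x30, pbes2 + der(0x30, kdf + enc)) + der(0x04, b"\0" * 32))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(epki).decode()
            + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Run classify_key() on the real KEY.pem contents: a label other than PRIVATE KEY or ENCRYPTED PRIVATE KEY means the file is not the PKCS#8 form the server.conf comments ask for, and an unfamiliar OID in the result shows which scheme the Java 8 provider had to parse.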