Env: 
graylog 2.0.2  / elasticsearch 2.3.2 
RHEL 6.8

So I have followed the graylog https setup here 
http://docs.graylog.org/en/latest/pages/configuration/https.html and 
followed along to create a keystore, create a self-signed cert, convert it 
to PKCS5 and export it to a cert and key for use with graylog-server.

However, the issue I'm facing is that the final key step generates a file 
which looks invalid, presumably because the interim pkcs5 key step is not 
working. Can someone point me to what mistake I'm making and how to fix it? 

On a side topic, I'm using the haproxy load balancer with SSL pass-through. 
(Using it with SSL termination on the load balancer failed: Firefox, Chrome 
etc. all complain about mixed content and I get the 

    "Server currently unavailable
    We are experiencing problems connecting to the Graylog server running on..." 

error. So I think I can only get proper SSL working if I do SSL end to end 
via SSL passthrough on the load balancer.)


Here's the log of steps followed:

    create keystore for graylog - gen key and import into a new keystore
01. keytool -genkey -alias graylog-web01 -keyalg RSA -keysize 2048 -validity 1000 -dname "CN=graylog-web01" -keystore graylog-web01KeyStore.p12 -storepass XXXX -storetype pkcs12

02. keytool -importkeystore -deststorepass "XXXX" -destkeypass "XXXX" -destkeystore graylog.keystore -srckeystore graylog-web01KeyStore.p12 -srcstoretype PKCS12 -srcstorepass "XXXX" -alias graylog-web01

    create a self-signed cert
03. openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem

    convert key to pkcs8 format
04. openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

    convert keystore above to PKCS12 format so openssl can work with it
05. keytool -importkeystore -srckeystore graylog-web01.keystore -destkeystore keystore.p12 -deststoretype PKCS12

    get the cert to use
06. openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem

    cat graylog-certificate.pem
Bag Attributes
    friendlyName: CN=graylog-web01
    localKeyID: 54 69 6E 66 20 31 34 36 39 34 36 37 35 37 39 33 32 30 
subject=/CN=graylog-web01
issuer=/CN=graylog-web01
-----BEGIN CERTIFICATE-----

    get the key to use
07. openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem

    This is where the issue is - the pkcs5 key file doesn't seem to contain 
the actual key. I was expecting to see a "-----BEGIN PRIVATE KEY-----" line 
in the file below:

cat graylog-pkcs5.pem

Bag Attributes
    friendlyName: graylog2
    localKeyID: 54 69 6E 66 20 31 34 36 39 34 36 38 35 35 32 30 33 36 
Key Attributes: <No Attributes>

but the file ends right there above at "Key Attributes" line. 

 
08. Consequently, this fails - 
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
unable to load key
140626096863048:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

09. I understand that after step 08 above works I still need to run

cp -a "${JAVA_HOME}/jre/lib/security/cacerts" /path/to/cacerts.jks
keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias graylog-self-signed -file cert.pem

to import this into the local JVM trust store and point to it by adding these 
to the graylog-server GRAYLOG_SERVER_ARGS in /etc/sysconfig/graylog-server 
(or JAVA_OPTS in /etc/init.d/graylog-server):

GRAYLOG_SERVER_ARGS="-Djavax.net.ssl.trustStore=/path/to/cacerts.jks -Djavax.net.ssl.trustStorePassword=secret"

and then restart graylog-server and it will be SSL ready. 


Where is the error happening? Does anyone have a straightforward list of 
steps to follow to get this working?

I have 2 graylog-web front ends in a cluster so I'm assuming in step 09 
above I need to add the cert from both graylog-web servers. 

Thanks, 

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/b206e420-7c6b-4d1f-bd1d-df6f091e279e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
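As an added example (not part of the post, and not Graylog's own documentation), the openssl half of the same procedure run end to end in a temp directory, with a PKCS#12 bundle built by openssl standing in for the keytool steps, followed by the check the post's steps lack: that the exported key file really contains a key and that it belongs to the exported certificate. File names follow the post; the password is a constructed placeholder and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the post or Graylog's docs): the openssl half of the
# procedure, with a PKCS#12 bundle built by openssl in place of the keytool
# steps. Assumes openssl on PATH; paths and password are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='XXXX'   # placeholder, same role as the post's -storepass

# Step 03 from the post: self-signed cert plus an unencrypted RSA key.
make_self_signed() {
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=graylog-web01" \
    -keyout "$WORK/pkcs5-plain.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Stand-in for step 05: a PKCS#12 bundle that openssl can read, carrying the
# same friendlyName the post's keystore alias would.
bundle_pkcs12() {
  openssl pkcs12 -export -name graylog-web01 -inkey "$WORK/pkcs5-plain.pem" \
    -in "$WORK/cert.pem" -out "$WORK/keystore.p12" -passout "pass:$PASS"
}

# Steps 06 and 07: cert out, key out. -nodes writes the key unencrypted, so
# no second passphrase is needed and pkcs8 -nocrypt can read it directly.
extract_cert_and_key() {
  openssl pkcs12 -in "$WORK/keystore.p12" -nokeys -passin "pass:$PASS" \
    -out "$WORK/graylog-certificate.pem"
  openssl pkcs12 -in "$WORK/keystore.p12" -nocerts -nodes -passin "pass:$PASS" \
    -out "$WORK/graylog-pkcs5.pem"
  openssl pkcs8 -in "$WORK/graylog-pkcs5.pem" -topk8 -nocrypt \
    -out "$WORK/graylog-key.pem"
}

# The check the post's steps lack: the key file must actually contain a key
# and its public half must equal the certificate's. Returns 0 only if both hold.
verify_key_matches_cert() {
  grep -q -- '-----BEGIN PRIVATE KEY-----' "$WORK/graylog-key.pem" || return 1
  cert_pub=$(openssl x509 -in "$WORK/graylog-certificate.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/graylog-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

make_self_signed && bundle_pkcs12 && extract_cert_and_key
verify_key_matches_cert && echo "key and certificate match: $WORK/graylog-key.pem"
```

Running the same verify step against the files produced by the post's steps 06 and 07 would have flagged the empty key file before any trust-store or graylog-server changes were made.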
