Well, as no one has responded yet... Perhaps you have to use Java's keytool to import the certs into the server's certificate store where Java apps can find it? (I haven't had to do this with Graylog because we aren't using TLS or SSL with it yet, but other Java-based server applications like OpenFire handle certs this way, so it's what I would have looked at.)
On Fri, Apr 1, 2016 at 7:25 AM, Dylan Humphreys <[email protected]> wrote:
> Hi Everyone,
>
> I'm trying to set up a syslog TCP input with TLS support and client TLS
> authentication.
>
> I have successfully set up TLS on the Graylog side only, and clients
> (syslog-ng) can connect and submit logging information as expected.
> However, when I try to enable client-side TLS auth, I get this exception
> in /var/log/graylog/server/common:
>
> 2016-04-01_11:48:58.67611 java.security.cert.CertificateParsingException: signed fields invalid
> 2016-04-01_11:48:58.67748 at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1793)
> 2016-04-01_11:48:58.67897 at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
> 2016-04-01_11:48:58.68269 at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:469)
> 2016-04-01_11:48:58.68351 at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:354)
> 2016-04-01_11:48:58.68446 at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
> 2016-04-01_11:48:58.68619 at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:96)
> 2016-04-01_11:48:58.68865 at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:106)
> 2016-04-01_11:48:58.69013 at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:79)
> 2016-04-01_11:48:58.69341 at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:188)
> 2016-04-01_11:48:58.69440 at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:175)
> 2016-04-01_11:48:58.69649 at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:171)
> 2016-04-01_11:48:58.70275 at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:116)
> 2016-04-01_11:48:58.70279 at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134)
> 2016-04-01_11:48:58.70280 at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104)
> 2016-04-01_11:48:58.70280 at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
> 2016-04-01_11:48:58.70317 at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
> 2016-04-01_11:48:58.70494 at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
> 2016-04-01_11:48:58.70794 at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
> 2016-04-01_11:48:58.70853 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 2016-04-01_11:48:58.70926 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 2016-04-01_11:48:58.70986 at java.lang.Thread.run(Thread.java:745)
>
> My syslog-ng configuration:
>
> destination graylog {
>     syslog("graylog" port(1999)
>         transport("tls")
>         tls(
>             # directory holding the CA certificate(s) used to verify the server
>             ca_dir("/home/dylan/temp/syslog/")
>             # client certificate presented to Graylog
>             cert_file("/home/dylan/temp/syslog/myclient.crt")
>             # the client private key belongs in key_file(), not in ca_dir()
>             key_file("/home/dylan/temp/syslog/myclient.key")
>         )
>     );
> };
>
> myclient.crt is an X.509 formatted cert, signed with my internal PKI (i.e.
> not by a CA).
> myclient.key is PKCS#8.
>
> I have also copied the public cert of the CA used to sign into a directory
> on the Graylog server, and pointed to the folder (in one attempt, and the
> actual file in another) in the parameters of the input ("TLS Client Auth
> Trusted Certs (optional)").
>
> Can anyone tell me where I'm going wrong?
>
> Thanks in advance
>
> --
> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/4adea6f5-12a8-45e7-ac92-2955e284f5c3%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
No matter what we think of Linux versus FreeBSD, etc., the one thing I really like about Linux is that it has Microsoft worried. Anything that kicks a monopoly in the pants has got to be good for something.
- Chris Johnson
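The exception quoted in the thread is raised by Java's own X.509 parser while Graylog's KeyUtil loads the "TLS Client Auth Trusted Certs" file or directory, so the first thing to establish is whether the CA file itself decodes to a well-formed certificate. The following is an added example, not code from this thread or from the Graylog project: a small Python checker that reads a PEM file or a directory of them and reports, per certificate, whether the outer DER structure has the shape Java expects (a SEQUENCE of exactly three elements: tbsCertificate, signatureAlgorithm, signatureValue). The mapping of "more than three elements" to the message "signed fields invalid" is my reading of OpenJDK's sun.security.x509.X509CertImpl.parse and should be treated as an assumption; the two sample "certificates" in the block are constructed DER skeletons of the right and wrong shape, not real certificates, and the script name used in the usage note is hypothetical.

```python
"""Structural check of PEM certificates before a Java trust store loads them.

Added example, not Graylog's code. Assumption from reading OpenJDK's
X509CertImpl.parse: a certificate whose outer SEQUENCE holds anything beyond
tbsCertificate, signatureAlgorithm and signatureValue is rejected with
"signed fields invalid". This script reproduces that shape check offline.
"""
import base64
import os
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def pem_blocks(text):
    """Yield (label, DER bytes) for each PEM block in text, ignoring surrounding junk."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, end offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated tag/length")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length (not DER)")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed value into its child (tag, value) pairs."""
    kids, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        kids.append((tag, val))
    return kids


def check_certificate(der):
    """Return 'ok', or a message describing why Java's parser would reject der."""
    try:
        tag, body, end = der_tlv(der)
        if tag != SEQUENCE:
            return "invalid DER-encoded certificate data (outer tag 0x%02x is not SEQUENCE)" % tag
        kids = der_children(body)
    except ValueError as e:
        return "invalid DER-encoded certificate data (%s)" % e
    if len(kids) != 3:
        return "signed fields invalid (outer SEQUENCE has %d elements, expected 3)" % len(kids)
    if [t for t, _ in kids] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        return "signed fields invalid (expected SEQUENCE, SEQUENCE, BIT STRING)"
    if end != len(der):
        return "ok, but %d trailing bytes follow the certificate" % (len(der) - end)
    return "ok"


def check_bundle(text):
    """Check every PEM block in one file's text; returns [(label, verdict)]."""
    return [(label, check_certificate(der)) for label, der in pem_blocks(text)]


def check_path(path):
    """Check a PEM file, or every regular file in a directory (the ca-dir case)."""
    files = [os.path.join(path, f) for f in sorted(os.listdir(path))] if os.path.isdir(path) else [path]
    results = []
    for f in files:
        if not os.path.isfile(f):
            continue
        with open(f, "rb") as fh:
            verdicts = check_bundle(fh.read().decode("latin-1"))
        results += [(f, label, v) for label, v in verdicts] or [(f, "-", "no PEM block found (DER or PKCS#7 file?)")]
    return results


def encode_tlv(tag, payload):
    """Encode a DER TLV (short or long length form); used to build the samples below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed samples, not real certificates: a skeleton with the expected
# three-element shape, and the same skeleton with a stray fourth element.
_TBS = encode_tlv(SEQUENCE, encode_tlv(INTEGER, b"\x02"))
_ALG = encode_tlv(SEQUENCE, encode_tlv(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
_SIG = encode_tlv(BIT_STRING, b"\x00\xde\xad\xbe\xef")  # 0 unused bits + dummy signature
GOOD_DER = encode_tlv(SEQUENCE, _TBS + _ALG + _SIG)
BAD_DER = encode_tlv(SEQUENCE, _TBS + _ALG + _SIG + encode_tlv(INTEGER, b"\x01"))


def to_pem(der, label="CERTIFICATE"):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)


def sample_bundle():
    """PEM text holding the good and the bad constructed sample, in that order."""
    return to_pem(GOOD_DER) + to_pem(BAD_DER)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for f, label, verdict in check_path(path):
            print(f, label, verdict)
    if len(sys.argv) == 1:  # no path given: run against the constructed samples
        for label, verdict in check_bundle(sample_bundle()):
            print(label, verdict)
```

Run it as `python3 check_trust_certs.py /path/to/ca-dir` (hypothetical file name) against the same file or directory you entered in the input's trusted-certs setting; a verdict other than "ok" on the CA file means Java will never reach signature verification. The checker only looks at the outer structure, so once it reports "ok", confirm the content with `openssl x509 -in ca.crt -noout -text` and check that the client certificate actually chains to that CA with `openssl verify -CAfile ca.crt myclient.crt`, since a trust store that parses but does not contain the issuer fails later, at the handshake, rather than at load time.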
