Hi Drew, you're right, the migration path from Graylog 1.x to 2.x isn't very clearly documented yet. We'll eventually fix that once Graylog 2.0.0 has been released.
The private key has to be in PKCS#8 format stored as PEM (not DER). The X.509 certificate has also be to be stored in PEM format. Cheers, Jochen On Tuesday, 12 April 2016 16:27:10 UTC+2, Drew Miranda wrote: > > Hi all, has anyone had any success converting their TLS ceritificates for > graylog web from versions 1 (e.g. 1.3.x) to version 2 of graylog? > > Maybe I'm just not getting it, but I'm having trouble figuring out EXACTLY > what file format the certificate needs to be in. > > Previously with v1.x web interface it used a javakeystore. HOWEVER, this > is no longer in use and the upgrade path is not clear. > > I found some documentation that talks about exporting keys from the > keystore but the terminilogy is very inconsistent depending on the > webpage/documentation. > > I got as far as exporting the "private key" > (no clue if this is the correct format) > keytool -importkeystore -srckeystore graylog2.keystore -destkeystore > new-store.p12 -deststoretype PKCS12 > openssl pkcs12 -info -in new-store.p12 > openssl pkcs12 -in new-store.p12 -nocerts -out gl2web_privateKey.pem > > to produce supposedly what the documentation for graylog claims it needs, > > I do something similar for the public key > keytool -export -keystore graylog2.keystore -alias graylog2key -file > Example.cer > openssl x509 -in Example.cer -inform der -text -noout > openssl x509 -inform der -in Example.cer -out gl2web_publickey.pem > > I get this error > > I end up with this error which is vague, but I think tells me my > certificate configuration is useless. > > 2016-04-12 10:06:27,503 ERROR: > com.google.common.util.concurrent.ServiceManager - Service > WebInterfaceService [FAILED] has failed in the STARTING state. > java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = > 48) > at > sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) > ~[?:1.8.0_77] > at > sun.security.util.DerInputStream.getOID(DerInputStream.java:281) > ~[?:1.8.0_77] > at > com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) > ~[sunjce_provider.jar:1.8.0_77] > at > java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) > ~[?:1.8.0_77] > at > sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) > ~[?:1.8.0_77] > at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) > ~[?:1.8.0_77] > at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) > ~[?:1.8.0_77] > at > javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) > ~[?:1.8.0_77] > at > org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) > > ~[graylog.jar:?] > at > org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) > > ~[graylog.jar:?] > at > org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) > > ~[graylog.jar:?] > at > org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) > > ~[graylog.jar:?] > at > org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) > > ~[graylog.jar:?] > at > com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) > > [graylog.jar:?] > at > com.google.common.util.concurrent.Callables$3.run(Callables.java:100) > [graylog.jar:?] > at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77] > > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/50c4cc51-e01a-43df-b86a-829840d8c5db%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
