Hi Aldo, please refer to the manuals of OpenSSL (or any other program you're using to create or convert private keys and your certificates):
- https://www.openssl.org/docs/manmaster/apps/pkcs8.html
- https://www.openssl.org/docs/manmaster/apps/x509.html
- https://www.madboa.com/geek/openssl/

Cheers,
Jochen

On Monday, 9 May 2016 14:59:39 UTC+2, Aldo Pellini wrote:
>
> Ok, thanks.
>
> And the right procedure is?
>
> On Monday, May 9, 2016 at 2:44:20 PM UTC+2, Jochen Schalanda wrote:
>>
>> Hi Aldo,
>>
>> it looks like you've been storing a private key in
>> /etc/pki/tls/certs/graylog.pem instead of an X.509 certificate.
>>
>> Additionally, you really shouldn't post your private keys on a public
>> mailing list.
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 4 May 2016 19:29:42 UTC+2, Aldo Pellini wrote:
>>>
>>> Hi,
>>> I have created a certificate with these commands:
>>>
>>> openssl pkcs8 -topk8 -inform PEM -outform PEM - in graylog.pem -out private_gray.pem -nocrypt
>>> openssl pkcs8 -topk8 -inform PEM -outform PEM -in graylog.pem -out private_gray.pem -nocrypt
>>>
>>> Then I have copied these into the pki directory:
>>>
>>> cp private_gray.pem /etc/pki/tls/private/private_gray.pem
>>> cp graylog.pem /etc/pki/tls/certs
>>>
>>> And enabled HTTPS in server.conf, giving the right path of these PEM files.
>>>
>>> Below my configuration:
>>>
>>> # REST API listen URI. Must be reachable by other graylog2-server nodes if you run a cluster.
>>> rest_listen_uri = https://151.92.28.21:12900
>>>
>>> # WEB
>>> web_listen_uri=https://151.92.28.21:443/
>>>
>>> # HTTPS
>>> web_enable_tls = true
>>> web_tls_cert_file = /etc/pki/tls/certs/graylog.pem
>>> web_tls_key_file = /etc/pki/tls/private/private_gray.pem
>>> #web_tls_key_password =
>>>
>>>
>>> # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
>>> # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
>>> # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
>>> # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
>>> # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
>>> # the scheme, host name or URI.
>>> rest_transport_uri = https://151.92.28.21:12900
>>>
>>> # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
>>> # If these are disabled, modern browsers will not be able to retrieve resources from the server.
>>> # This is disabled by default. Uncomment the next line to enable it.
>>> rest_enable_cors = true
>>>
>>> # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
>>> # overall round trip times. This is disabled by default. Uncomment the next line to enable it.
>>> #rest_enable_gzip = true
>>>
>>> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
>>> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
>>> # next line to enable it.
>>> rest_enable_tls = true
>>>
>>> # The X.509 certificate file to use for securing the REST API.
>>> rest_tls_cert_file = /etc/pki/tls/certs/graylog.pem
>>>
>>> # The private key to use for securing the REST API.
>>> rest_tls_key_file = /etc/pki/tls/private/private_gray.pem
>>>
>>> I have restarted the graylog-server daemon but I receive a Java error with the following lines:
>>>
>>> 2016-05-04 19:26:07,795 ERROR: com.google.common.util.concurrent.ServiceManager - Service WebInterfaceService [FAILED] has failed in the STARTING state.
>>> java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>>>     at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71) ~[graylog.jar:?]
>>>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114) ~[graylog.jar:?]
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
>>>     at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
>>> 2016-05-04 19:26:07,824 ERROR: org.graylog2.shared.initializers.InputSetupService - Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.AlertScannerThread].
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.AlertScannerThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.BatchedElasticSearchOutputFlushThread].
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.BatchedElasticSearchOutputFlushThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.ClusterHealthCheckThread].
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.ClusterHealthCheckThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexerClusterCheckerThread].
>>> 2016-05-04 19:26:07,832 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexerClusterCheckerThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRetentionThread].
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRetentionThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRotationThread].
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRotationThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.VersionCheckThread].
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.VersionCheckThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.ThrottleStateUpdaterThread].
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.ThrottleStateUpdaterThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.events.ClusterEventPeriodical].
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.events.ClusterEventPeriodical] complete, took <0ms>.
>>> 2016-05-04 19:26:07,833 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.events.ClusterEventCleanupPeriodical].
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.events.ClusterEventCleanupPeriodical] complete, took <0ms>.
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog2.periodical.IndexRangesCleanupPeriodical].
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog2.periodical.IndexRangesCleanupPeriodical] complete, took <0ms>.
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.usagestatistics.UsageStatsNodePeriodical].
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.usagestatistics.UsageStatsNodePeriodical] complete, took <0ms>.
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.usagestatistics.UsageStatsClusterPeriodical].
>>> 2016-05-04 19:26:07,834 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.usagestatistics.UsageStatsClusterPeriodical] complete, took <0ms>.
>>> 2016-05-04 19:26:07,839 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutting down periodical [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread].
>>> 2016-05-04 19:26:07,839 INFO : org.graylog2.shared.initializers.PeriodicalsService - Shutdown of periodical [org.graylog.plugins.collector.periodical.PurgeExpiredCollectorsThread] complete, took <0ms>.
>>> 2016-05-04 19:26:07,840 INFO : kafka.log.LogManager - Shutting down.
>>> 2016-05-04 19:26:07,839 WARN : org.graylog2.initializers.BufferSynchronizerService - Elasticsearch is unavailable. Not waiting to clear buffers and caches, as we have no healthy cluster.
>>> 2016-05-04 19:26:07,849 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] stopping ...
>>> 2016-05-04 19:26:07,851 INFO : org.graylog2.initializers.OutputSetupService - Stopping output org.graylog2.outputs.BlockingBatchedESOutput
>>> 2016-05-04 19:26:07,855 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] stopped
>>> 2016-05-04 19:26:07,855 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] closing ...
>>> 2016-05-04 19:26:07,868 INFO : org.elasticsearch.node - [graylog-c6aeb753-c841-476f-b8ed-5715ef6b8bf5] closed
>>> 2016-05-04 19:26:07,879 ERROR: com.google.common.util.concurrent.ServiceManager - Service IndexerSetupService [FAILED] has failed in the STOPPING state.
>>> java.lang.IllegalStateException: Can't move to started state when closed
>>>     at org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) ~[graylog.jar:?]
>>>     at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[graylog.jar:?]
>>>     at org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) ~[graylog.jar:?]
>>>     at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68) ~[graylog.jar:?]
>>>     at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
>>>     at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
>>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
>>> 2016-05-04 19:26:07,892 INFO : org.graylog2.shared.journal.JournalReader - Stopping.
>>> 2016-05-04 19:26:07,902 INFO : kafka.log.LogManager - Shutdown complete.
>>> 2016-05-04 19:26:08,013 INFO : org.graylog2.shared.initializers.AbstractJerseyService - Enabling CORS for HTTP endpoint
>>> 2016-05-04 19:26:08,016 ERROR: com.google.common.util.concurrent.ServiceManager - Service RestApiService [FAILED] has failed in the STOPPING state.
>>> java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>>>     at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71) ~[graylog.jar:?]
>>>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114) ~[graylog.jar:?]
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
>>>     at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
>>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
>>> 2016-05-04 19:26:08,016 ERROR: org.graylog2.bootstrap.ServerBootstrap - Graylog startup failed. Exiting. Exception was:
>>> java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
>>>     at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
>>>     at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
>>>     at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
>>>     at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:127) [graylog.jar:?]
>>>     at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
>>>     at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
>>> 2016-05-04 19:26:08,016 WARN : org.graylog2.shared.events.DeadEventLoggingListener - Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
>>> 2016-05-04 19:26:08,017 INFO : org.graylog2.shared.initializers.ServiceManagerListener - Services are now stopped.
>>> 2016-05-04 19:26:08,024 INFO : org.graylog2.commands.Server - SIGNAL received. Shutting down.
>>> 2016-05-04 19:26:08,029 INFO : org.graylog2.system.shutdown.GracefulShutdown - Graceful shutdown initiated.
>>> 2016-05-04 19:26:08,029 WARN : org.graylog2.shared.events.DeadEventLoggingListener - Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
>>> 2016-05-04 19:26:08,029 INFO : org.graylog2.system.shutdown.GracefulShutdown - Node status: [Halting [LB:DEAD]]. Waiting <3sec> for possible load balancers to recognize state change.
>>> Exception in thread "Thread-2" java.lang.IllegalStateException: Expected the service to be TERMINATED, but the service has FAILED
>>>     at com.google.common.util.concurrent.AbstractService.checkCurrentState(AbstractService.java:310)
>>>     at com.google.common.util.concurrent.AbstractService.awaitTerminated(AbstractService.java:280)
>>>     at com.google.common.util.concurrent.AbstractIdleService.awaitTerminated(AbstractIdleService.java:173)
>>>     at org.graylog2.system.shutdown.GracefulShutdown.doRun(GracefulShutdown.java:102)
>>>     at org.graylog2.system.shutdown.GracefulShutdown.runWithoutExit(GracefulShutdown.java:75)
>>>     at org.graylog2.commands.Server$ShutdownHook.run(Server.java:188)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: java.security.cert.CertificateException: No certificates found in file: /etc/pki/tls/certs/graylog.pem
>>>     at org.graylog2.shared.security.tls.PemReader.readCertificates(PemReader.java:71)
>>>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:114)
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185)
>>>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156)
>>>     at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65)
>>>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60)
>>>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100)
>>>     ... 1 more
>>>
>>> If I read these files I have:
>>>
>>> [root@NASTIA-LOG01 ~]# more /etc/pki/tls/certs/graylog.pem
>>> -----BEGIN RSA PRIVATE KEY-----
>>> [...]
>>> -----END RSA PRIVATE KEY-----
>>> [root@NASTIA-LOG01 ~]#
>>>
>>>
>>> [root@NASTIA-LOG01 ~]# more /etc/pki/tls/private/private_gray.pem
>>> -----BEGIN PRIVATE KEY-----
>>> [...]
>>> -----END PRIVATE KEY-----
>>> [root@NASTIA-LOG01 ~]#
>>>
>>> Have I done something wrong?
>>>
>>> Regards,
>>>
>>> Aldo
>>>
>>

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/c67d9c50-5e81-4990-9aea-cfab8275af7c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
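The script below is an added example, not code from the thread or from the Graylog project. It does two things the thread circles around: it classifies PEM files by their `-----BEGIN ...-----` labels, which reproduces the condition behind "No certificates found in file" (the file in `web_tls_cert_file` holds an `RSA PRIVATE KEY` block and no `CERTIFICATE` block), and it generates a self-signed X.509 certificate plus an unencrypted PKCS#8 key with the standard OpenSSL CLI, finishing with the `pkcs8 -topk8 -nocrypt` conversion Aldo already ran. Assumptions: that Graylog wants the key as an unencrypted PKCS#8 `PRIVATE KEY` block is inferred from the thread (Aldo's conversion step and the commented-out `web_tls_key_password`), not taken from Graylog's source; the PEM bodies written by `write_pem` are constructed placeholders, not real key material; the CN `151.92.28.21` and file names come from the posted config. The `openssl` steps are skipped when the binary is not installed.

```sh
#!/bin/sh
# Added example: check and (re)generate the PEM files Graylog's web_tls_* /
# rest_tls_* settings point at. Not part of Graylog or of the thread.

# Print the PEM labels present in FILE, one per line (CERTIFICATE, PRIVATE KEY, ...).
pem_labels() {  # pem_labels FILE
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed if FILE contains at least one "-----BEGIN LABEL-----" block (exact label).
pem_has() {  # pem_has FILE LABEL
    grep -q "^-----BEGIN $2-----\$" "$1"
}

# Write a single-block PEM file with a constructed placeholder body (no real key).
write_pem() {  # write_pem FILE LABEL
    printf '%s\n' "-----BEGIN $2-----" "AAAA" "-----END $2-----" > "$1"
}

# Approximate the check behind Graylog's "No certificates found in file": the
# cert file must carry a CERTIFICATE block, and (assumption from the thread) the
# key file an unencrypted PKCS#8 "PRIVATE KEY" block. Returns 0 only when both pass.
check_graylog_tls() {  # check_graylog_tls CERT_FILE KEY_FILE
    rc=0
    if ! pem_has "$1" CERTIFICATE; then
        echo "cert file $1: no CERTIFICATE block (found: $(pem_labels "$1" | tr '\n' ' '))"
        rc=1
    fi
    if pem_has "$2" "ENCRYPTED PRIVATE KEY"; then
        echo "key file $2: encrypted; set web_tls_key_password / rest_tls_key_password"
        rc=1
    elif ! pem_has "$2" "PRIVATE KEY"; then
        echo "key file $2: no PKCS#8 PRIVATE KEY block (found: $(pem_labels "$2" | tr '\n' ' '))"
        echo "  convert with: openssl pkcs8 -topk8 -nocrypt -in KEY -out KEY.pkcs8"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $1 + $2"
    return "$rc"
}

# Self-signed certificate + unencrypted PKCS#8 key (enough to stop the startup
# error; use a CA-issued certificate for anything browsers must trust).
make_selfsigned() {  # make_selfsigned CN CERT_OUT KEY_OUT
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$3.tmp" -out "$2" 2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -in "$3.tmp" -out "$3" &&
    rm -f "$3.tmp" && chmod 600 "$3"
}

# Confirm the private key belongs to the certificate (identical RSA modulus).
key_matches_cert() {  # key_matches_cert CERT_FILE KEY_FILE
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# --- demo on constructed files mirroring the thread ---
tmp=$(mktemp -d)
write_pem "$tmp/graylog.pem" "RSA PRIVATE KEY"     # what was in /etc/pki/tls/certs
write_pem "$tmp/private_gray.pem" "PRIVATE KEY"    # what was in /etc/pki/tls/private
check_graylog_tls "$tmp/graylog.pem" "$tmp/private_gray.pem" || true   # reports the missing cert

if command -v openssl >/dev/null 2>&1; then
    make_selfsigned 151.92.28.21 "$tmp/cert.pem" "$tmp/key.pem"
    openssl x509 -in "$tmp/cert.pem" -noout -subject -dates
    check_graylog_tls "$tmp/cert.pem" "$tmp/key.pem"
    key_matches_cert "$tmp/cert.pem" "$tmp/key.pem" && echo "key matches certificate"
fi
rm -rf "$tmp"
```

Point `web_tls_cert_file` / `rest_tls_cert_file` at the file that passes the CERTIFICATE check and `web_tls_key_file` / `rest_tls_key_file` at the PKCS#8 key, keep the key under `/etc/pki/tls/private` with mode 0600, and since the original key was pasted to a public list, treat it as compromised and generate a fresh one rather than reusing it.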
