Jochen, 

Thank you, again, for all the help looking into this problem for me. 

Here is the output of the head -n1 command: 

==> /etc/graylog/graylog-ssl/CERT.pem <==
-----BEGIN CERTIFICATE-----

==> /etc/graylog/graylog-ssl/KEY.pem <==
-----BEGIN ENCRYPTED PRIVATE KEY-----


I looked over the log file and these errors are not the same as what I was 
receiving before adding the quotes. The previous error had text stating 
Graylog couldn't access the files; I may have fixed that with file 
permissions and mistakenly assumed it was the quotes that fixed that error. 
Either way, for the sake of thoroughness, here are the errors when I removed 
the quotes around the password in the server.conf for both web and the REST 
API, and the file permissions. 

2016-07-08T10:46:00.781-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_92]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_92]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_92]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
        at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
        at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
        at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
2016-07-08T10:46:00.817-05:00 ERROR [InputSetupService] Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]


2016-07-08T10:46:01.165-05:00 ERROR [ServiceManager] Service RestApiService [FAILED] has failed in the STOPPING state.
java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_92]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_92]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_92]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_92]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
        at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
        at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
        at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]


2016-07-08T10:46:03.784-05:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
java.lang.IllegalStateException: Can't move to started state when closed
        at org.elasticsearch.common.component.Lifecycle.canMoveToStarted(Lifecycle.java:114) ~[graylog.jar:?]
        at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:62) ~[graylog.jar:?]
        at org.elasticsearch.node.Node.start(Node.java:291) ~[graylog.jar:?]
        at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_92]
2016-07-08T10:46:03.785-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
        at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
        at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
        at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
        at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]

-rw-r--r--. 1 graylog graylog 1.8K May 17 15:41 KEY.pem
-rw-r--r--. 1 graylog graylog 2.0K Jun 14 14:29 CERT.pem


--Dave C. 

On Friday, July 8, 2016 at 4:40:33 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Dave,
>
> the quotes around the password shouldn't be necessary (and are, in fact, 
> wrong). Could you please share the error message you've got when omitting 
> these quotes?
>
> Please also post the output of the following command (it doesn't contain 
> any sensitive information, just the header of the private key and 
> certificate file):
>
> head -n1 /etc/graylog/graylog-ssl/CERT.pem /etc/graylog/graylog-ssl/KEY.pem
>
>
>
> Cheers,
> Jochen
>
> On Thursday, 7 July 2016 20:11:03 UTC+2, Dave C. wrote:
>>
>> Jochen, 
>>
>> I ran the openssl command and it returned a single line with the text: 
>> RSA key ok
>>
>> I did have some errors prior to the current ones with Graylog not being 
>> able to access the key file. Those turned out to be an incorrect 
>> formatting in the server.conf file; I had to put the password in quotes to 
>> get past that error. 
>>
>> These are the sections of the server.conf file you asked for with the 
>> private info removed: 
>>
>> # Enable HTTPS support for the REST API. This secures the communication with the REST API with
>> # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
>> # next line to enable it.
>> rest_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the REST API.
>> rest_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the REST API.
>> rest_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the REST API.
>> rest_tls_key_password ="PASSWORD"
>>
>>
>> # Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
>> # using TLS to prevent request forgery and eavesdropping.
>> # This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
>> web_enable_tls = true
>>
>> # The X.509 certificate chain file in PEM format to use for securing the web interface.
>> web_tls_cert_file = /etc/graylog/graylog-ssl/CERT.pem
>>
>> # The PKCS#8 private key file in PEM format to use for securing the web interface.
>> web_tls_key_file = /etc/graylog/graylog-ssl/KEY.pem
>>
>> # The password to unlock the private key used for securing the web interface.
>> web_tls_key_password ="PASSWORD"
>>
>> Thanks for the help. 
>> --Dave C. 
>>
>> On Thursday, July 7, 2016 at 3:13:12 AM UTC-5, Jochen Schalanda wrote:
>>>
>>> Hi Dave,
>>>
>>> the error message looks like the private key is in an incompatible or 
>>> invalid format which Graylog can't process.
>>>
>>> Could you please share your Graylog configuration (the rest_* and web_* 
>>> settings should be sufficient) and the output of the following OpenSSL 
>>> command:
>>>
>>> openssl rsa -noout -check -inform pem -in /path/to/private.key
>>>
>>>
>>> Cheers,
>>> Jochen
>>>
>>> On Wednesday, 6 July 2016 21:42:47 UTC+2, [email protected] wrote:
>>>>
>>>> All, 
>>>>
>>>> I have been working on setting up a test instance of Graylog 2.0 for 
>>>> several weeks now and I can't seem to make any progress with implementing 
>>>> SSL. I have seen a few other posts asking about converting java wallets to 
>>>> the new set up of cert and key pair, but that doesn't apply; I have a new 
>>>> cert from a CA. I am pretty sure I have the cert in the correct encoding 
>>>> "X.509 certificate with PEM encoding" that the documentation 
>>>> <http://docs.graylog.org/en/2.0/pages/configuration/https.html> asks 
>>>> for. I can use the command "openssl x509 -in cert.pem -text -noout" to 
>>>> see the contents of the cert without issue. I can get Graylog 2.0 
>>>> running with no SSL and with self generated certs but when I use the certs 
>>>> from the CA I keep getting the errors below in 
>>>> /var/log/graylog-server/server.log when I try to start Graylog 2.0. I can 
>>>> send more of the log if needed. This is installed on Oracle Linux Server 
>>>> release 6.7 with Graylog 2.0, Elasticsearch, and MongoDB installed from 
>>>> their respective yum repos. Any advice would be greatly appreciated, I'm 
>>>> just spinning my wheels at this point. 
>>>>
>>>>
>>>> 2016-07-06T14:02:42.862-05:00 ERROR [ServiceManager] Service WebInterfaceService [FAILED] has failed in the STARTING state.
>>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>>>         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>>>         at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>>>         at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>>>         at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>>>         at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>>>         at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>> 2016-07-06T14:02:42.896-05:00 ERROR [InputSetupService] Not starting any inputs because lifecycle is: Uninitialized [LB:DEAD]
>>>>
>>>> 2016-07-06T14:02:42.941-05:00 ERROR [ServiceManager] Service IndexerSetupService [FAILED] has failed in the STOPPING state.
>>>> java.lang.IllegalStateException: Can't move to started state when closed
>>>>         at org.elasticsearch.common.component.Lifecycle.moveToStarted(Lifecycle.java:130) ~[graylog.jar:?]
>>>>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[graylog.jar:?]
>>>>         at org.elasticsearch.transport.TransportService.doStart(TransportService.java:182) ~[graylog.jar:?]
>>>>         at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:68) ~[graylog.jar:?]
>>>>         at org.elasticsearch.node.Node.start(Node.java:278) ~[graylog.jar:?]
>>>>         at org.graylog2.initializers.IndexerSetupService.startUp(IndexerSetupService.java:114) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>>
>>>>
>>>> 2016-07-06T14:02:43.202-05:00 ERROR [ServiceManager] Service RestApiService [FAILED] has failed in the STOPPING state.
>>>> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>>>         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_73]
>>>>         at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_73]
>>>>         at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_71]
>>>>         at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_73]
>>>>         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_73]
>>>>         at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_71]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:187) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:158) ~[graylog.jar:?]
>>>>         at org.graylog2.shared.initializers.RestApiService.startUp(RestApiService.java:65) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>>>>         at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>>>>         at java.lang.Thread.run(Thread.java:745) [?:1.8.0_73]
>>>> 2016-07-06T14:02:43.206-05:00 ERROR [ServerBootstrap] Graylog startup failed. Exiting. Exception was:
>>>> java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[RestApiService [STARTING], IndexerSetupService [STARTING]], FAILED=[WebInterfaceService [FAILED]]}
>>>>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:713) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:542) ~[graylog.jar:?]
>>>>         at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:299) ~[graylog.jar:?]
>>>>         at org.graylog2.bootstrap.ServerBootstrap.startCommand(ServerBootstrap.java:129) [graylog.jar:?]
>>>>         at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:209) [graylog.jar:?]
>>>>         at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
>>>>
>>>>
>>>> --Dave C. 
>>>>
>>>>
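
An added example, not part of the original messages and not Graylog or JDK code: tag 48 in the exception above is 0x30, the DER SEQUENCE tag, and the failing frame is the JDK's PBES2Parameters, so a useful check is which password-based encryption scheme the ENCRYPTED PRIVATE KEY file declares. This Python sketch reads the key's AlgorithmIdentifier and returns its OID plus the tag of the first parameter element; the function names are illustrative and both sample keys are constructed with dummy salt, IV and ciphertext.

```python
import base64

PBES2_OID = "1.2.840.113549.1.5.13"  # id-PBES2 from PKCS#5 v2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted form (single-byte first octet only)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_encryption_info(pem_text):
    """Return (algorithm OID, tag of first parameter element) for an encrypted PKCS#8 key."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        raise ValueError("not an encrypted PKCS#8 PEM: " + lines[0])
    der = base64.b64decode("".join(lines[1:-1]))
    _, pos, _ = read_tlv(der, 0)          # EncryptedPrivateKeyInfo SEQUENCE
    _, pos, _ = read_tlv(der, pos)        # encryptionAlgorithm AlgorithmIdentifier
    tag, start, end = read_tlv(der, pos)  # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected an OID, got tag %d" % tag)
    _, pos, _ = read_tlv(der, end)        # parameters SEQUENCE
    first_tag, _, _ = read_tlv(der, pos)  # first element inside the parameters
    return decode_oid(der[start:end]), first_tag

def tlv(tag, body):
    """Short-form DER encoder, used only to build the constructed samples."""
    return bytes([tag, len(body)]) + body

def sample_pem(alg_oid_hex, params):
    """Constructed key: real AlgorithmIdentifier layout, dummy ciphertext."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(alg_oid_hex)) + tlv(0x30, params))
    b64 = base64.b64encode(tlv(0x30, alg + tlv(0x04, b"\x00" * 16))).decode()
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 +
            "\n-----END ENCRYPTED PRIVATE KEY-----\n")

SALT_ITER = tlv(0x04, b"\x01" * 8) + tlv(0x02, b"\x08\x00")  # salt, 2048 iterations
KDF = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01050c")) + tlv(0x30, SALT_ITER))  # PBKDF2
ENC = tlv(0x30, tlv(0x06, bytes.fromhex("60864801650304012a")) + tlv(0x04, b"\x02" * 16))  # AES-256-CBC
PBES2_PEM = sample_pem("2a864886f70d01050d", KDF + ENC)    # PKCS#5 v2 (PBES2) layout
PBES1_PEM = sample_pem("2a864886f70d010c0103", SALT_ITER)  # pbeWithSHA1And3-KeyTripleDES-CBC

if __name__ == "__main__":
    for name, pem in (("PBES2 sample", PBES2_PEM), ("PBES1 sample", PBES1_PEM)):
        print(name, key_encryption_info(pem))
```

To inspect a real key, pass the text of the PEM file (for example the KEY.pem configured in server.conf) to key_encryption_info; the password is not needed because only the unencrypted algorithm header is read.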
