[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-28 Thread Drew Miranda
It looks like v2 is now fully released. Any idea on how I can get this 
working? Is it a bug?

On Friday, April 15, 2016 at 7:43:32 AM UTC-5, Drew Miranda wrote:
>
> I tested removing the extra characters before BEGIN
>
> This STILL did not help. I'm at a loss.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/2c0a1a13-eb63-4835-9c3d-c318a67ebcda%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-15 Thread Drew Miranda
I tested removing the extra characters before BEGIN

This STILL did not help. I'm at a loss.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Okay, quick update, I did some quick searching and found this, 
https://community.oracle.com/thread/1534464?start=0 which sounds exactly like 
the issue. My cert chain file does have extra characters in it. I'll test this 
tomorrow.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-14 Thread Drew Miranda
Thanks for that command. So I'm able to extract my private key from the 
original Java keystore (because this is where the original private key was 
created) and convert it to p12 and then pkcs8. I can verify the key is ASCII 
readable and is encoded and passes checks when viewing via openssl.

However, I'm still confused about the public cert. I think the documentation is 
saying I need an x.509 pkcs8 cert but there seems to be a contradiction. 
Anything that I can find and all commands that generate a valid pkcs8 cert only 
seem to contain the private key.

If I just output an ASCII readable pem of the base 64 certificate chain, to me, 
that appears to be the closest I can get. 

So anyways, this is all to say I have what I think are the correct cert and key 
yet I'm still getting that same error. I've probably spent about 4 hours 
testing and reading up on x.509. Any help?



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Bernie Carolan
I used this format to convert existing keys, seems to work ok.

openssl pkcs8 -nocrypt -topk8 -in /etc/pki/tls/private/graylog-server.key -out /etc/pki/tls/private/graylog-server.pk8

On Wednesday, April 13, 2016 at 4:13:15 AM UTC+10, Drew Miranda wrote:
>
> Any quick tips on the command to use with openssl to output the correct 
> format? I found enough documentation to interchange formats but am unclear 
> on the exact switches.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Drew Miranda
Any quick tips on the command to use with openssl to output the correct format? 
I found enough documentation to interchange formats but am unclear on the exact 
switches.



[graylog2] Re: Web Interface Certificate differences from v1 and v2

2016-04-12 Thread Jochen Schalanda
Hi Drew,

you're right, the migration path from Graylog 1.x to 2.x isn't very clearly 
documented yet. We'll eventually fix that once Graylog 2.0.0 has been 
released.

The private key has to be in PKCS#8 format stored as PEM (not DER). The 
X.509 certificate also has to be stored in PEM format.


Cheers,
Jochen

On Tuesday, 12 April 2016 16:27:10 UTC+2, Drew Miranda wrote:
>
> Hi all, has anyone had any success converting their TLS certificates for 
> graylog web from versions 1 (e.g. 1.3.x) to version 2 of graylog?
>
> Maybe I'm just not getting it, but I'm having trouble figuring out EXACTLY 
> what file format the certificate needs to be in.
>
> Previously with v1.x web interface it used a javakeystore. HOWEVER, this 
> is no longer in use and the upgrade path is not clear.
>
> I found some documentation that talks about exporting keys from the 
> keystore but the terminology is very inconsistent depending on the 
> webpage/documentation.
>
> I got as far as exporting the "private key" 
> (no clue if this is the correct format)
> keytool -importkeystore -srckeystore graylog2.keystore -destkeystore new-store.p12 -deststoretype PKCS12
> openssl pkcs12 -info -in new-store.p12
> openssl pkcs12 -in new-store.p12 -nocerts -out gl2web_privateKey.pem
>
> to produce supposedly what the documentation for graylog claims it needs,
>
> I do something similar for the public key
> keytool -export -keystore graylog2.keystore -alias graylog2key -file Example.cer
> openssl x509 -in Example.cer -inform der -text -noout
> openssl x509 -inform der -in Example.cer -out gl2web_publickey.pem
>
> I get this error
>
> I end up with this error which is vague, but I think tells me my 
> certificate configuration is useless.
>
> 2016-04-12 10:06:27,503 ERROR: com.google.common.util.concurrent.ServiceManager - Service WebInterfaceService [FAILED] has failed in the STARTING state.
> java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>     at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:1.8.0_77]
>     at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:1.8.0_77]
>     at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_77]
>     at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_77]
>     at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:1.8.0_77]
>     at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:1.8.0_77]
>     at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:1.8.0_77]
>     at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_77]
>     at org.graylog2.shared.security.tls.PemKeyStore.generateKeySpec(PemKeyStore.java:69) ~[graylog.jar:?]
>     at org.graylog2.shared.security.tls.PemKeyStore.buildKeyStore(PemKeyStore.java:96) ~[graylog.jar:?]
>     at org.graylog2.shared.initializers.AbstractJerseyService.buildSslEngineConfigurator(AbstractJerseyService.java:185) ~[graylog.jar:?]
>     at org.graylog2.shared.initializers.AbstractJerseyService.setUp(AbstractJerseyService.java:156) ~[graylog.jar:?]
>     at org.graylog2.initializers.WebInterfaceService.startUp(WebInterfaceService.java:46) ~[graylog.jar:?]
>     at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:60) [graylog.jar:?]
>     at com.google.common.util.concurrent.Callables$3.run(Callables.java:100) [graylog.jar:?]
>     at java.lang.Thread.run(Thread.java:745) [?:1.8.0_77]
>
>

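
Added example, not part of any message in this thread and not Graylog code: a shell check for the two things the thread turns on, which PEM block type a key file holds (the requirement stated above is PKCS#8 in PEM) and whether there is text outside the BEGIN/END lines (the "extra characters before BEGIN"). The function names and the sample file are made up for illustration; the sample mimics the attribute lines `openssl pkcs12` writes ahead of the key, and its base64 body is a placeholder.

```shell
#!/bin/sh
# Added example: classify a PEM file by its first BEGIN label and find text
# outside the BEGIN/END blocks. Labels only; nothing is decoded or decrypted.

pem_kind() {
    label=$(tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
        "PRIVATE KEY")            echo "pkcs8-unencrypted" ;;  # what -topk8 -nocrypt writes
        "ENCRYPTED PRIVATE KEY")  echo "pkcs8-encrypted" ;;
        "RSA PRIVATE KEY"|"EC PRIVATE KEY"|"DSA PRIVATE KEY") echo "traditional" ;;
        "CERTIFICATE")            echo "x509-certificate" ;;
        "")                       echo "not-pem" ;;            # DER or empty file
        *)                        echo "other" ;;
    esac
}

# Number of non-blank lines that sit outside any BEGIN/END block.
pem_stray_lines() {
    tr -d '\r' < "$1" | awk '/^-----BEGIN /{inside=1}
        !inside && NF {n++}
        /^-----END /{inside=0}
        END {print n+0}'
}

# Print only the PEM blocks, dropping everything around them.
pem_strip() {
    tr -d '\r' < "$1" | awk '/^-----BEGIN /{inside=1} inside{print} /^-----END /{inside=0}'
}

# Constructed sample: attribute text followed by an encrypted PKCS#8 block.
# The base64 body is a placeholder, not a real key.
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: graylog2key
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=
-----END ENCRYPTED PRIVATE KEY-----
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "kind=$(pem_kind "$sample") stray=$(pem_stray_lines "$sample")"
pem_strip "$sample" > "$sample.clean"
echo "after strip: stray=$(pem_stray_lines "$sample.clean")"
rm -f "$sample" "$sample.clean"
```

A key file that reports `pkcs8-encrypted` or `traditional` is one to pass through the `openssl pkcs8 -nocrypt -topk8` command quoted earlier in the thread; a non-zero stray count on the key or the certificate chain is the text to strip before pointing the server at the file.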