Graylog2 / fpm-recipes

Graylog package build recipes
http://docs.graylog.org/en/latest/pages/installation/operating_system_packages.html

Default to use system jks on debian/ubuntu/redhat #135

Open aseques opened 1 week ago

aseques commented 1 week ago

Expected Behavior

Graylog should use the system certificate storage to allow for easy and general certificate and CA management.

Current Behavior

By default it seems that Graylog is not using any truststore for certificates on the default setup on Ubuntu (I guess it's the same also on Debian and Red Hat). To be able to use LDAPS on a local Windows domain I am retrieving the SSL certificates and adding them in /usr/local/share/ca-certificates/. Then you run sudo update-ca-certificates and the system certificate storage adds those certificates both to the common cert directory (under /etc/ssl/certs/) and into the system Java truststore at /etc/ssl/certs/java/cacerts. Unfortunately Graylog does not use either of them.


Possible Solution

In the file /etc/default/graylog-server I changed the line

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"

to GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"

And then I restarted Graylog; after this I can check that the certificate is verified.

Context

This issue makes it more difficult to set up LDAPS for authentication, and Microsoft is trying to deprecate non-SSL LDAP.

Your Environment

Some notes about the Java flags were taken from here.
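The workaround above hinges on two things: the JVM options in /etc/default/graylog-server actually carrying a -Djavax.net.ssl.trustStore flag, and the file it points at containing the CA you imported with update-ca-certificates. The following POSIX shell snippet is an added example for checking both; it is not part of this issue or of the fpm-recipes project. The sample defaults file it writes is constructed from the line quoted above, the function names are mine, and the "changeit" trust-store password is the JDK default assumed here, not something the issue states.

```shell
#!/bin/sh
# Added example (not from the issue or the project): verify that Graylog's JVM
# options point at the system Java trust store and that a CA alias is present
# in it. Function names, the sample file and the default password are assumptions.

# Print the value of -Djavax.net.ssl.trustStore found in a defaults file.
# $1: path to a /etc/default/graylog-server-style file. Prints nothing if unset.
graylog_truststore_path() {
    # Only GRAYLOG_SERVER_JAVA_OPTS lines matter; the last assignment wins,
    # which mirrors how the shell would evaluate the file.
    grep '^GRAYLOG_SERVER_JAVA_OPTS=' "$1" 2>/dev/null \
        | sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' \
        | tail -n 1
}

# Return 0 when the defaults file selects the expected trust store path.
# $1: defaults file, $2: expected trust store (e.g. /etc/ssl/certs/java/cacerts)
graylog_uses_system_truststore() {
    [ "$(graylog_truststore_path "$1")" = "$2" ]
}

# Return 0 when alias $2 is present in trust store $1. Requires keytool from a
# JRE/JDK; $3 is the store password (assumed JDK default "changeit").
# Returns 2 if keytool is unavailable so callers can tell "unknown" from "absent".
truststore_has_alias() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    keytool -list -keystore "$1" -storepass "${3:-changeit}" -alias "$2" >/dev/null 2>&1
}

# Write a constructed copy of the modified defaults line from the issue to $1,
# so the checks above can be exercised without touching a real system.
write_sample_defaults() {
    cat > "$1" <<'EOF'
# constructed sample, mirrors the workaround line from the issue
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"
EOF
}
```

On a real host, source the file and run `graylog_uses_system_truststore /etc/default/graylog-server /etc/ssl/certs/java/cacerts && truststore_has_alias /etc/ssl/certs/java/cacerts <your-ca-alias>`; the alias is whatever update-ca-certificates assigned, which `keytool -list` without `-alias` will show.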

drewmiranda-gl commented 1 week ago

Great writeup above with lots of detail. Also glad that article was useful :)

I do think there is room for improvement and personally I would love to see this managed via the UI. I'm not sure this qualifies as a bug unfortunately, since it is working as designed. I'll defer to the people who will triage the issue to determine if a feature request should be opened in its place.