Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Use a different location for auto-generated self-signed certificates #1594

Open kroepke opened 8 years ago

kroepke commented 8 years ago

This is an issue if using self-signed certs for inputs. The files apparently end up in /tmp which can be a problem if some job cleans old files on some distributions.

```
2015-11-30T14:17:43.726+01:00 WARN  [AbstractNioSelector] Failed to initialize an accepted socket.
java.io.FileNotFoundException: /tmp/keyutil_0.0.0.0:null_4781007538124841383.crt (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at org.graylog2.plugin.inputs.transports.util.KeyUtil.initKeyStore(KeyUtil.java:116)
	at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:194)
	at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:175)
	at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:171)
	at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:116)
	at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134)
	at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104)
	at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
	at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42)
	at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
	at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
```
kroepke commented 8 years ago

A workaround is to set java.io.tmpdir to something that isn't cleaned.

joschi commented 8 years ago

IMHO the generated private key and certificate should only be used for demonstration purposes but not in a production environment, so I'd tend to not fix this issue but make it clear in the documentation.

kenshin33 commented 8 years ago

What joschi said. I was using self-signed certificates (ones I generated). After setting up TLS inputs in graylog2-web, the server at the other end didn't complain loudly enough when it didn't actually find the keys/certs. It almost silently generated a bunch of them in /tmp and went on its merry way. If the key size and the names (I set up a CA for other purposes) in the certs hadn't been off, I wouldn't have noticed at all.
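
The silent fall-back this comment describes is something an operator can check for before and after starting an input. The Python below is an added example, not Graylog's own code: it assumes, as the comments above state, that an input whose configured cert or key file is missing ends up with a generated pair under `java.io.tmpdir`, and it looks in server log lines for the `keyutil_` paths that appear in the stack trace in this issue. The `VOLATILE_DIRS` list, the function names and the embedded sample log line (copied from the trace above) are the example's own assumptions.

```python
"""Pre-flight and log checks for Graylog TLS input key material (added example)."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Directories that distribution tmp-cleaner jobs commonly sweep (assumed list).
VOLATILE_DIRS = ("/tmp", "/var/tmp")

# Matches the auto-generated files named in the issue's stack trace, e.g.
# /tmp/keyutil_0.0.0.0:null_4781007538124841383.crt
KEYUTIL_RE = re.compile(r"(?P<path>/\S*keyutil_\S+\.(?:crt|key))")

# Sample line taken from the stack trace quoted in this issue.
SAMPLE_LOG = (
    "2015-11-30T14:17:43.726+01:00 WARN [AbstractNioSelector] Failed to initialize "
    "an accepted socket. java.io.FileNotFoundException: "
    "/tmp/keyutil_0.0.0.0:null_4781007538124841383.crt (No such file or directory)"
)


def is_volatile(path: str) -> bool:
    """True if the path lives under a directory a tmp cleaner may sweep."""
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + os.sep) for d in VOLATILE_DIRS)


def check_tls_input(cert_path: Optional[str], key_path: Optional[str],
                    java_tmpdir: str = "/tmp") -> List[Tuple[str, str]]:
    """Return (level, message) findings for one TLS input's configuration.

    An empty or unreadable cert/key means the server falls back to a generated
    self-signed pair under java.io.tmpdir (behaviour described in the issue).
    """
    findings: List[Tuple[str, str]] = []
    if not cert_path or not key_path:
        findings.append(("WARN", "no cert/key configured; input will use an "
                                 "auto-generated self-signed certificate"))
        if is_volatile(java_tmpdir):
            findings.append(("WARN", f"java.io.tmpdir={java_tmpdir} may be swept by a "
                                     "tmp cleaner while the input is running"))
        return findings
    for label, path in (("cert", cert_path), ("key", key_path)):
        if not os.path.isfile(path):
            findings.append(("ERROR", f"{label} file {path} does not exist; the input "
                                      "would silently fall back to generated material"))
        elif is_volatile(path):
            findings.append(("WARN", f"{label} file {path} is in a volatile directory"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag log lines that reference an auto-generated keyutil file.

    Returns (path, state) pairs; state is 'missing' when the line reports a
    FileNotFoundException (the file was already cleaned up), else 'in-use'.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = KEYUTIL_RE.search(line)
        if not match:
            continue
        state = "missing" if "FileNotFoundException" in line else "in-use"
        hits.append((match.group("path"), state))
    return hits


if __name__ == "__main__":
    for level, msg in check_tls_input(None, None):
        print(f"{level}: {msg}")
    for path, state in scan_log([SAMPLE_LOG]):
        print(f"generated key material referenced: {path} ({state})")
```

Run the configuration check against each TLS input's `tls_cert_file` / `tls_key_file` values at deploy time, and feed `scan_log` the server log: any `keyutil_` hit means an input is running on generated material rather than the certificate you intended, whether or not the file has been cleaned up yet.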

kroepke commented 8 years ago

related to #2054