Closed onedaywillcome1 closed 8 years ago
I saw a similar problem in [https://github.com/Graylog2/graylog2-server/issues/2186] and tried to add my openssl x509 pem file to the JDK keystore with keytool as below, but I am still getting "Unable to call" warning messages in the graylog log file:
jdk1.8.0_66/bin/keytool -trustcacerts -keystore cacerts -storepass changeit -noprompt -importcert -file /etc/graylog/server/x509key.pem
Logs:
2016-05-05T13:38:02.534Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:03.627Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:03.685Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:04.836Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:04.940Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
2016-05-05T13:38:05.073Z WARN [ProxiedResource] Unable to call http://10.0.26.10:12900/system/metrics/multiple on node <fea7225f-ff92-4cd7-ac17-2adffb9d2c61>, caught exception: unexpected end of stream on okhttp3.Address@2b5fd040 (class java.io.IOException)
...
What happens when you try to get http://10.0.26.10:12900/system/metrics/multiple using valid credentials from the Graylog server machine you are connecting against with the web interface?
@dennisoelkers http://10.0.26.10:12900/system/metrics/multiple is not reachable. But when I try to get https://10.0.26.10:12900/system/metrics/multiple, it gives the following message:
{"type":"ApiError","message":"HTTP 405 Method Not Allowed"}
I noticed that, in addition to getting the warning messages, I am not able to start an input after creating it via https. The web UI gives the following error:
Input 'GELF TCP' could not be started Request to start input 'GELF TCP' failed. Check your Graylog logs for more information.
By the way, I also tried to reach http://10.0.26.10:12900/system/metrics/multiple with the https features disabled in the graylog config, but I am still getting the following message:
{"type":"ApiError","message":"HTTP 405 Method Not Allowed"}
I enabled rest_transport_uri and disabled web_endpoint_uri in the graylog config. I am still getting warning messages, but this time the warning messages changed.
Graylog config:
rest_listen_uri = https://0.0.0.0:12900/
rest_transport_uri = https://<public-ip>:12900
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/server/x509key.pem
rest_tls_key_file = /etc/graylog/server/pkc8key.pem
web_listen_uri = https://0.0.0.0:9000/
#web_endpoint_uri = https://<public-ip>:12900 (Commented)
web_enable_tls = true
web_tls_cert_file = /etc/graylog/server/x509key.pem
web_tls_key_file = /etc/graylog/server/pkc8key.pem
Warning messages:
2016-05-09T11:09:29.838Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/metrics/multiple on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
2016-05-09T11:09:30.008Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/metrics/multiple on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
2016-05-09T11:09:31.971Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/metrics/multiple on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
2016-05-09T11:09:34.416Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/inputstates on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
2016-05-09T11:09:34.979Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/metrics/multiple on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
2016-05-09T11:09:36.002Z WARN [ProxiedResource] Unable to call https://10.0.26.10:12900/system/inputstates on node <78638bca-cc35-45b6-96f3-89c5e8cde52b>, caught exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)
When I try to get https://10.0.26.10:12900/system/inputstates in a web browser, I get the following message:
{"states":[{"id":"572c93c3a6c2e4014d9c0f11","state":"RUNNING","started_at":"2016-05-09T11:09:23.240Z","detailed_message":null,"message_input":{"title":"GELF TCP","global":false,"name":"GELF TCP","content_pack":null,"created_at":"2016-05-06T12:53:23.382Z","type":"org.graylog2.inputs.gelf.tcp.GELFTCPInput","creator_user_id":"admin","attributes":{"recv_buffer_size":1048576,"tcp_keepalive":false,"use_null_delimiter":true,"tls_client_auth_cert_file":"","bind_address":"0.0.0.0","tls_cert_file":"","port":12201,"tls_key_file":"","tls_enable":false,"tls_key_password":"","max_message_size":2097152,"tls_client_auth":"disabled","override_source":null},"static_fields":{},"node":"78638bca-cc35-45b6-96f3-89c5e8cde52b","id":"572c93c3a6c2e4014d9c0f11"}}]}
When I try to get https://10.0.26.10:12900/system/metrics/multiple:
{"type":"ApiError","message":"HTTP 405 Method Not Allowed"}
I tried to import my x509key.pem into the keystore with keytool using the following command and restarted graylog-server, but I am still getting the above warning messages:
[ec2-user@ip-10-0-26-10 bin]$ sudo /jdk1.8.0_66/jre/bin/keytool -trustcacerts -keystore ~/jdk1.8.0_66/jre/lib/security/cacerts -storepass changeit -alias tomcat7 -noprompt -importcert -file /etc/graylog/server/x509key.pem
[ec2-user@ip-10-0-26-10 bin]$ /jdk1.8.0_66/jre/bin/keytool -list -keystore ~/jdk1.8.0_66/jre/lib/security/cacerts
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat7, May 9, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
tomcat5, May 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
mykey, May 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
Configuring rest_transport_uri is correct, but you still need to configure web_endpoint_uri if you set web_listen_uri to 0.0.0.0. The remaining error (sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (class javax.net.ssl.SSLHandshakeException)) means that your Graylog server does not trust the certificate of the Graylog server it connects to (even if it connects back to itself). Therefore make sure you have added the correct certificate (preferably the CA cert) to the correct keystore used by the Graylog server.
As this is not a bug in the Graylog server, I will close this issue now. If you need additional help, please use the Graylog mailing list (see https://www.graylog.org/community-support).
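The keytool listing posted above shows the same SHA1 fingerprint under three aliases, and the PKIX error persisting means the JVM that runs graylog-server is not reading that keystore (or the certificate in it is not the one the server presents). The following script, added here as an example and not part of the thread or of Graylog, checks a PEM certificate against `keytool -list` output: it parses the listing, computes the certificate's SHA1 fingerprint in keytool's format, reports which aliases trust it, and flags the same certificate imported under several aliases. The listing is a constructed copy in the shape of the one above; the PEM is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re
import ssl

# Constructed sample: `keytool -list` output in the same shape as the listing in this thread.
SAMPLE_LISTING = """Your keystore contains 3 entries

tomcat7, May 9, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
tomcat5, May 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
mykey, May 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): C2:D3:0C:11:AB:50:EE:18:1D:D8:78:88:1D:7B:1D:3D:AC:E7:D0:BB
"""

# Constructed placeholder standing in for /etc/graylog/server/x509key.pem (not a real X.509 cert).
CONSTRUCTED_DER = b"constructed placeholder bytes, not a real X.509 certificate"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")

# One keytool entry: "alias, date, entryType," followed by the fingerprint line.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?P<date>.+?), (?P<kind>\w+),\s*\n"
    r"Certificate fingerprint \((?P<algo>[\w-]+)\): (?P<fp>[0-9A-F:]+)",
    re.MULTILINE,
)


def parse_keytool_list(listing):
    """Return (alias, entry type, digest algorithm, fingerprint) tuples from `keytool -list` output."""
    return [(m["alias"], m["kind"], m["algo"], m["fp"]) for m in ENTRY_RE.finditer(listing)]


def sha1_fingerprint(der):
    """SHA1 fingerprint of a DER certificate in keytool's colon-separated upper-case form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def aliases_trusting(pem_text, listing):
    """Aliases whose trusted entry matches the PEM cert; an empty list reproduces the PKIX failure."""
    wanted = sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))
    return [alias for alias, kind, algo, fp in parse_keytool_list(listing)
            if kind == "trustedCertEntry" and algo == "SHA1" and fp == wanted]


def duplicate_fingerprints(listing):
    """Map fingerprint -> aliases for certificates imported more than once (as in the thread)."""
    seen = {}
    for alias, _kind, _algo, fp in parse_keytool_list(listing):
        seen.setdefault(fp, []).append(alias)
    return {fp: aliases for fp, aliases in seen.items() if len(aliases) > 1}
```

Run it against the listing of the keystore the graylog-server JVM actually uses: the one under that JVM's own java.home, or the file named by the JSSE `javax.net.ssl.trustStore` system property when that is set.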
Problem description
I installed graylog 2.0.0 on my Amazon instance and reached the web dashboard via http. Everything was OK. Then, for security reasons, I enabled the https feature in the graylog config. I again successfully reached the web dashboard via https. However, after clicking the sign-in button, I noticed that a warning message is written to the log file every second. I didn't understand what causes that problem. Here is my graylog config:
I created my certificates as follows:
Here is my log file:
Environment