graylog-labs / graylog2-web-interface

[DEPRECATED]
https://www.graylog.org/

Graylog-web pretends to be listening for HTTPS but it's not true #1725

Closed varnav closed 8 years ago

varnav commented 8 years ago

I've edited /usr/share/graylog-web/bin/graylog-web to look like:

JAVA_OPTS="$JAVA_OPTS -Dhttps.address=$GRAYLOG_WEB_HTTP_ADDRESS"
JAVA_OPTS="$JAVA_OPTS -Dhttps.port=$GRAYLOG_WEB_HTTP_PORT"
JAVA_OPTS="$JAVA_OPTS -Dhttp.port=disabled"

This is supposed to switch it from HTTP to HTTPS mode.

After starting it I see in the log:

Listening for HTTPS on port /0:0:0:0:0:0:0:0:9000
Using generated key with self signed certificate for HTTPS. This should not be used in production.

Generating HTTPS key pair in /usr/share/graylog-web/conf/generated.keystore - this may take some time. If nothing happens, try moving the mouse/typing on the keyboard to generate some entropy.

2016-03-04T08:41:24.748+03:00 - [ERROR] - from play in New I/O server boss #18
cannot load SSL context
...
Caused by: java.io.FileNotFoundException: /usr/share/graylog-web/conf/generated.keystore (Permission denied)

In fact it still is using HTTP, and /usr/share/graylog-web/conf/generated.keystore does not exist.

joschi commented 8 years ago

@varnav Make sure that the user running graylog-web is allowed to write into /usr/share/graylog-web/ or provide a proper Java Keystore containing your private key and certificate in the first place (recommended).

Also see https://www.playframework.com/documentation/2.3.x/ConfiguringHttps

varnav commented 8 years ago

Thanks, it was the permissions problem. But more importantly:

  1. Log messages were not true. It was not listening for HTTPS.
  2. -Dhttp.port=disabled was set, but HTTP was not actually disabled.
  3. No error messages that keypair generation has failed.
  4. Docs do not mention permission change.

P.S. Will HTTPS be turned on by default in future versions?

joschi commented 8 years ago

@varnav That log message was generated by the Play Framework, not much we can do about that. This being said, this is the legacy web interface and will be completely replaced in Graylog 2.0.0.

> Will HTTPS be turned on by default in future versions?

No.
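
The thread's central point is that the startup log claimed HTTPS while the port still served plain HTTP. The following check is an added example, not part of the original thread or of Graylog's code: it probes a listener directly instead of trusting the log line. The function name `probe_listener` and the loopback default are assumptions; port 9000 is taken from the log above.

```python
import socket
import ssl
import sys


def probe_listener(host, port, timeout=3.0):
    """Classify host:port as 'tls', 'plaintext-http', 'unknown' or 'closed'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, unreachable or timed out

    ctx = ssl.create_default_context()
    # Only the protocol is identified here, so a self-signed certificate such
    # as the one in generated.keystore is accepted. This is not a trust check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed
        except OSError:
            pass  # ssl.SSLError, reset or timeout: the peer did not speak TLS

    # Second connection: does the same port answer a plain HTTP request?
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Assumed defaults: loopback and port 9000, the port shown in the log above.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9000
    result = probe_listener(host, port)
    print(f"{host}:{port} -> {result}")
    sys.exit(0 if result == "tls" else 1)
```

Run after each restart of the service, a non-zero exit status flags a listener that fell back to plain HTTP even though the log reports HTTPS.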