
Default to use system jks on debian/ubuntu/redhat #135

Open
@aseques

Description

Expected Behavior

Graylog should use the system certificate storage to allow for easy and general certificate and CA management.

Current Behavior

By default it seems that Graylog is not using any truststore for certificates on the default setup on Ubuntu (I guess it's the same also on Debian and Red Hat).
To be able to use LDAPS on a local Windows domain I am retrieving the SSL certificates and adding them in /usr/local/share/ca-certificates/.
Then you do sudo update-ca-certificates and the system certificate storage adds those certificates both to the common cert directory (under /etc/ssl/certs/) and into the system Java truststore at /etc/ssl/certs/java/cacerts.
Unfortunately Graylog uses neither of them.


Possible Solution

In the file /etc/default/graylog-server I changed the line

GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"

To
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"

And then restarted Graylog. After this I can check the "verify certificate" box.

Context

This issue makes it more difficult to set up LDAPS for authentication, and Microsoft is trying to deprecate non-SSL LDAP.

Your Environment

  • Graylog Version: 6.0.3-1
  • Java Version: 11.0.23+9-1ubuntu1~22.04.1
  • OpenSearch Version: 2.12.0
  • MongoDB Version: 6.0.15
  • Operating System: Ubuntu 22.04

Some notes about the Java flags were taken from here.
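The two manual steps in the report (install the CA into the system store, then point the JVM at /etc/ssl/certs/java/cacerts) as a small POSIX shell script. This is an added example, not code from the issue or from the Graylog project. It assumes the Debian/Ubuntu ca-certificates layout (the update-ca-certificates hook only picks up PEM files ending in .crt, and the ca-certificates-java hook mirrors them into /etc/ssl/certs/java/cacerts with the default password "changeit"), that keytool is on PATH for the verification step, and that the defaults file carries a GRAYLOG_SERVER_JAVA_OPTS="..." line as shown above. One caveat worth keeping in mind: -Djavax.net.ssl.trustStore replaces the JVM's default truststore rather than adding to it, so the file it names must also contain the public roots; the Debian/Ubuntu system cacerts is built from the full /etc/ssl/certs bundle, so that holds here, but a hand-made JKS holding only the domain CA would break every other TLS connection Graylog makes.

```shell
# Added example, not code from the issue or from Graylog.
# Assumptions: Debian/Ubuntu ca-certificates layout, the system Java
# truststore at /etc/ssl/certs/java/cacerts with the default password
# "changeit", and a GRAYLOG_SERVER_JAVA_OPTS="..." line in the defaults file.
set -eu

CA_DIR=/usr/local/share/ca-certificates
JAVA_CACERTS=/etc/ssl/certs/java/cacerts
TRUSTSTORE_FLAG="-Djavax.net.ssl.trustStore=$JAVA_CACERTS"

# install_system_ca PEMFILE NAME
# Step 1 of the report: drop the *issuing CA* (not the LDAP server's leaf
# certificate) into the local CA directory and rebuild the system stores.
# update-ca-certificates only picks up PEM files ending in .crt, and the
# ca-certificates-java hook then mirrors them into $JAVA_CACERTS. Needs root.
install_system_ca() {
    pem="$1"
    name="$2"
    cp "$pem" "$CA_DIR/$name.crt"
    update-ca-certificates
}

# add_truststore_flag FILE
# Step 2 of the report: point the JVM at the system truststore by appending
# -Djavax.net.ssl.trustStore=... to the GRAYLOG_SERVER_JAVA_OPTS line.
# Idempotent: a file that already names a trustStore is left untouched,
# and a file without the assignment gets a new line appended.
add_truststore_flag() {
    file="$1"
    if grep -q -- 'javax.net.ssl.trustStore=' "$file"; then
        return 0
    fi
    if ! grep -q '^GRAYLOG_SERVER_JAVA_OPTS="' "$file"; then
        printf 'GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS %s"\n' "$TRUSTSTORE_FLAG" >> "$file"
        return 0
    fi
    # Insert the flag just before the closing quote of every assignment line.
    # A temp file keeps this portable (BSD sed has a different -i syntax).
    sed "s|^\(GRAYLOG_SERVER_JAVA_OPTS=\"[^\"]*\)\"|\1 $TRUSTSTORE_FLAG\"|" "$file" > "$file.tmp.$$"
    mv "$file.tmp.$$" "$file"
}

# truststore_has ALIAS [STORE]
# The check the reporter did by hand: confirm the CA really landed in the
# Java truststore before restarting graylog-server. Debian names imported
# entries "debian:<file>", so the .crt basename is a good ALIAS to grep for.
# Returns 2 if keytool is not installed.
truststore_has() {
    alias="$1"
    store="${2:-$JAVA_CACERTS}"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    keytool -list -keystore "$store" -storepass changeit 2>/dev/null | grep -qi -- "$alias"
}

# Typical run (as root), with a hypothetical CA file name:
#   install_system_ca dc01-issuing-ca.pem dc01-issuing-ca
#   truststore_has dc01-issuing-ca
#   add_truststore_flag /etc/default/graylog-server
#   systemctl restart graylog-server
```

Running add_truststore_flag against the defaults line quoted in the report produces exactly the line the reporter ended up with; running it a second time changes nothing, which matters when the step lives in a provisioning script that is re-applied.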
