Input is starting although generating TLS cert fails #2054

Closed
dennisoelkers opened this Issue Apr 12, 2016 · 1 comment

dennisoelkers commented Apr 12, 2016

Problem description

When an input is configured to use TLS and no cert/key is given, it tries to generate one when it's started. Even if this fails, the input is started anyway, but without TLS.

Relevant snippet from the server log:

2016-04-12 11:35:28,123 WARN : org.graylog2.plugin.inputs.transports.AbstractTcpTransport - TLS key file or certificate file does not exist, creating a self-signed certificate for input [Syslog TCP/570cbcaae38726ad8b069d9a].
2016-04-12 11:35:28,125 INFO : org.graylog2.inputs.InputStateListener - Input [Syslog TCP/570cbcaae38726ad8b069d9a] is now STARTING
2016-04-12 11:35:28,180 ERROR: org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Problem creating a self-signed certificate for input [Syslog TCP/570cbcaae38726ad8b069d9a].
java.security.cert.CertificateException: No provider succeeded to generate a self-signed certificate. See debug log for the root cause.
    at org.jboss.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:115) ~[graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at org.jboss.netty.handler.ssl.util.SelfSignedCertificate.<init>(SelfSignedCertificate.java:82) ~[graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at org.graylog2.plugin.inputs.transports.AbstractTcpTransport.getBaseChannelHandlers(AbstractTcpTransport.java:146) [graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at org.graylog2.plugin.inputs.transports.NettyTransport.launch(NettyTransport.java:124) [graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153) [graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at org.graylog2.shared.inputs.InputLauncher$1.run(InputLauncher.java:84) [graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog2-server-2.0.0-beta.3-SNAPSHOT-shaded.jar:?]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_31]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_31]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_31]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_31]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_31]
2016-04-12 11:35:28,184 INFO : org.graylog2.inputs.InputStateListener - Input [Syslog TCP/570cbcaae38726ad8b069d9a] is now RUNNING

Steps to reproduce the problem

  1. Make sure that the JDK's tmpdir is not writable (for example by specifying -Djava.io.tmpdir=... and removing the dir after startup)
  2. Create a TCP-based input and enable TLS, but do not pass a cert/key path

Environment

  • Graylog Version: 2.0.0-beta.3-SNAPSHOT
  • Elasticsearch Version:
  • MongoDB Version:
  • Operating System:
  • Browser version:

@dennisoelkers dennisoelkers added this to the 2.0.0 milestone Apr 12, 2016

@kroepke kroepke added S2 P2 labels Apr 18, 2016


kroepke commented Apr 18, 2016

It's probably best if the input refuses to start in this case, rather than ad-hoc fixing the path issue.
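
For operators running an affected build, the log sequence in the report can be used to spot inputs that came up without TLS. The following is an added example, not part of the issue thread or of Graylog's code: it scans a server log for an input that logged the certificate-generation ERROR and then reached RUNNING. The function name and the two "GELF TCP" lines are constructed for illustration; the other log lines are the ones quoted in the issue.

```python
import re

# Log lines copied from the issue (stack frames trimmed). The two "GELF TCP"
# lines are constructed here to represent a healthy input for contrast.
SAMPLE_LOG = """\
2016-04-12 11:35:28,123 WARN : org.graylog2.plugin.inputs.transports.AbstractTcpTransport - TLS key file or certificate file does not exist, creating a self-signed certificate for input [Syslog TCP/570cbcaae38726ad8b069d9a].
2016-04-12 11:35:28,125 INFO : org.graylog2.inputs.InputStateListener - Input [Syslog TCP/570cbcaae38726ad8b069d9a] is now STARTING
2016-04-12 11:35:28,180 ERROR: org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Problem creating a self-signed certificate for input [Syslog TCP/570cbcaae38726ad8b069d9a].
java.security.cert.CertificateException: No provider succeeded to generate a self-signed certificate. See debug log for the root cause.
2016-04-12 11:35:28,184 INFO : org.graylog2.inputs.InputStateListener - Input [Syslog TCP/570cbcaae38726ad8b069d9a] is now RUNNING
2016-04-12 11:36:02,010 INFO : org.graylog2.inputs.InputStateListener - Input [GELF TCP/570cbd11e38726ad8b069e01] is now STARTING
2016-04-12 11:36:02,031 INFO : org.graylog2.inputs.InputStateListener - Input [GELF TCP/570cbd11e38726ad8b069e01] is now RUNNING
"""

# "<timestamp> <LEVEL, space-padded>: <logger> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) *: \S+ - (?P<msg>.*)$")
# "[<input title>/<24-hex input id>]" as it appears in the quoted messages
INPUT_RE = re.compile(r"[Ii]nput \[(?P<title>.+)/(?P<id>[0-9a-f]{24})\]")
CERT_ERROR = "Problem creating a self-signed certificate"

def find_fail_open_inputs(log_text):
    """Return inputs that logged a certificate-generation ERROR and then RUNNING."""
    pending = {}   # input id -> timestamp of the certificate error
    findings = []
    for line in log_text.splitlines():
        entry = LINE_RE.match(line)
        if not entry:
            continue  # exception text and stack frames carry no timestamp
        ref = INPUT_RE.search(entry["msg"])
        if not ref:
            continue
        if entry["level"] == "ERROR" and CERT_ERROR in entry["msg"]:
            pending[ref["id"]] = entry["ts"]
        elif entry["msg"].endswith("is now RUNNING") and ref["id"] in pending:
            findings.append({
                "input_id": ref["id"],
                "title": ref["title"],
                "cert_error_at": pending.pop(ref["id"]),
                "running_at": entry["ts"],
            })
    return findings

if __name__ == "__main__":
    for f in find_fail_open_inputs(SAMPLE_LOG):
        print(f"{f['title']} ({f['input_id']}): cert error {f['cert_error_at']}, RUNNING {f['running_at']}")
```

Any input this reports should be treated as having accepted plaintext traffic from `running_at` onward until it is stopped or restarted with a working certificate.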
