Great writeup above with lots of detail. Also glad that article was useful :)
I do think there is room for improvement and personally I would love to see this managed via the UI. I'm not sure this qualifies as a bug unfortunately since it is working as designed. I'll defer to the people who will triage the issue to determine if a feature request should be opened in its place.
Expected Behavior
Graylog should use the system certificate storage to allow for easy and general certificate and CA management.
Current Behavior
By default it seems that Graylog is not using any truststore for certificates on the default setup on Ubuntu (I guess it's the same also on Debian and Red Hat).
To be able to use LDAPS on a local Windows domain I am retrieving the SSL certificates and adding them in /usr/local/share/ca-certificates/
Then, you run sudo update-ca-certificates and the system certificate storage adds those certificates both to the common cert directory (under /etc/ssl/certs/) and into the system Java truststore at /etc/ssl/certs/java/cacerts
Unfortunately Graylog uses neither of them.
Possible Solution
In the file `/etc/default/graylog-server` I changed the line

```sh
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"
```

to

```sh
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"
```

and then restarted Graylog; after this I can check the verify certificate.
Context
This issue makes it more difficult to set up LDAPS for authentication, and Microsoft is trying to deprecate non-SSL LDAP.
Your Environment
Some notes about the Java flags were taken from here.
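As an added check for the workaround described in this issue (example code, not part of the issue or of the Graylog project), the script below reads a `/etc/default/graylog-server`-style file to confirm that `GRAYLOG_SERVER_JAVA_OPTS` actually points the JVM at a truststore, and offers a second function that verifies a given CA PEM is present in that Java keystore. It assumes `openssl` and `keytool` are on the PATH and that the Debian/Ubuntu system store uses the default password `changeit`; the sample env file is constructed inline.

```sh
#!/bin/sh
# Added example: verify that Graylog's JVM options select the system Java
# truststore maintained by update-ca-certificates, and that an imported CA
# really is inside that store. Not code from the Graylog project.

# Print the truststore path from a /etc/default/graylog-server style file.
# Returns 0 if -Djavax.net.ssl.trustStore is set on a
# GRAYLOG_SERVER_JAVA_OPTS line, 1 otherwise (JDK default cacerts applies).
truststore_path() {
  env_file="$1"
  # The last assignment wins, mirroring how the shell sources the file.
  path=$(grep '^GRAYLOG_SERVER_JAVA_OPTS=' "$env_file" \
         | sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' \
         | tail -n 1)
  [ -n "$path" ] || return 1
  printf '%s\n' "$path"
}

# Return 0 if the SHA-256 fingerprint of PEM certificate $1 is listed in the
# Java keystore $2. Assumes the Debian default store password "changeit";
# both openssl and keytool print fingerprints as colon-separated uppercase hex.
ca_in_truststore() {
  pem="$1"; store="$2"
  fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
  keytool -list -v -keystore "$store" -storepass changeit 2>/dev/null \
    | grep -qi "$fp"
}

# Constructed sample env file (the edited line from the issue), written to a
# temp file so the check can be demonstrated without touching /etc.
sample=$(mktemp)
cat >"$sample" <<'EOF'
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts"
EOF

if p=$(truststore_path "$sample"); then
  echo "Graylog JVM truststore: $p"
else
  echo "No explicit truststore; Graylog falls back to the JDK's own cacerts"
fi
rm -f "$sample"
```

On a real host, point `truststore_path` at `/etc/default/graylog-server` and run `ca_in_truststore /usr/local/share/ca-certificates/<your-ca>.crt "$p"` after `update-ca-certificates` to confirm the domain CA was actually imported.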