Initial setup unable to provision certificates for data nodes when password pepper for graylog and datanode service in docker-compose file are different

[Hyperadministrator]

Expected Behavior

When using the docker-compose template provided from the docs here I expect the password peppers (GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET) should be different and with such settings the initial setup with creating new CA and provisioning certificates for data nodes should succeed.

Current Behavior

When providing different password peppers for datanode and graylog services the Provision certificates for your data nodes part from initial setup in web browser won't succeed and docker logs for graylog service show the following error repeatedly:

2025-02-02 15:10:45,770 ERROR: org.graylog2.cluster.certificates.CertificateExchangeImpl - Failed to sign CSR for node, skipping it for now.
java.lang.RuntimeException: java.lang.NullPointerException: Cannot invoke "org.bouncycastle.pkcs.PKCS10CertificationRequest.getSubject()" because the return value of "org.graylog2.cluster.certificates.CertificateSigningRequest.request()" is null
	at org.graylog.security.certutil.CaKeystore.signCertificateRequest(CaKeystore.java:75) ~[graylog.jar:?]
	at org.graylog2.bootstrap.preflight.GraylogCertificateProvisionerImpl.lambda$runProvisioning$0(GraylogCertificateProvisionerImpl.java:61) ~[graylog.jar:?]
	at org.graylog2.cluster.certificates.CertificateExchangeImpl.signPendingCertificateRequests(CertificateExchangeImpl.java:102) [graylog.jar:?]
	at org.graylog2.bootstrap.preflight.GraylogCertificateProvisionerImpl.runProvisioning(GraylogCertificateProvisionerImpl.java:61) [graylog.jar:?]
	at org.graylog2.bootstrap.preflight.GraylogCertificateProvisioningPeriodical.doRun(GraylogCertificateProvisioningPeriodical.java:40) [graylog.jar:?]
	at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:99) [graylog.jar:?]
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
	at java.base/java.util.concurrent.FutureTask.runAndReset(Unknown Source) [?:?]
	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
	at java.base/java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.lang.NullPointerException: Cannot invoke "org.bouncycastle.pkcs.PKCS10CertificationRequest.getSubject()" because the return value of "org.graylog2.cluster.certificates.CertificateSigningRequest.request()" is null
	at org.graylog.security.certutil.CaKeystore.signCertificateRequest(CaKeystore.java:67) ~[graylog.jar:?]
	... 11 more

Possible Solution

Might be also I misinterpret something from the docs but I don't have any suggestions for the fix at the moment.

Steps to Reproduce (for bugs)

1. Use the docker-compose template from the docs
2. Change the GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET and give them different values
3. Run docker compose up
4. Perform initial steps in the web browser initial setup wizard until the Provision certificates for your data nodes part (included)
5. Check the graylog container logs for the error message

Context

Was trying to setup the server the first time.

Your Environment

Docker-compose set of Graylog v6.1 was used so everything that is included there.

• Graylog Version: 6.1 (from docker image)
• Java Version: nil
• OpenSearch Version: nil
• MongoDB Version: 6.0.18 from docker-compose set
• Operating System: Ubuntu 24.04.1 LTS
• Browser version: Version 132.0.6834.159 (Official Build) (64-bit)

[janheise]

@Hyperadministrator Hi, it's actually the opposite: it has to be the same and after browsing the docs you linked to, I'm surprised it's not stated there. Because we do state this in other areas.
I'm removing the bug-label and add the documentation label instead so that we improve it.

[drewmiranda-gl]

Possible to get this merged to help with confusion? Graylog2/docker-compose#82

edit: it has been merged :)