fix: root ca not being properly split/detected

Author: monrax

README.md

@@ -240,7 +240,7 @@ The inputs should now be exposed. Make sure to complete their configuration thro
 ### Enable TLS
 
 Before you can enable TLS, you must associate a DNS name with your Graylog installation.
-More specifically, it should point to the IP address/hostname associated the service used for [External Acess](#set-external-access).
+More specifically, your domain should point to the IP address/hostname associated the service used for [External Acess](#set-external-access).
 You may retrieve this information like this:
 
 ```sh
@@ -251,7 +251,7 @@ kubectl get svc $SERVICE_NAME -n graylog
 With `SERVICE_NAME` being equal to the name of the service exposed by your ingress controller, if you're using one, or
 `graylog-svc` otherwise.
 
-Depending on your setup, TLS can be enabled in three different ways
+Depending on your setup, TLS can be enabled in three different ways:
 
 #### Bring Your Own Certificate: Ingress Controller (recommended)
 
@@ -331,6 +331,9 @@ Enable TLS for your Graylog nodes, referencing the Kubernetes secret:
 ```sh
 helm upgrade graylog ./graylog -n graylog --reuse-values --set graylog.config.tls.enabled=true --set  graylog.config.tls.secretName="my-cert" --set graylog.config.tls.updateKeyStore=true
 ```
+The default set of trusted Certificate Authorities bundled in the Java Runtime for Java 17 is aligned with major,
+well-known public root CAs. Make sure to set `graylog.config.tls.updateKeyStore` to `true` if you are using a
+self-signed certificate, or if you think the CA that signed your certificate might not be among this default set.
 
 ### Enable Geolocation
 ```sh

graylog/templates/config/init-graylog.yaml

@@ -24,14 +24,14 @@ data:
     {{- if .Values.graylog.config.tls.updateKeyStore}}
       # check if root CA is in cert file
       openssl crl2pkcs7 -nocrl -certfile "/mnt/tls/tls.crt" | openssl pkcs7 -print_certs -outform PEM | awk -v out="cert" '
-      /-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s-%03d.pem", out, n)}
-      {print > f}
-      /-----END CERTIFICATE-----/ {close(f)}
+      /-----BEGIN CERTIFICATE-----/ {n++; f=sprintf("%s-%03d.pem", out, n); writing=1}
+      writing {print > f}
+      /-----END CERTIFICATE-----/ {close(f); writing=0}
       '
       ROOT_CA=""
       for f in cert-*.pem; do
-        subj="$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed "s/^subject= //")"
-        issu="$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed "s/^issuer= //")"
+        subj="$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed "s/^subject=//")"
+        issu="$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed "s/^issuer=//")"
         if [ "$subj" = "$issu" ]; then
           ROOT_CA="root-ca.pem"
           cp "$f" "${ROOT_CA}"
@@ -50,7 +50,7 @@ data:
       cp "${JAVA_HOME_LOCAL}/lib/security/cacerts" "${CACERTS_SRC}/graylog.jks"
       chown graylog:graylog "${CACERTS_SRC}/graylog.jks"
       keytool -importcert -noprompt -alias byoc -file "/mnt/tls/tls.crt" -keystore "${CACERTS_SRC}/graylog.jks" -storepass {{ .Values.graylog.config.tls.keyStorePass | default "changeit" }}
-      [ -n "${ROOT_CA}" ] && keytool -importcert -noprompt -alias byoc-ca -file "${ROOT_CA}" -keystore "${CACERTS_SRC}/graylog.jks" -storepass {{ .Values.graylog.config.tls.keyStorePass | default "changeit" }}
+      [ -n "${ROOT_CA}" ] && echo "Adding root CA..." && keytool -importcert -noprompt -alias byoc-ca -file "${ROOT_CA}" -keystore "${CACERTS_SRC}/graylog.jks" -storepass {{ .Values.graylog.config.tls.keyStorePass | default "changeit" }}
       if [ ! -e "${CACERTS_DST}/graylog.jks" ] || ! cmp -s "${CACERTS_SRC}/graylog.jks" "${CACERTS_DST}/graylog.jks"; then
         cp "${CACERTS_SRC}/graylog.jks" "${CACERTS_DST}/graylog.jks"
         echo "Updated Java Key Store."