TLS Client Auth Trusted Certs (Directory) doesn't work anymore - Graylog 3.0.1 #5856

Closed
chrismanynames opened this issue Apr 9, 2019 · 1 comment
@chrismanynames

If you want to use a directory with provided certificates to secure your inputs, you just get an error message (java.security.cert.CertificateException: java.io.IOException: Is a directory).

Expected Behavior

Accept all client certificates provided in the specified directory (e.g. /etc/graylog/server/trusted_clients).

"openssl s_client -connect myserver:myport -showcerts" should return something like:

Acceptable client certificate CA names
/C=my country/O=my O/OU=my OU/CN=myclient76.host.myserver.com
/C=my country/O=my O/OU=my OU/CN=myclient77.host.myserver.com
/C=my country/O=my O/OU=my OU/CN=myclient50.host.myserver.com
/C=my country/O=my O/OU=my OU/CN=myclient51.host.myserver.com

Current Behavior

"openssl s_client -connect myserver:myport -showcerts" returns:

no peer certificate available

In the Graylog server.log:

WARN [ChannelInitializer] Failed to initialize a channel. Closing: [id: MyID, L:/IP:Port - R:/IP:Port]
java.security.cert.CertificateException: java.io.IOException: Is a directory

Possible Solution

My current workaround is putting all Client Certificates in a single file instead of a directory.

Steps to Reproduce (for bugs)

  1. create an input
  2. enable TLS
  3. set "TLS Client Auth Trusted Certs" to a directory
  4. send in logs or run "openssl s_client -connect myserver:myport -showcerts" (works with TCP inputs) locally on the Graylog server
  5. check the graylog server.log

Context

This feature is working well in Graylog 2.5.1; it would be nice to have it in V3 too.
Btw. thanks for your great work.

Your Environment

  • Graylog Version: 3.0.1
  • Elasticsearch Version: 6.5.4-1
  • MongoDB Version: 3.6.1
  • Operating System: RHEL 7.6
  • Browser version: Firefox 60.6.1 esr
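
The workaround described in this report (all client certificates in one file instead of a directory), as an added example that is not part of the original issue and is not Graylog code: it merges the PEM certificates found in a directory such as /etc/graylog/server/trusted_clients into a single file, leaving out private keys, duplicates and damaged blocks. The function names and the output location are assumptions, and the DER check is structural only, not X.509 validation.

```python
# Added example (not Graylog code); function names are hypothetical.
import base64, hashlib, os, re, ssl, tempfile

# Only CERTIFICATE blocks match, so a private key stored beside a
# certificate is never copied into the trust bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(der):
    """Structural check only (not X.509 validation): one DER SEQUENCE
    whose encoded length matches the blob exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def bundle_trusted_certs(cert_dir, bundle_path):
    """Merge all certificates under cert_dir into one PEM file and return
    (source file, SHA-256 fingerprint) for each certificate written."""
    seen, written, pems = set(), [], []
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        if not os.path.isfile(path):
            continue                       # ignore sub-directories
        with open(path, errors="replace") as fh:
            text = fh.read()
        for body in PEM_CERT.findall(text):
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                continue                   # corrupt base64
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen or not is_single_der_sequence(der):
                continue                   # duplicate or malformed block
            seen.add(fp)
            written.append((name, fp))
            pems.append(ssl.DER_cert_to_PEM_cert(der))
    # Write beside the target and rename, so a reader never sees a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(bundle_path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(pems))
    os.chmod(tmp, 0o644)                   # certificates are public data
    os.replace(tmp, bundle_path)
    return written
```

Point the input's "TLS Client Auth Trusted Certs" setting at the generated file, and regenerate the file whenever the directory contents change.
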
@mpfz0r
Contributor

mpfz0r commented May 22, 2019

Closing this in favor of dup #5939
Fix is in progress.

@mpfz0r mpfz0r closed this as completed May 22, 2019