Activating TLS for InfluxDB: Unclear doc + SSL version?

Hey, I’m using Ubuntu 20.04 on a Raspi:

I followed the documentation on enabling TLS encryption.

At first I followed all the points (1-3). Here I went on:

influxd \
--tls-cert="<path-to-crt>" \
--tls-key="<path-to-key>"

TLS wasn’t activated via that. The following message appeared:

error failed http listener {“log_id”: “0WPPR9r0000”, “error”: “listen tcp :8086: bind: address already in use”}

So I tried to stop the influxd service first and try it again:

influxd --tls-cert=”/etc/ssl/influxdb-selfsigned.crt” --tls-key=”/etc/ssl/influxdb-selfsigned.key”

I got the following messages:

error failed to load x509 key pair {“log_id”: “0WPWXznG000”, “error”: “open ”/etc/ssl/influxdb-selfsigned.crt”: no such file or directory”}

I removed the hyphen (maybe the doc is confusing here). That fixed the error above. Now the next thing appeared:

error failed to load x509 key pair {“log_id”: “0WPXHq8l000”, “error”: “open /etc/ssl/influxdb-selfsigned.key: permission denied”}

So I ran it with sudo:
Idk why though, since the file permissions were set according to the documentation.

sudo influxd --tls-cert=/etc/ssl/influxdb-selfsigned.crt --tls-key=/etc/ssl/influxdb-selfsigned.key

influxd seems to start and stays at the following line:

info Listening {“log_id”: “0WPXPDeG000”, “transport”: “https”, “addr”: “:8086”, “port”: 8086}

ssl seemed to work now. I stopped via Ctrl+C and assumed that SSL would have been correctly configured. Therefore I restarted the service and ran the line to check like the documentation suggested:

~$ curl -vk https://localhost:8086/api/v2/ping
Trying 127.0.0.1:8086…
TCP_NODELAY set
Connected to localhost (127.0.0.1) port 8086 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
TLSv1.3 (OUT), TLS handshake, Client hello (1):
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Now I assume that SSL is fine, however curl uses a wrong version number for this? Or do I have to adjust influxd to a minimum tls-min-version like the documentation suggests?

I found a Stack Overflow entry on this issue, however I’m not quite sure what to do.

Fix here:

I added the following 2 lines to the config file (/etc/influxdb/config.toml):

tls-cert = "/etc/ssl/influxdb-selfsigned.crt"
tls-key = "/etc/ssl/influxdb-selfsigned.key"

Furthermore I had to change the file permissions of the .crt and .key files.
I changed them via sudo chmod 0777 /etc/ssl/influxdb-selfsigned.crt
Same for the .key file.

Afterwards the server started and I had access to the stored database.
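
An added example, not part of the original post or the InfluxDB documentation: a shell check for the two permission states that appear in this thread, a key the service cannot read ("permission denied") and a key or certificate opened up with mode 0777. It assumes GNU stat, a service account named influxdb (an assumption, shown only in the usage comment), and a policy that the private key is accessible to its owner only.

```shell
#!/bin/sh
# Added example: audit ownership and mode of a TLS certificate or private key.
# Assumed policy (not from the post): the key is accessible to its owner only,
# and the certificate is not writable by group or others.
#
# Usage: check_tls_file /etc/ssl/influxdb-selfsigned.key influxdb key
#        check_tls_file /etc/ssl/influxdb-selfsigned.crt influxdb cert
# Prints one finding per problem; returns 0 if the file passes, 1 otherwise.
check_tls_file() {
    path=$1 owner=$2 kind=$3 rc=0
    if [ ! -f "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    mode=$(stat -c '%a' "$path")          # octal mode, e.g. 600
    actual_owner=$(stat -c '%U' "$path")  # owning user name
    # A key owned by another user with mode 600 is what produces
    # "permission denied" when the service account opens it.
    if [ "$actual_owner" != "$owner" ]; then
        echo "$path: owned by $actual_owner, expected $owner"
        rc=1
    fi
    # Extract the group and other permission digits from the octal mode.
    group=$(( (0$mode >> 3) & 07 ))
    other=$(( 0$mode & 07 ))
    case $kind in
        key)
            # Any group/other bit means accounts besides the owner can
            # read (or, with 0777, overwrite) the private key.
            if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
                echo "$path: mode $mode exposes the private key beyond its owner"
                rc=1
            fi ;;
        cert)
            # Certificates are public, but must not be replaceable by others.
            if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
                echo "$path: mode $mode lets non-owners replace the certificate"
                rc=1
            fi ;;
        *)
            echo "unknown kind: $kind (use key or cert)"
            rc=1 ;;
    esac
    return $rc
}
```

With the key owned by the account that runs influxd and set to mode 600, and the certificate at 644, both checks pass and the service can load the pair without sudo.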