Configure Chronograf to use SSL

chronograf
#1

Greetings,

I am a newbie to the TICK stack. I am trying to configure Chronograf to use SSL. I have already configured InfluxDB to use SSL and I was able to confirm that it works by accessing the influx CLI, and I configured Telegraf as well.
I found this link that details how to configure Chronograf to use (https://docs.influxdata.com/chronograf/v1.3/administration/security-best-practices/#tls).
I ran this command “TLS_CERTIFICATE=/etc/ssl/cert.pem TLS_PRIVATE_KEY=/etc/ssl/cert.key chronograf” and was able to access the Chronograf site using HTTPS, but the issue that I am running into is that once I exit the Chronograf CLI, the service stops and I cannot access the website.
Is there a way to keep it running even when you exit the CLI and reboot?

One last thing, I can’t find any documentation on how to configure the Kapacitor to use SSL. Can someone please provide some insight into this?

Once I get these two working, I will have the whole TICK stack using SSL.

I am using Chronograf 1.3.9.0

Thank you for your time and help.

#2

Which machine are you using to run the TICK stack?

If you’re using a Linux machine, you can modify the chronograf.service which is used by systemctl.

#3

Thank you, Ty and Michael from Influxdb.

Here are the steps to getting this to work:

  1. nano /etc/default/chronograf

  2. Add these to the file and save
    TLS_CERTIFICATE=/etc/ssl/cert.pem
    TLS_PRIVATE_KEY=/etc/ssl/cert.key

  3. Start Chronograf with:
    systemctl start chronograf

  4. Check the log, you should see no errors.
    journalctl -u chronograf -f

They will update the documentation soon.

Hope this helps.

#4

One more thing, please make sure all your certs are owned by root and have the right permissions.

You can do it like this.
chown root:root /etc/ssl/cert.pem
chmod 644 /etc/ssl/cert.pem

#5

Last one, here is the configuration for Kapacitor. There’s not a parameter field for Key cert, so make sure you add the key data to the pem file. They will fix this in the next release.

nano /etc/kapacitor/kapacitor.conf

[http]

bind-address = ":9092"
log-enabled = true
write-tracing = true
pprof-enabled = false
https-enabled = true
https-certificate = "cert.pem"

[[influxdb]]

enabled = true
default = true
name = "localhost"
urls = [":8086"]
username = ""
password = ""
timeout = 0
insecure-skip-verify = false

subscription-protocol = "https"

Run this command "kapacitord -config /etc/kapacitor/kapacitor.conf"
Check the output and make sure you have no errors.
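
Posts #4 and #5 together raise a permissions question: a certificate-only PEM can be world-readable, but a PEM that also holds the private key (as in the Kapacitor setup) should not be. The script below is an added example, not part of the thread or of InfluxData's tooling; the function names, the constructed sample files and the policy (no access for "other" on key material, no group/other write on any PEM) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): permission audit for TLS PEM files.
# Assumed policy: key material must grant nothing to "other"; no PEM file
# may be writable by group or other.

pem_mode() {
    # Octal mode via GNU stat, falling back to BSD stat.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_pem FILE -> 0 ok, 1 unsafe permissions, 2 missing/unreadable
audit_pem() {
    f=$1
    [ -r "$f" ] || { echo "MISSING  $f"; return 2; }
    mode=$(pem_mode "$f")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $mode $f"; return 1
    fi
    # Matches PKCS#1, PKCS#8, EC and encrypted private-key headers.
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        if [ $(( 0$mode & 007 )) -ne 0 ]; then
            echo "EXPOSED  $mode $f (contains a private key)"; return 1
        fi
    fi
    echo "OK       $mode $f"
}

demo() {
    # Constructed stand-ins for /etc/ssl/cert.pem and a combined cert+key PEM.
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    { cat "$d/cert.pem"
      printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' \
          '-----END PRIVATE KEY-----'; } > "$d/combined.pem"
    chmod 644 "$d/cert.pem" "$d/combined.pem"
    audit_pem "$d/cert.pem"               # certificate only: 644 is fine
    audit_pem "$d/combined.pem" || true   # key inside a 644 file: flagged
    chmod 640 "$d/combined.pem"
    audit_pem "$d/combined.pem"           # readable by owner and group only
    rm -rf "$d"
}

demo
```

Run `audit_pem` against the real files (for example /etc/ssl/cert.pem and /etc/ssl/cert.key) and confirm the account the service runs as can still read the key after tightening its mode.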