Configure Chronograf to use SSL

Greetings,

I am a newbie to the TICK stack. I am trying to configure Chronograf to use SSL. I have already configured InfluxDB to use SSL and I was able to confirm that it works by accessing the influx CLI, and I configured Telegraf as well.
I found this link that details how to configure Chronograf to use (Security Best Practices | InfluxData Documentation Archive).
I ran this command "TLS_CERTIFICATE=/etc/ssl/cert.pem TLS_PRIVATE_KEY=/etc/ssl/cert.key chronograf" and was able to access the Chronograf site using https, but the issue that I am running into is that once I exit the Chronograf CLI the service stops and I cannot access the website.
Is there a way to keep it running even when you exit the CLI and reboot?

One last thing, I can’t find any documentation on how to configure the Kapacitor to use SSL. Can someone please provide some insight into this?

Once I get these two working, I will have the whole TICK stack using SSL.

I am using Chronograf 1.3.9.0

Thank you for your time and help.

Which machine are you using to run the TICK stack?

If you’re using a Linux machine, you can modify the chronograf.service unit, which is used by systemctl.

Thank you, Ty and Michael from Influxdb.

Here are the steps to getting this to work:

  1. nano /etc/default/chronograf

  2. Add these to the file and save
    TLS_CERTIFICATE=/etc/ssl/cert.pem
    TLS_PRIVATE_KEY=/etc/ssl/cert.key

  3. Start Chronograf with:
    systemctl start chronograf

  4. Check the log, you should see no errors.
    journalctl -u chronograf -f

They will update the documentation soon.

Hope this helps.

One more thing, please make sure all your certs are owned by root and have the right permissions.

You can do it like this.
chown root:root /etc/ssl/cert.pem
chmod 644 /etc/ssl/cert.pem

Last one, here is the configuration for Kapacitor. There’s not a parameter field for Key cert, so make sure you add the key data to the pem file. They will fix this in the next release.

nano /etc/kapacitor/kapacitor.conf

[http]

bind-address = ":9092"
log-enabled = true
write-tracing = true
pprof-enabled = false
https-enabled = true
https-certificate = "cert.pem"

[[influxdb]]

enabled = true
default = true
name = "localhost"
urls = [":8086"]
username = ""
password = ""
timeout = 0
insecure-skip-verify = false

subscription-protocol = "https"

Run this command "kapacitord -config /etc/kapacitor/kapacitor.conf"
Check the output and make sure you have no errors.
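
The thread sets cert.pem to mode 644 and, for Kapacitor, appends the private key to that same pem file, which leaves the key readable by every local user. The following check is an added example, not part of the original posts: it flags any file that contains a private key but is accessible to others, and assumes GNU `stat`; the function names, return codes and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat -c`.
# Function names and return codes are hypothetical, chosen for this sketch.

# audit_tls_file FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Returns 0 ok, 1 private key exposed, 2 missing, 3 wrong owner, 4 cert writable.
audit_tls_file() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "MISSING  $file"; return 2; }
    perm=$(stat -c '%a' "$file")   # octal mode, e.g. 644
    uid=$(stat -c '%u' "$file")    # numeric owner
    if [ "$uid" -ne "$want_uid" ]; then
        echo "OWNER    $file owned by uid $uid, expected $want_uid"
        return 3
    fi
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        # Key material: no access for others, no write for group.
        if [ $(( 0$perm & 027 )) -ne 0 ]; then
            echo "EXPOSED  $file contains a private key, mode $perm"
            return 1
        fi
    elif [ $(( 0$perm & 022 )) -ne 0 ]; then
        # Certificate only: public, but must not be replaceable by others.
        echo "WRITABLE $file writable by group or others, mode $perm"
        return 4
    fi
    echo "OK       $file mode $perm"
    return 0
}

# Constructed sample files (placeholder bodies, not real keys or certificates).
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$dir/cert.pem"
    cp "$dir/cert.pem" "$dir/combined.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' >> "$dir/combined.pem"
    chmod 644 "$dir/cert.pem" "$dir/combined.pem"
    echo "$dir"
}

# Audit any paths given on the command line.
for f in "$@"; do
    audit_tls_file "$f"
done
```

If the daemon runs under a service account rather than root, pass that account's numeric uid as the second argument so the key file can be owned by it and kept at mode 600.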