Configure Chronograf to use SSL

jp_13 · November 10, 2017, 7:30pm

Greetings,

I am a newbie to the TICK stack. I am trying to configure Chronograf to use SSL. I have already configured influxdb to use SSL and I was able to confirm that it’s work by accessing the influx CLI and I configured the Telegraf as well.
I found this link that details how to configure Chronograf to use (Security Best Practices | InfluxData Documentation Archive).
I ran this command “TLS_CERTIFICATE=/etc/ssl/cert.pem TLS_PRIVATE_KEY=/etc/ssl/cert.key Chronograf” and was able to access the chronnograf site using https. but the issue that I am running into is, once I exit the Chronnograf CLI the service stops and I cannot access the website.
Is there a way to keep it running even when you exit the CLI and reboot?

One last thing, I can’t find any documentation on how to configure the Kapacitor to use SSL. Can someone please provide some insight into this?

Once I get these two working, I will have the whole TICK stack using SSL.

I am using Chronograf 1.3.9.0

Thank you for your time and help.

attep · November 16, 2017, 11:33pm

Which machine you’re using to run TICK stack?

If you’re using linux machine, you can modify the chronograf.service which is used by systemctl.

jp_13 · November 23, 2017, 1:07am

Thank you, Ty and Michael from Influxdb.

Here are the steps to getting this to work:

nano /etc/default/chronograf
Add these to the file and save
TLS_CERTIFICATE=/etc/ssl/cert.pem
TLS_PRIVATE_KEY=/etc/ssl/cert.key
Start Chronograf with:
systemctl start chronograf
Check the log, you should see no errors.
journalctl -u chronograf --f

They will update the documentation soon.

Hope this helps.

jp_13 · November 23, 2017, 1:23am

One more thing, please make sure all your certs are owned by root and have the right permissions.

You can do it like this.
chown root:root /etc/ssl/cert.pem
chmod 644 /etc/ssl/cert.pem

jp_13 · November 23, 2017, 2:16am

Last one, here is the configuration for Kapacitor. There’s not a parameter field for Key cert, so make sure you add the key data to the pem file. They will fix this in the next release.

nano /etc/kapacitor/kapacitor.conf

[http]

bind-address = ":9092"
log-enabled = true
write-tracing = true
pprof-enabled = false
https-enabled = true
https-certificate = “cert.pem”

[[influxdb]]

enabled = true
default = true
name = “localhost"
urls = [”:8086"]
username = ""
password = ""
timeout = 0
insecure-skip-verify = false

subscription-protocol = “https”

Run this command "kapacitord -config /etc/kapacitor/kapacitor.conf"
Check the output and make sure you have no errors.

Topic		Replies	Views
Configuring the TICK stack to function with self-signed certs	6	3273	August 7, 2017
Disable connections to Chronograf 1.8.0 over SSLv3 Welcome & Getting Started chronograf	0	557	February 27, 2020
Chronograf security doest not work Dashboards chronograf	1	513	October 30, 2019
Need to configure ssl on Kapacitor	0	448	March 11, 2020
Unable to parse authentication credentials - from Chronograf, but telegraf works fine	0	571	January 22, 2020

Configure Chronograf to use SSL

Related topics