Configuring the TICK stack to function with self-signed certs

So far I have Telegraf and InfluxDB running on a server with a self-signed cert and I am attempting to bring up Chronograf/Kapacitor on the same machine and I am getting TLS handshake errors from influxd as they attempt to connect.

Both Chronograf and Kapacitor are set up to skip certificate verification so I don’t believe that is the issue.

@bcoleman Can you share your configuration for each product?

http settings for influxd (everything else is left on the default from the rpm install):
[http]
enabled = true
auth-enabled = true
log-enabled = true
https-enabled = true
https-certificate = "/etc/ssl/influxdb-selfsigned.crt"
https-private-key = "/etc/ssl/influxdb-selfsigned.key"

[[influxdb]]
  enabled = true
  default = true
  name = "localhost"
  urls = ["https://localhost:8086"]
  username = "telegraf"
  password =
  timeout = 0
  insecure-skip-verify = true
  startup-timeout = "5m"
  disable-subscriptions = false
  subscription-protocol = "https"

(once again mostly on defaults from the rpm)

I was also trying to use Chronograf on the default settings, making sure to check the box to skip certificate verification upon connecting.

For comparison, this is part of my telegraf.conf file (telegraf is working with zero issues):

[[outputs.influxdb]]
  urls = ["https://localhost:8086"]
  database = "test"
  retention_policy = ""
  write_consistency = "any"
  timeout = "5s"
  username = "telegraf"
  password =
  insecure_skip_verify = true

I also didn’t have any issues with using a python script to write data to the InfluxDB instance.

@jackzampolin I should add that testing with https disabled everything works

@jackzampolin I figured out what was wrong with Kapacitor - I changed the subscription type in Kapacitor to https without configuring https in Kapacitor.

I however have still not resolved my issue with Chronograf. When I attempt to connect a source I get the following error in the Chronograf log:

chronograf[5831]: time="2017-06-02T15:30:50-07:00" level=error msg="Error message Error contacting source" component=server http_status =400

Corresponding to that error, I see the following in the InfluxDB logs:

influxd[2628]: 2017/06/02 15:41:41 http: TLS handshake error from [::1]:55242: read tcp [::1]:8086->[::1]:55242: read: connection reset by peer

I see this same behavior with the "Unsafe SSL" box left unchecked (which in this case would be expected).

Like I mentioned above, disabling encryption will allow chronograf to connect to influxdb.

@jackzampolin I just did the following on a VM running KDE Neon LTS:

  1. Install all components of the TICK stack following the instructions in the Chronograf Getting Started page
  2. Test InfluxDB connectivity to Chronograf
  3. Enable HTTPS on InfluxDB using a self-signed cert following instructions here
  4. Update Telegraf and Kapacitor accordingly to use https with verification disabled
  5. Delete the http source
  6. Attempt to connect to InfluxDB over HTTPS with the box checked to skip verification

This also resulted in Chronograf being unable to connect. Is there some key step that I missed there that I would need to do in order to get this working?
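An added pre-flight script (mine, not from this thread) that narrows down a TLS handshake failure like the one in the influxd log above before touching any client setting: it confirms the cert and key influxd serves are one pair, that the host name clients put in their URL is covered by the cert, and that a handshake completes with the cert trusted explicitly rather than with insecure-skip-verify. The cert/key paths and port 8086 mirror the thread; the function names are my own.

```shell
#!/bin/sh
# tls_check.sh (added example): sanity checks for the self-signed cert that
# influxd serves over [http] https-enabled = true.
set -eu

# 1. The cert and key must be one pair: compare the public key each carries.
#    A mismatched pair fails every handshake before any HTTP request is sent.
cert_key_match() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 2. The host in the client URL (localhost, 127.0.0.1, a service name) must
#    appear in the cert's SAN list, or in the CN as a fallback. Otherwise a
#    verifying client rejects the cert, and the only thing that "fixes" it is
#    insecure-skip-verify, which also accepts any other cert on that port.
cert_covers_host() {
  cert="$1"; host="$2"
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' || true)
  case ",${san}," in
    *",DNS:${host},"*|*",IPAddress:${host},"*) return 0 ;;
  esac
  subj=$(openssl x509 -in "$cert" -noout -subject)
  printf '%s\n' "$subj" | grep -Eq "CN[[:space:]]*=[[:space:]]*${host}([/,[:space:]]|\$)"
}

# 3. Live handshake against the listener, trusting only this cert (the
#    verifying equivalent of curl --cacert, instead of curl -k). Exit 0 means
#    both the chain and the host name verified.
tls_handshake() {
  host="$1"; port="$2"; cert="$3"
  echo | openssl s_client -connect "${host}:${port}" -servername "$host" \
          -CAfile "$cert" -verify_hostname "$host" -verify_return_error >/dev/null 2>&1
}

main() {
  cert="$1"; key="$2"; host="$3"; port="${4:-8086}"
  cert_key_match "$cert" "$key" && echo "ok: cert and key match" || echo "FAIL: cert/key mismatch"
  cert_covers_host "$cert" "$host" && echo "ok: cert covers $host" || echo "FAIL: $host not in SAN/CN"
  tls_handshake "$host" "$port" "$cert" && echo "ok: verified handshake to $host:$port" \
    || echo "FAIL: handshake to $host:$port (check the influxd log for the TLS error)"
}
# Usage: ./tls_check.sh /etc/ssl/influxdb-selfsigned.crt /etc/ssl/influxdb-selfsigned.key localhost 8086
if [ "$#" -ge 3 ]; then main "$@"; fi
```

If step 2 fails for the host you use, reissue the cert with that name in its SAN and point each client at the cert (Telegraf and Kapacitor have CA-file options) instead of leaving verification off.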

Hi,

I am having a similar problem. The full TICK stack is deployed as Kubernetes services (each in a container). Communication between all of them is working fine (http, no security).

I am now trying to enable https + cert in influxDB. The end goal is to have security on all the services (the ones with exposed ports).

This is the relevant part of influxdb.conf:

[http]
  # Determines whether HTTP endpoint is enabled.
  enabled = false
  # Determines whether HTTPS is enabled.
  https-enabled = true
  https-certificate = "/etc/ssl/name.crt"
  https-private-key = "/etc/ssl/name.key"

How can I connect to the database on Chronograf? I have also set up Chronograf to use certificates (env variables in the Kubernetes config file):

     env:
      - name: CERT # new
        value: "/etc/ssl/name.crt"
      - name: KEY # new
        value: "/etc/ssl/name.key"
      - name: INFLUXDB_URL # same as before except it is now https
        value: "https://<IPAddressOfInfluxDB>:8086"

I don’t see anything in the logs of influxdb (no TLS handshake, etc…). I would prefer to avoid using a reverse-proxy.

Is there a full tutorial concerning https/ssl between Chronograf and InfluxDB? Am I missing a step?
Thanks in advance.