How to get InfluxDB to accept a self-signed certificate

I’ve been trying to get InfluxDB to accept a self-signed certificate, but so far, no luck. I’ve been following instructions from here:

I created the cert and key with this command:

openssl req -x509 -nodes -newkey rsa:2048 -keyout influxdb-selfsigned.key -out influxdb-selfsigned.crt -days 9999 -config "C:\OpenSSL\openssl.cnf"

The config.yml file is as follows:

http-bind-address: ":8087"
tls-cert: influxdb-selfsigned.crt
tls-key: influxdb-selfsigned.key

Note, I made the bind port 8087 to ensure it was reading the configuration.

When I start influx from the command line, there are no error messages. Initially there were some TLS handshake errors, but those disappeared, I think when I added the crt and key to the configuration.

However, when I access the URL https://localhost:8087, Chrome shows a “not secure” message and I have to click through warnings to get to the site.

To try to get Chrome to trust the certificate, I followed the instructions from this site:

I exported the cert, then re-imported it as trusted.

However, I still get the “not secure” message in Chrome.

Also, the InfluxDB console shows this message:

info http: TLS handshake error from [::1]:63065: remote error: tls: unknown certificate {"log_id": "0cKnmWB0000", "service": "http"}

Any ideas how to get the cert working?

@mhall119
Do you have any suggestions here? Thank you

It looks like you’re following the instructions on Enable TLS/SSL encryption | InfluxDB OSS 2.3 Documentation. Did you also change the file permissions like it describes in step #2?

When you get the “not secure” message in Chrome, is the URL using http or https?

Hi, thanks for responding.

To answer your second question first, the URL is using https.

As far as file permissions, the instructions appear to be applicable to Linux only. Since I’m running this on Windows 10, I wasn’t sure how/if they applied, so I didn’t change any permissions.

Should I have? If so, how?

Edit:

I used the following commands to grant full access to users and administrators, but still no luck.

icacls "C:\InfluxData\influxdb\influxdb-selfsigned.crt" /grant Administrators:F
icacls "C:\InfluxData\influxdb\influxdb-selfsigned.key" /grant Administrators:F
icacls "C:\InfluxData\influxdb\influxdb-selfsigned.crt" /grant Users:F
icacls "C:\InfluxData\influxdb\influxdb-selfsigned.key" /grant Users:F

Here is the error message:

2022-08-15T23:53:55.637572Z info http: TLS handshake error from [::1]:50948: remote error: tls: unknown certificate {"log_id": "0cKzf_2G000", "service": "http"

I don’t know if it’s just a coding thing, but should the service named in the message be https? Just a thought.

Any more thoughts on this? Is using InfluxDB over https something people normally do on Windows? Could it be the unsigned certificate is the problem? Is there an example somewhere of 2.3 over https/tls working on Windows? It seems it would be a common use case, but I’ve had trouble finding any documentation/examples of it.

Windows is the least-used OS for our users, who typically run it on a Mac or Linux (often in a container), so it might be something Windows-specific going on.

Is this error message coming from InfluxDB?

Did you use the correct hostname/fqdn in the certificate’s CN and/or SAN fields? If that doesn’t match the one you’re typing in in Chrome, then hostname validation will fail.

My memory might also serve me wrong here, but as far as I remember, Chrome doesn’t support leaf certificates to be stored as accepted into the trust store anymore, only signing certificates (i.e. root or intermediate CAs), though I might be mixing something up here. Try to create your own CA certificate, store that into the Windows trust store, and sign Influx’ certificate with it (i.e. create an influx-csr and sign it with your CA, then configure the signed certificate in InfluxDB).
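
The procedure suggested in the reply above (own CA, a CSR for InfluxDB, a CA-signed server certificate whose SAN matches the host name), as an added example that is not part of the original thread or of InfluxDB's documentation. The file names, the CA subject "Example Local CA" and the lifetimes are assumptions, and it assumes a POSIX shell with openssl on the PATH.

```shell
# Added example: build a private CA, then issue a CA-signed server certificate.
# File names, subject names and lifetimes below are assumptions.

# make_influx_certs DIR HOSTNAME -> writes ca.crt, influxdb.crt, influxdb.key to DIR
make_influx_certs() (
    dir=$1 host=$2
    umask 077                       # keep the private keys owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Minimal config so the result does not depend on a system openssl.cnf.
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Extensions for the server (leaf) certificate; the SAN must equal the
    # host name typed into the browser.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key + self-signed CA certificate (the only file the trust store needs).
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config req.cnf -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Server key + CSR.
    openssl req -new -nodes -newkey rsa:2048 -config req.cnf -subj "/CN=$host" \
        -keyout influxdb.key -out influxdb.csr 2>/dev/null || exit 1
    # 3. CA signs the CSR, adding the leaf extensions.
    openssl x509 -req -in influxdb.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 825 -extfile server.ext -out influxdb.crt 2>/dev/null
)

# check_influx_cert DIR HOSTNAME -> exit 0 only if chain and host name both verify
check_influx_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/influxdb.crt" >/dev/null 2>&1
}
```

Only ca.crt is imported into the Windows trust store (for example with certutil -addstore Root ca.crt from an elevated prompt), while tls-cert and tls-key in config.yml point at influxdb.crt and influxdb.key. Keep ca.key off the server, since anyone holding it can issue certificates that this machine will trust.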