HTTPS setup instructions incorrect with CA signed certs


I am trying to run influxdb with HTTPS and having trouble with CA certs. I can’t get influxdb to start; it fails with permissions errors (even, insecurely, making permissions as flexible as possible for go/influxdb users).

We can launch it fine with self-signed certs, but that conflicts with our client side applications (the InfluxDB node client doesn’t seem to behave well with custom options for ignoring cert verification).

Note: works with self-signed certs just fine, but those aren’t working in the client-side requests I have to make.

System info: [Include InfluxDB version, operating system name, and other relevant details]

Ubuntu 16.04 in AWS EC2, r5d.2xlarge instance, InfluxDB 1.6.2

Steps to reproduce:

  1. Create suitable DNS name for instance (We are using AWS Route53)
  2. Create Let’sEncrypt certificates (for Apache on Ubuntu 16.04) using certbot
  3. Edit permissions of certificates basically as described here:
sudo -s
DOMAIN=<your domain name>
chown -R root:root /etc/letsencrypt/archive/${DOMAIN}
chown -R root:root /etc/letsencrypt/live/${DOMAIN}
chmod 644 /etc/letsencrypt/archive/${DOMAIN}/*.pem
chmod 644 /etc/letsencrypt/live/${DOMAIN}/*.pem
chmod 600 /etc/letsencrypt/archive/${DOMAIN}/privkey*.pem
chmod 600 /etc/letsencrypt/live/${DOMAIN}/privkey.pem
chmod go+x /etc/letsencrypt/archive/${DOMAIN}
chmod go+x /etc/letsencrypt/live/${DOMAIN}
  1. Edit /etc/influxdb/influxdb.conf to point to these certs:
https-enabled = true
https-certificate = "/etc/letsencrypt/live/<your domain name>/cert.pem"
https-private-key = "/etc/letsencrypt/live/<your domain name>/privkey.pem"
  1. Restart: sudo systemctl restart influxdb

Expected behavior: [What you expected to happen]

Expect influxdb to start successfully and serve over https

Actual behavior: [What actually happened]

influxdb fails repeatedly with no error information, possibly reporting a permissions error opening the certificate.


I think this isn’t good for you. InfluxDB isn’t run as root user.

That’s why InfluxDB can’t read private key.
Give read permission on privkey to influxdb user.

1 Like