Hi,
Every time I try to “switch” to HTTPS/TLS, clients say they can’t connect to the site (connection refused).
Before I go into details, I’d like to ask if there are logs of the InfluxDB-server somewhere which would tell me more?
All I did so far was:
- Installed via sudo localinstall
- Created a self-signed Root CA and server keys/pem (they work with other products)
- Added the path to the config.toml (they reside in /etc/ssl/certs)
- Ensured the port is open (can connect via HTTP)
I am using CentOS 8 Stream in a VM running in Hyper-V/Windows 10 – I can provide more details, such as the exact syntax used for openssl or configs.
Well, I’m starting to look at this as a bug. No matter what I try, the internal web server is not reachable as soon as I configure the certs in the toml-file.
/etc/influx/config.toml
http-bind-address = "pc-103.home:8086"
tls-cert = "/etc/ssl/certs/ca.crt"
tls-key = "/etc/ssl/certs/server.pem"
As a test, I even copied the crt/pem to /test and gave a chmod 777 to all - it didn’t work either.
Does influxdb actually work with self-signed CAs/Certs like this?
And why isn’t this thing writing any logs???
openssl:
Generate self signed root CA cert
sudo openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=root/CN=$(hostname -f)/emailAddress=spam@here.com"
Generate server cert to be signed
sudo openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=server/CN=$(hostname -f)/emailAddress=spam@here.com"
Sign the server cert
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile san.ext
Create server PEM file
sudo cat server.key server.crt | sudo tee server.pem
Generate client cert to be signed
sudo openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=client/CN=$(hostname -f)/emailAddress=spam@here.com"
Sign the client cert
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt -extfile san.ext
Create client PEM file
sudo cat client.key client.crt | sudo tee client.pem
sudo cp ca.crt /mnt/win
sudo cp client.pem /mnt/win
Hi @darkchanter, do things work as you’d expect if you remove the tls-cert and tls-key settings from your config file?
The log location depends on how you’re running the server. If you’re running via systemd, I’d expect the logs to get written to /var/log/influxdb/influxd.log.
Yeah, everything works fine, unless I add the tls-options. I’ve also changed the port to make sure I’ve got the right config file, and that worked also. I am running it as a service, so I’ll have a look there…
this directory is empty here :-/
sudo find . -name "*influx*.log"
nothing
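A pre-flight check for the tls-cert / tls-key pair in a config.toml like the one posted above, as an added example that is not part of the thread and not InfluxDB code. It reports whether the certificate in tls-cert carries the same public key as the private key in tls-key; with the values posted above (tls-cert pointing at ca.crt, tls-key at server.pem) the two files hold different key pairs, which is the case it reports as a mismatch. The function names are hypothetical and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: verify that tls-cert and tls-key in config.toml belong together.
# Function names are hypothetical; requires the openssl command-line tool.

# Print the quoted string value of key $2 from the flat TOML file $1.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Compare the public key inside certificate $1 with the public key derived
# from private key $2 (a combined key+cert PEM is accepted for $2).
# Prints: match | mismatch | unreadable-cert | unreadable-key
check_tls_pair() {
    pair_cert=$1
    pair_key=$2
    cert_pub=$(openssl x509 -in "$pair_cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable-cert"; return 2; }
    key_pub=$(openssl pkey -in "$pair_key" -pubout 2>/dev/null) \
        || { echo "unreadable-key"; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match"
    else
        echo "mismatch"
        return 1
    fi
}

# Run the pair check on the paths configured in config file $1.
check_influx_tls() {
    cfg_cert=$(toml_value "$1" tls-cert)
    cfg_key=$(toml_value "$1" tls-key)
    if [ -z "$cfg_cert" ] || [ -z "$cfg_key" ]; then
        echo "tls-not-configured"
        return 3
    fi
    check_tls_pair "$cfg_cert" "$cfg_key"
}

# Usage: check_influx_tls /etc/influx/config.toml
```

Run it as the account the service runs under, so that an unreadable-cert or unreadable-key result also reflects file permissions.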