Every time I try to “switch” to HTTPS/TLS, clients say they can’t connect to the site (connection refused)
Before I go into details, I’d like to ask if there are logs of the InfluxDB-server somewhere which would tell me more?
All I did so far was:
- Installed via sudo localinstall
- Created a self-signed Root CA and server keys/pem (they work with other products)
- Added the path to the config.toml (they reside in /etc/ssl/certs)
- Ensured the port is open (can connect via HTTP)
I am using CentOS 8 Stream in a VM running in Hyper-V/Windows 10 – I can provide more details, such as the exact syntax used for openssl or configs
Well, I’m starting to look at this as a bug. No matter what I try, the internal web server is not reachable as soon as I configure the certs in the toml-file.
http-bind-address = "pc-103.home:8086"
tls-cert = "/etc/ssl/certs/ca.crt"
tls-key = "/etc/ssl/certs/server.pem"
As a test, I even copied the crt/pem to /test and gave a chmod 777 to all - it didn’t work either.
Does influxdb actually work with self-signed CAs/Certs like this?
And why isn’t this thing writing any logs???
Generate self signed root CA cert
sudo openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=root/CN=
Generate server cert to be signed
sudo openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=server/CN=
Sign the server cert
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile san.ext
Create server PEM file
sudo cat server.key server.crt | sudo tee server.pem
Generate client cert to be signed
sudo openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/C=CH/ST=ForzaTown/L=ForzaTown/O=ForzaGarage/OU=client/CN=
Sign the client cert
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt -extfile san.ext
Create client PEM file
sudo cat client.key client.crt | sudo tee client.pem
sudo cp ca.crt /mnt/win
sudo cp client.pem /mnt/win
Hi @darkchanter, do things work as you’d expect if you remove the
tls-key settings from your config file?
The log location depends on how you’re running the server. If you’re running via systemd, I’d expect the logs to get written to
Yeah, everything works fine, unless I add the tls-options. I’ve also changed the port to make sure I’ve got the right config file, and that worked also. I am running it as a service, so I’ll have a look there…
this directory is empty here :-/
sudo find . -name "*influx*.log"
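
An added example, not part of the thread: a shell check that the certificate and the key named in tls-cert and tls-key carry the same public key. It is run first on the combination from the config posted above (ca.crt with server.pem), then on server.crt with server.pem. The files are generated in a temp directory following the thread's openssl steps, with constructed subjects and without san.ext; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): do the files named in tls-cert and
# tls-key belong together?

# Succeeds only if the first certificate in $1 carries the public key of the
# first private key in $2. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build throwaway files the way the thread does (constructed subjects, no
# sudo, no san.ext) so the check can be run offline.
make_constructed_pki() {
    local d=$1
    openssl req -nodes -x509 -newkey rsa:2048 -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=constructed-root" 2>/dev/null
    openssl req -nodes -newkey rsa:2048 -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=influx.example.test" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
    cat "$d/server.key" "$d/server.crt" > "$d/server.pem"
}

# Report one tls-cert / tls-key combination.
report_pair() {
    if cert_matches_key "$1" "$2"; then
        echo "OK       cert=$1 key=$2"
    else
        echo "MISMATCH cert=$1 key=$2"
    fi
}

demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir"
report_pair "$demo_dir/ca.crt" "$demo_dir/server.pem"      # CA cert, server key
report_pair "$demo_dir/server.crt" "$demo_dir/server.pem"  # server cert, server key
```

On a real host, call `cert_matches_key` with the two paths from the config file, as the account the service runs under, so that unreadable files show up as a parse failure (return code 2).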