InfluxDB 2 Config file + SSL

Hi,
I’m new to both InfluxDB and newish to Linux.

I’m trying to set up influxdb + telegraf (then Grafana). Now I’ve got the basics installed, influxdb and telegraf, and all is running and telegraf is sending data on the local machine.

Now I want to get influx+telegraf onto SSL/HTTPS, but I’m having issues getting a config file set up and running.

If I manually run

influxd --tls-cert="/etc/letsencrypt/live//fullchain.pem" --tls-key="/etc/letsencrypt/live//privkey.pem"

that runs and I can get onto the web UI via https://:8086

I installed on CentOS8 via the RPM package, so it runs via systemctl. How do I create a config file and add the SSL certificates to get it running under https?
I’ve tried creating a .yml file and setting the config file path

export INFLUXD_CONFIG_PATH=/etc/influxdb/influxdb.yml

But that doesn’t seem to do anything.
Also tried

influx config create --active -n config-name -u http://localhost:8086 -t mySuP3rS3cr3tT0keN -o example-org

but not sure where to edit and add the SSL stuff.

Hello @hobbit666,
Have you taken a look at:
Enable TLS/SSL encryption | InfluxDB OSS 2.0 Documentation?

Yeah I have and it works when I run that command.

But I’ve installed via RPM so it’s running as a service. So how do I get the SSL running with the service?

I think from the docs I need a configuration file but can’t seem to work out how.

You should already have a configuration file. But which config file are you referring to? What step are you stuck on?

Hi, @hobbit666 same problem here…
Did you find a solution for your problem?

No, kind of gave up for now and stuck to v1.
Might try it again soon

Same issue here. I can manually start influxd with the SSL parameters as mentioned in the docs, and it works. Influx also starts on reboot as I enabled it in systemctl but it does not start with SSL enabled. Not sure where to define that specifically.

You will find this article useful if you haven’t already fixed this:

Basically you have the option to add lines to the config file (/etc/influxdb/config.toml),
e.g. add this for the toml file:

tls-cert = "/path/to/influxdb.crt"
tls-key = "/path/to/influxdb.key"

or this for yaml:

tls-cert: /path/to/influxdb.crt
tls-key: /path/to/influxdb.key

Or you can choose to add arguments to your service configuration file at:
/lib/systemd/system/influxdb.service (for CentOS)
You will find more info here:

Hello,
Working with docker-compose, config.toml seems to have no effect on TLS.
Also, I can’t find any details about using docker environment variables for V2. INFLUXDB_HTTP_HTTPS_CERTIFICATE and INFLUXDB_HTTP_HTTPS_PRIVATE_KEY are working fine with influxdb 1.8.3 but not with 2.0.6…
Thx !

Any update about SSL in influx 2.0.6?

FROM influxdb:latest
LABEL description="InfluxDB image" version="1.0.0"
ENV DOCKER_INFLUXDB_INIT_MODE=setup
ENV DOCKER_INFLUXDB_INIT_USERNAME=user
ENV DOCKER_INFLUXDB_INIT_PASSWORD=pass
ENV DOCKER_INFLUXDB_INIT_ORG=org
ENV DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=tokn
ENV DOCKER_INFLUXDB_INIT_BUCKET=bucket
ENV DOCKER_INFLUXDB_INIT_RETENTION=365d
ENV INFLUXD_HTTP_BIND_ADDRESS=:8086
ENV INFLUXD_HTTP_IDLE_TIMEOUT=3m0s
ENV INFLUXD_HTTP_READ_HEADER_TIMEOUT=10s
ENV INFLUXD_HTTP_READ_TIMEOUT=15s
ENV INFLUXD_HTTP_WRITE_TIMEOUT=15s
ENV INFLUXD_LOG_LEVEL=info
ENV INFLUXD_QUERY_CONCURRENCY=20
ENV INFLUXD_SECRET_STORE=bolt
ENV INFLUXD_SESSION_LENGTH=60
ENV INFLUXD_BOLT_PATH=/var/lib/influxdb2/influxd.bolt
ENV INFLUXD_ENGINE_PATH=/var/lib/influxdb2/engine
ENV INFLUXD_TLS_CERT=…/cert.pem
ENV INFLUXD_TLS_KEY=…/key.pem
ENV INFLUXD_TLS_MIN_VERSION=1.2
ENV INFLUXD_TLS_STRICT_CIPHERS=true
ENV INFLUXD_TRACING_TYPE=log
EXPOSE 8086 8083 443

This is my Dockerfile. SSL doesn’t work; it logs this: "lvl=info msg=Listening log_id=0U6evMlW000 service=tcp-listener transport=http addr=:9999 port=9999" and then goes down.

Verify your config settings:

#influx config ls
Active Name URL Org
jozefina http://192.168.0.105:8086 influxdata
default https://ruth:8086 ooo

If there is no HTTPS in your URL, you have to update that config record.

I forgot to mention one more note: if you run influx once as root with influxd and then later set it up as a service with systemctl, it is running under the influxd user.

I cannot find the link now, but it was mentioned somewhere and I know it caused me problems.

Check out the replies on this thread:

Good luck

I had the same problem.

If you run influxdb as a service (systemctl start influxdb) then it is started as the “influxdb” user.
The solution was to change the ownership of the tls-cert and tls-key files to the influxdb user:

chown influxdb:influxdb <path-to-file.crt>
chown influxdb:influxdb <path-to-file.key>

In the documentation (https://docs.influxdata.com/influxdb/v2/admin/security/enable-tls/) it’s not explicitly written that you should also check the ownership of the files.
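
The ownership problem described in the post above can be checked before restarting the service. The following is an added example, not code from the thread or from InfluxData: it walks from the key file up to `/` and reports the path component whose mode bits deny the service account, which also catches root-only parent directories such as certbot's `live/` and `archive/`. The function names are made up for this example, and only classic mode bits are evaluated (no ACLs or SELinux).

```shell
#!/bin/sh
# Added example: why can the service account not read a TLS file?
# Assumes GNU stat and readlink (CentOS, Debian); ACLs/SELinux are not evaluated.

# perm_bit MODE OWNER_UID OWNER_GID UID "GIDS" BIT -> 0 if BIT (4=read, 1=search) is granted
perm_bit() {
    pb_mode=$(( 0$1 )); pb_shift=0                  # parse stat's octal mode
    if [ "$4" -eq 0 ]; then return 0; fi            # root bypasses mode bits
    if [ "$4" -eq "$2" ]; then
        pb_shift=6                                  # owner class takes precedence
    else
        for pb_g in $5; do
            if [ "$pb_g" -eq "$3" ]; then pb_shift=3; fi
        done
    fi
    [ $(( (pb_mode >> pb_shift) & $6 )) -ne 0 ]
}

# first_blocker UID "GIDS" PATH -> prints the deepest path component that
# denies access and returns 1; prints nothing and returns 0 when access is fine.
first_blocker() {
    fb_uid=$1; fb_gids=$2
    fb_cur=$(readlink -f -- "$3")                   # follow symlinks to the real file
    if [ ! -e "$fb_cur" ]; then echo "$3"; return 1; fi
    fb_need=4                                       # read on the file itself
    while :; do
        set -- $(stat -c '%a %u %g' -- "$fb_cur")
        if ! perm_bit "$1" "$2" "$3" "$fb_uid" "$fb_gids" "$fb_need"; then
            echo "$fb_cur"; return 1
        fi
        if [ "$fb_cur" = / ]; then return 0; fi
        fb_cur=$(dirname -- "$fb_cur"); fb_need=1   # search (x) on every parent dir
    done
}

# key_mode_ok FILE -> 0 if the private key grants nothing to "other"
key_mode_ok() {
    [ $(( 0$(stat -c '%a' -- "$1") & 7 )) -eq 0 ]
}

# check_tls_access USER FILE: wrapper that looks up the account's uid and groups
check_tls_access() {
    first_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"
}

# Usage (script name is hypothetical): sh check-tls-access.sh influxdb /path/to/influxdb.key
if [ "$#" -eq 2 ]; then check_tls_access "$1" "$2"; fi
```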

I too had the same issue on a raspberry pi 4b with debian bookworm until I finally found the solution! As there were no automatic install options for this setup (arm64 .deb) I followed the official guidance for manual installation:

https://docs.influxdata.com/influxdb/v2/install/?t=Linux#manually-download-and-install-the-influxd-binary

I then created a “config.toml” file and added the TLS-paths as suggested by the official documentation. I also ensured the permissions were correct for the certificates (at least read rights for user influxdb). This still didn’t work so I tried all kinds of various suggestions available on the internet, still without luck.

In the end what worked for me was to first stop the influxdb.service via command:

sudo systemctl stop influxdb.service

and then add the TLS-commands (--tls-key --tls-cert) in the file influxd-systemd-start.sh
in my case it was located here: /usr/lib/influxdb/scripts/

I did this via command:

sudo nano /usr/lib/influxdb/scripts/influxd-systemd-start.sh

The resulting file looks like this (remember to change path to your cert/key files and ensure you have set the correct permissions)

#!/bin/bash -e

/usr/bin/influxd --reporting-disabled --tls-cert="/path/to/crtfile" --tls-key="/path/to/keyfile" &
PID=$!
echo $PID > /var/lib/influxdb/influxd.pid

PROTOCOL="http"
BIND_ADDRESS=$(influxd print-config --key-name http-bind-address)
TLS_CERT=$(influxd print-config --key-name tls-cert | tr -d '"')
TLS_KEY=$(influxd print-config --key-name tls-key | tr -d '"')
if [ -n "${TLS_CERT}" ] && [ -n "${TLS_KEY}" ]; then
  echo "TLS cert and key found -- using https"
  PROTOCOL="https"
fi
HOST=${BIND_ADDRESS%:*}
HOST=${HOST:-"localhost"}
PORT=${BIND_ADDRESS##*:}


set +e
attempts=0
url="$PROTOCOL://$HOST:$PORT/ready"
result=$(curl -k -s -o /dev/null $url -w %{http_code})
while [ "${result:0:2}" != "20" ] && [ "${result:0:2}" != "40" ]; do
  attempts=$(($attempts+1))
  echo "InfluxDB API at $url unavailable after $attempts attempts..."
  sleep 1
  result=$(curl -k -s -o /dev/null $url -w %{http_code})
done
echo "InfluxDB started"
set -e

After I had done that I was able to start the service again

sudo systemctl start influxdb.service

It does survive reboots (not sure about future updates though?). Hope that will help anyone out there