Influxdb: Getting connection refused after installing SSL

1

Hi all,

I have installed the Influxdb TICK stack on the same server, and all is working well. Now, I would like to add SSL for better security. I have gotten an official CA cert and followed the steps in this link HTTPS Setup | InfluxDB OSS 1.3 Documentation

Unfortunately, after a restart I get this error when I try to access the Influxdb CLI:

[user@nfluxdb ssl]$ influx -ssl -host domain-name
Failed to connect to https://domain-name:8086: Get https://domain-name:8086/ping: dial tcp IP:8086: getsockopt: connection refused
Please check your connection settings and ensure ‘influxd’ is running.

Here are my config settings:
[http]
–Determines whether HTTP endpoint is enabled.
enabled = false

–Determines whether user authentication is enabled over HTTP/HTTPS.
auth-enabled = true

– Determines whether HTTPS is enabled.
https-enabled = true

– The SSL certificate to use when HTTPS is enabled.
https-certificate = “/etc/ssl/name-of-cert.crt”

– Use a separate private key location.
https-private-key = “/etc/ssl/name-of-cert.key”

Here is the output of my netstat:

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8088 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8888 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 :::9092 :::* LISTEN -
unix 2 [ ACC ] STREAM LISTENING 13327 - /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 16812 - private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 16815 - private/rewrite
unix 2 [ ACC ] STREAM LISTENING 16818 - private/bounce
unix 2 [ ACC ] STREAM LISTENING 16821 - private/defer
unix 2 [ ACC ] STREAM LISTENING 16824 - private/trace
unix 2 [ ACC ] STREAM LISTENING 16827 - private/verify
unix 2 [ ACC ] STREAM LISTENING 16833 - private/proxymap
unix 2 [ ACC ] STREAM LISTENING 16836 - private/proxywrite
unix 2 [ ACC ] STREAM LISTENING 16839 - private/smtp
unix 2 [ ACC ] STREAM LISTENING 16842 - private/relay
unix 2 [ ACC ] STREAM LISTENING 16848 - private/error
unix 2 [ ACC ] STREAM LISTENING 16851 - private/retry
unix 2 [ ACC ] STREAM LISTENING 16854 - private/discard
unix 2 [ ACC ] STREAM LISTENING 16857 - private/local
unix 2 [ ACC ] STREAM LISTENING 16860 - private/virtual
unix 2 [ ACC ] STREAM LISTENING 16863 - private/lmtp
unix 2 [ ACC ] STREAM LISTENING 16866 - private/anvil
unix 2 [ ACC ] STREAM LISTENING 16869 - private/scache
unix 2 [ ACC ] SEQPACKET LISTENING 13383 - /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 16801 - public/pickup
unix 2 [ ACC ] STREAM LISTENING 16805 - public/cleanup
unix 2 [ ACC ] STREAM LISTENING 16808 - public/qmgr
unix 2 [ ACC ] STREAM LISTENING 16830 - public/flush
unix 2 [ ACC ] STREAM LISTENING 16845 - public/showq
unix 2 [ ACC ] STREAM LISTENING 15473 - /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 13954 - /var/run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 15472 - /var/lib/gssproxy/default.sock
unix 2 [ ACC ] STREAM LISTENING 10136 - /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 8349 - /run/systemd/journal/stdout

I have also tried using a self-signed cert and that failed as well.

I am using the Centos 7 with latest updates and the latest version of the Influxdb (v1.3) TICK stack. Any help would greatly be appreciated.

2

I was able to get a little more info from the influxdb logs but still not much for me to go on.

Error Log:
http://localhost:9092/write?consistency=&db=_internal&precision=ns&rp=monitor: dial tcp [::1]:9092: getsockopt: connection refused service=subscriber

Is there something I can do to get more details?

Thank you.

3

I tried again using a pem cert file and same error. Does anyone know how to trouble shoot this?

influx -ssl -host domain-name
Failed to connect to https://domain-name:8086: Get https://domain-name:8086/ping: http: server gave HTTP response to HTTPS client
Please check your connection settings and ensure ‘influxd’ is running.

My settings:

[http]
enabled = false
bind-address = “:8086”
auth-enabled = true
log-enabled = true
write-tracing = true
pprof-enabled = true
https-enabled = true
https-certificate = “/etc/ssl/cert.pem”
https-private-key = “”

Thanks.

4

I think you will need enabled = true and a valid https-private-key file.

5

That worked. I was under the impression that if you have a .pem cert you don’t need the key cert. I guess I was wrong. Thank you for taking the time to help a newbie like me :wink:

New settings:

[http]
enabled = true
bind-address = ":8086"
auth-enabled = true
log-enabled = true
write-tracing = true
pprof-enabled = true
https-enabled = true
https-certificate = "/etc/ssl/cert.pem"
https-private-key = “/etc/ssl/cert.key”

Cheers.

1 Like
6

Following the same options in config file. But still error is connection refused. Can you pls help ?

7

Not sure if you are still having issues, but have you tried this:

insecure_skip_verify = true

This will skip “strict” ssl/tls tests like host name verification, but will still encrypt your telegraf traffic.