Influxdb is not sending a client certificate during TLS handshake

ComeAll · April 27, 2020, 5:09pm

I want to send InfluxDB data to a subscriber over HTTPS.
Our security team does not want us to just use username and password to authenticate the call.
They want us to use TLS client authentication where the client certificate is sent during TLS handshake.
We turned on HTTPS on influxdb web server but it appears that influxdb is not sending a client certificate during TLS handshake.

We were wondering if this is possible for influxdb to do.
If so, how can it be configured to do so.
Also let us know if this is not possible so we can pursue other choices.

Thanks In Advance
Kamal

Anaisdg · April 30, 2020, 3:05pm

Hello @ComeAll,
Welcome! You can enable TLS.
Let me know if I can help w anything else

Alestrix · May 3, 2020, 2:38pm

The OP’s request is very interesting and I’d use certificate based client authentication if it were available. Unfortunately that link doesn’t even slightly cover the OP’s request.

rawkode · May 4, 2020, 12:44pm

Hi @ComeAll,

Unfortunately InfluxDB does not support mTLS; please feel free to open a feature request.

rawkode · May 4, 2020, 12:46pm

I appreciate that you were unhappy with my colleagues answer, but we’re doing our best to help people here.

Instead of pointing out the flaws, use these sort of opportunities to help the community and expand on the OPs question; we can all learn together.

Alestrix · June 1, 2020, 8:42pm

Hi @rawkode, @Anaisdg,
Sorry that I came across cocky. I thought (and still think) that the OP talking about using TLS client authentication instead of username + password was unambiguous, but my answer was inappropriate and impertinent and I apologize for that.
If you want to read about TLS client authentication, just jump over to Wikipedia to the TLS handshake chapter (Transport Layer Security - Wikipedia) and scroll down to “Client-authenticated TLS handshake”.

Regards
Alex

donnlee · August 11, 2020, 3:08am

I stumbled on this thread because I was trying to get influxdb to send subscription data to kapacitor over TLS/https.

Here shows the influxdb subscriptions configured for https:

> show subscriptions
name: _internal
retention_policy name                                           mode destinations
---------------- ----                                           ---- ------------
monitor          kapacitor-0237911b-8496-432b-8bd3-cc624b5b1ce5 ANY  [https://kapacitor.example.com:9092]

name: telegraf
retention_policy name                                           mode destinations
---------------- ----                                           ---- ------------
autogen          kapacitor-0237911b-8496-432b-8bd3-cc624b5b1ce5 ANY  [https://kapacitor.example.com:9092]

I got this working by setting the following in kapacitor.conf:

"subscription-protocol": "https",

donnlee · August 13, 2020, 5:26am

But unfortunately this config does not mean influxdb, as a TLS client of kapacitor, will present a client certificate to kapacitor for mTLS.
I guess a potential workaround is to create a packet ACL on kapacitor that blocks all traffic except those from influxdb.

Topic		Replies	Views
HTTP response to HTTPS client Welcome & Getting Started	0	1955	June 30, 2020
Telegraf TLS Client Authentication in Influxdb output Telegraf influxdb , telegraf	4	3830	November 7, 2017
Using InfluxDB with TLS encryption InfluxDB 2 installation	2	507	May 22, 2024
Client certificate authentication Telegraf	8	6614	September 24, 2020
Setting up password less auth to connect to influxdb	7	3088	May 9, 2018

Influxdb is not sending a client certificate during TLS handshake

Related topics