Issue when enable https with influxDB

telegraf
influxdb
#1

Hi Team.

Due to security concerns about the plain-text password in the Telegraf configuration file, I am trying to use client certificate authentication following the document https://docs.influxdata.com/influxdb/v1.5/administration/https_setup/

Currently I am using a self-signed certificate with the steps below.


Generate a CA

  1. openssl req -out ca.pem -new -x509
     - generates CA file "ca.pem" and CA key "privkey.pem"

Generate server certificate/key pair (no password)

  1. openssl genrsa -out server.key 1024
  2. openssl req -key server.key -new -out server.req
  3. openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
     - contents of "file.srl" is a two-digit number, e.g. "00"

Generate client certificate/key pair

  1. openssl genrsa -out client.key 1024
  2. openssl req -key client.key -new -out client.req
  3. openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
     - contents of "file.srl" is a two-digit number, e.g. "00"

I updated the InfluxDB configuration:

[http]
enabled = true
bind-address = ":8086"
auth-enabled = true
log-enabled = true
write-tracing = false
pprof-enabled = false
https-enabled = true
https-certificate = "server.pem"
https-private-key = "server.key"

and I am able to connect through the influx CLI command:

./influx -ssl -host -unsafeSsl
Connected to https://:8086 version 1.4.2
InfluxDB shell version: 1.4.2

When I try the client certificate with the curl command, it always shows an error. When generating the client certificate, I already used -subj "/CN=admin" to specify the user in the client cert.

curl --cert client.pem --key client.key https://:8086/query --data-urlencode "q=SHOW DATABASES" -k
{"error":"unable to parse authentication credentials"}

Would you please advise if I did anything wrong here?

#2

I would try using the --cacert flag instead of the --cert flag as they have slightly different meanings to curl.

--cacert <CA certificate>
   (SSL)  Tells  curl  to use the specified certificate file to verify the peer. The file may contain
   multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to  use
   a default file for this, so this option is typically used to alter that default file.

   curl  recognizes  the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given
   path as a path to a CA cert bundle. This option overrides that variable.

-E, --cert <certificate[:password]>
   (SSL) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS
   or  another  SSL-based  protocol. The certificate must be in PEM format.  If the optional password
   isn't specified, it will be queried  for  on  the  terminal.  Note  that  this  option  assumes  a
   "certificate"  file  that  is the private key and the private certificate concatenated! See --cert
   and --key to specify them independently.
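The two things this thread turns on, the certificate chain built with openssl in the first post and the difference between curl's --cacert (which CA the client trusts for the server) and --cert/--key (which certificate the client presents) quoted just above, can be watched end to end in a small program. The following is an added example, not code from the thread, from InfluxDB, Telegraf or curl: it builds a CA, a server certificate and a CN=admin client certificate in memory with Go's standard library, then runs a loopback TLS handshake against a server configured to require a client certificate chained to that CA. The function names makeCert and handshake, the CA name "Example CA" and the use of ECDSA P-256 instead of the thread's RSA keys are this example's own choices. It shows what client-certificate authentication gives a server at the TLS layer: the CN from a certificate whose chain verifies against the configured CA, while a connection without a certificate, or with a CN=admin certificate issued by some other CA, is rejected during the handshake. Whether the server then maps that identity to an application user is a separate step; the later replies in this thread say InfluxDB 1.x with auth-enabled still expects a username and password.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert creates a key pair and certificate for cn: self-signed when parent is nil (the CA,
// "openssl req -x509" in the thread), otherwise issued by parent ("openssl x509 -req -CA ...").
// Constructed for this example (not InfluxDB, Telegraf or curl code); it panics on failure.
func makeCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // what "-subj /CN=admin" sets
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"}, // the SAN the client checks on the server cert
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced above always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS connection over loopback against a server that requires a client
// certificate chained to ca and returns the CN the server saw. A nil client is curl without
// --cert/--key. The server's verdict decides the result, as it would for authentication.
func handshake(ca, server tls.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // no cert, or one from another CA, fails the handshake
	// RootCAs is what curl's --cacert supplies; Certificates is what --cert/--key supply.
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	cnCh, errCh := make(chan string, 1), make(chan error, 1)
	go func() { // server side
		raw, err := ln.Accept()
		if err == nil {
			s := tls.Server(raw, srvCfg)
			defer s.Close()
			if err = s.Handshake(); err == nil {
				cnCh <- s.ConnectionState().PeerCertificates[0].Subject.CommonName
				return
			}
		}
		errCh <- err
	}()
	c, clientErr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // dials and handshakes
	if clientErr == nil {
		c.Close()
	}
	select {
	case err := <-errCh:
		return "", err
	case cn := <-cnCh:
		return cn, clientErr
	}
}

func main() {
	ca := makeCert("Example CA", true, nil)
	server := makeCert("localhost", false, &ca)
	client := makeCert("admin", false, &ca)
	fmt.Println(handshake(ca, server, &client)) // admin <nil>
	fmt.Println(handshake(ca, server, nil))     // "" and the server's rejection error
}
```

Run it with go run: the first line prints the CN taken from the verified client certificate, the second prints the error the server raised because no certificate was presented. Note that the CN itself proves nothing; the server trusts it only because the chain ends at the CA in ClientCAs, which is why a cert from an untrusted CA with the same CN=admin is also rejected.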

#3

Thanks David for your reply. I also tried with --cacert and it is the same result.

curl --cert client.pem --key client.key https://:8086/query --data-urlencode "q=SHOW DATABASES" --cacert ca.pem
{"error":"unable to parse authentication credentials"}

Do you have any working sample with a self-signed cert?

#4

I followed exactly the steps you did to create the certs, and to configure the InfluxDB server on localhost, but the curl command I ran – which succeeded – is:

curl -G https://localhost:8086/query --cert ./client.pem --key ./client.key -k --data-urlencode "q=show databases"

{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["telegraf"],["_internal"],["downsample"],["mydb"],["chronograf"]]}]}]}

It appears that the order of your parameters to curl was incorrect, and what I found was that 'q=SHOW DATABASES' failed but 'q=show databases' worked.

I should point out that this will not work if auth_enabled=true as that will still require a username/password combination.

HTH,
dg

#5

Hi,

I am having basically the same problem and I find this answer confusing; the docs say that auth_enabled needs to be true for any authentication or authorization to happen at all, but you’re saying that auth_enabled needs to be false otherwise the server will use basic auth irrespective of whether or not there’s a client certificate being used for the connection? If so, how do I enforce authz when using client certs for authn?