Revoking client certificates in telegraf (influxdb_listener)

andoks · October 21, 2021, 1:18pm

Hi!

I am using telegraf with the influxdb_listener plugin to act as a secure reverse proxy that writes incoming data both to Influxdb (v2) and kapacitor (as per “Stream-style TICKscripts” in InfluxDB OSS 2.0 General Availability Roadmap ) to be able to continue to use streaming tick-scripts after upgrade to influxdbv2.

To improve the security of the solution, I have enabled mutual TLS according to the influxdb_listener documentation, which seems to work fine.

But in the event of an edge device being compromised, I would like the ability to revoke individual client certificates. I could not find out how to do this in the documentation.

Has anyone got this working, or know if this is not a supported feature?

andoks · October 22, 2021, 1:42pm

Sven Rebhan on slack informed me that revoking client certificates is currently not supported in telegraf (Slack), but a PR for such a feature would probably be welcomed.

Implementing this will probably require changing the common tls config. Inspiration of how to do the implementation can be found in cloudflares CRL handling in CFSSL as found by Lorenz L. on stackoverflow: How can I verify client certificates against a CRL in Golang?

Topic		Replies	Views
Telegraf TLS Client Authentication in Influxdb output Telegraf influxdb , telegraf	4	3813	November 7, 2017
Telegraf getting 400 errors Telegraf influxdb , telegraf	1	1671	October 27, 2018
Configuring the TICK stack to function with self-signed certs	6	3262	August 7, 2017
Telegraf Influxdb plugin with HTTPS Telegraf telegraf	3	710	June 7, 2020
Proxies Telegraf via Nginx - certificate signed by unknown authority Telegraf telegraf	4	2703	February 18, 2021

Revoking client certificates in telegraf (influxdb_listener)

Related topics