Setting up passwordless auth to connect to InfluxDB

We need a method to allow passwordless “authorized” connections into InfluxDB while the rest can use the password method, and we need both the default 8086 port and maybe the ssl_port (if required) to work simultaneously.

Is this possible, and are there any white papers to help?

Basically looking for a setup similar to this MySQL link for the SSL certs part:

https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html

And also continue with the default HTTP port 8086!

Any help is appreciated.

I followed these steps to create self-signed certs and activated SSL,

but this step is not working (as this InfluxDB host does not have a default private key; I did create my own rootCA.pem but am unable to use it to sign the client cert)

location :

part 2 of step 1

Sign if you manage the CA with openssl

sudo openssl ca -infiles /etc/ssl/.csr -out /etc/ssl/.crt

worklog
$ sudo openssl ca -in /etc/ssl/dbadmin-influx.csr -out /etc/ssl/dbadmin-influx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
139978423945120:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/private/cakey.pem','r')
139978423945120:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load CA private key
$

Now I can use the following sample to sign my cert with my own rootCA but I did not sign the influxdb cert with that … so how does this work out!

Feeling lost!

Any help appreciated.

We generally recommend using a load balancer such as NGINX for this; it can accept both HTTP and HTTPS connections and forward only HTTP to InfluxDB.

That will work for the traditional logins, but HTTPS with certs will be failing … thanks, but it will not work.

My confusion now leads me to the self signed client certs issue.

I signed the client cert with CN as the InfluxDB username!

For the test I added this to the InfluxDB config:

  https-enabled = true

  # The SSL certificate to use when HTTPS is enabled.
  https-certificate = "/etc/ssl/influxdb-selfsigned.crt"

  # Use a separate private key location.
  https-private-key = "/etc/ssl/influxdb-selfsigned.key"

  # The SSL certificate used to validate client certificates
  #https-ca-certificate = "/etc/ssl/<ca-certificate-file>.crt"
  https-ca-certificate = "/etc/ssl/rootCA.pem"

This is the same rootCA.pem I used to sign the client crt (it seems that's needed).

Still having issues!

Error :

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

It's probably because my rootCA was not made trusted.

Well, playing with the keys and “self generated” rootCAs I progressed a bit, but am stuck again…
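As an added example (not part of the original posts and not InfluxDB's own tooling): `openssl ca` fails in the worklog above because it expects the CA key at the path configured in openssl.cnf, whereas `openssl x509 -req` signs a CSR directly with a self-made root CA key. The script issues the server and the client certificate from one root, so a client can check the server with `--cacert` instead of `-k`; the host name cricket and CN=dbadmin are taken from the curl commands in this thread, while all file names, the CA subject and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example. Subjects, file names and the work directory are constructed.
set -eu
WORK=$(mktemp -d)

# Minimal config so nothing depends on /etc/pki/tls/openssl.cnf or on
# /etc/pki/CA/private/cakey.pem, the path `openssl ca` tried to open.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-influx-rootCA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Root CA: private key plus self-signed certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.pem" 2>/dev/null
}

# issue NAME CN [EXTFILE]: new key + CSR, then sign the CSR with the root CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 365 -out "$WORK/$1.crt" \
    -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    ${3:+-extfile "$3"} 2>/dev/null
}

# Succeeds only if the certificate chains to our root CA.
chains_to_ca() { openssl verify -CAfile "$WORK/rootCA.pem" "$1" >/dev/null 2>&1; }

make_ca
printf 'subjectAltName=DNS:cricket\n' > "$WORK/server.ext"
issue server cricket "$WORK/server.ext"   # server cert for host "cricket"
issue client dbadmin                      # client cert with CN=dbadmin
chains_to_ca "$WORK/server.crt" && chains_to_ca "$WORK/client.crt" \
  && echo "both certificates verify against $WORK/rootCA.pem"
```
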

issue

curl -v -k --cacert /etc/pki/CA/influx-rootCA.pem --cert /etc/ssl/dbadmin-client-influx.crt --key /etc/ssl/dbadmin-client-private-key-file.key https://cricket:8086/query --data-urlencode "q=SHOW DATABASES"
* About to connect() to cricket port 8086 (#0)
*   Trying 10.100.48.39...
* Connected to cricket (10.100.48.39) port 8086 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: E=influxdba@trdlnk.com,CN=cricket,OU=IT,O=Tradelink,L=Chicago,ST=IL,C=US
*       start date: May 09 20:37:11 2018 GMT
*       expire date: May 08 20:37:11 2021 GMT
*       common name: cricket
*       issuer: E=influxdba,CN=cricket,OU=IT
> POST /query HTTP/1.1
> User-Agent: curl/7.29.0
> Host: cricket:8086
> Accept: */*
> Content-Length: 18
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 18 out of 18 bytes
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
< Request-Id: 5d0396c4-53cd-11e8-8007-000000000000
< Www-Authenticate: Basic realm="InfluxDB"
< X-Influxdb-Build: OSS
< X-Influxdb-Version: 1.5.2
< X-Request-Id: 5d0396c4-53cd-11e8-8007-000000000000
< Date: Wed, 09 May 2018 21:10:12 GMT
< Content-Length: 55
<
{"error":"unable to parse authentication credentials"}
* Connection #0 to host cricket left intact

Any help appreciated!

I have created an InfluxDB login “dbadmin” with password…

created the client certs with /CN=dbadmin …

Why does it fail then? What's not working now?

Based on:

< Www-Authenticate: Basic realm="InfluxDB"

It looks like you just need to add basic auth credentials to your curl command: --user username:password
