I’m having issues with the CA Certificates that are configured in both Ubuntu/Debian and Alpine based Telegraf Docker containers, as they, for some reason, cannot trust the speedtest.net website. It’s strange, as doing a “wget” to any other website works without a problem. I need access to speedtest.net, as I want to work with the Internet Speed input plugin, that connects to Speedtest’s API to retrieve data.
Any help is more than welcome, as I’m blocked at the moment and wouldn’t really like to have Telegraf and InfluxDB OSS installed locally on my Windows computer. If you need any other kind of information, please let me know.
Can you share your config and logs please?
Are you building a custom container or using the official telegraf container?
What is the actual error message you see?
Thanks for the fast reply.
My Telegraf Dockerfile is very simple, doesn’t modify almost anything:
COPY telegraf.conf /etc/telegraf/telegraf.conf
RUN apt-get update && apt-get install -y ca-certificates
As you can see, I already tried with apt-get update and apt-get install ca-certificates, and it didn’t work. Same with Alpine and apk get, no results.
The telegraf.conf file is almost exactly the same as the one that InfluxDB automatically creates when setting up the Internet Speed plugin, with the exception that I skipped TLS for the output (InfluxDB), although I couldn’t do the same with Internet Speed, as there is no such option, at least from what I’ve read. This is the content of telegraf.conf:
[agent]
interval = "20s"
round_interval = true
metric_batch_size = 1000
metric_buffer_limit = 10000
collection_jitter = "0s"
flush_interval = "10s"
flush_jitter = "0s"
precision = ""
hostname = ""
omit_hostname = false
[[outputs.influxdb_v2]]
urls = ["https://eu-central-1-1.aws.cloud2.influxdata.com"]
token = "$INFLUX_TOKEN"
organization = "Next Gen Projects"
bucket = "Local Computer"
insecure_skip_verify = true
[[inputs.internet_speed]]
enable_file_download = true
With this configuration I managed to skip the TLS errors from trying to connect to InfluxDB Cloud, but as you can see I couldn’t skip TLS for Internet Speed.
The error message I get from Telegraf is the following:
E! [inputs.internet_speed] Error in plugin: unable to find closest server: fetching server list failed: Get "https://www.speedtest.net/api/js/servers": tls: failed to verify certificate: x509: certificate signed by unknown authority
I also tried executing wget speedtest.net from Telegraf’s terminal, and got a similar error. Doing wget google.com for example doesn’t give me this error.
If I forgot something or you need anything else please let me know.
Two initial comments:
- You should be getting a deprecation warning about enable_file_download as the new config option is
- If you do run apt update and install something, if you want to keep the size of the container down, you will want to remove those files post-install as well.
Here is my attempt using your examples:
$ cat telegraf.conf
[agent]
debug = true
[[outputs.file]]
[[inputs.internet_speed]]
interval = "30s"
memory_saving_mode = true
$ cat Dockerfile
FROM telegraf
COPY telegraf.conf /etc/telegraf/telegraf.conf
$ docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
Sending build context to Docker daemon 3.072kB
Step 1/2 : FROM telegraf
latest: Pulling from library/telegraf
93c2d578e421: Already exists
c87e6f3487e1: Already exists
21a1bd817f4c: Pull complete
f6e8cc37fc85: Pull complete
7eb3ce3f8dc5: Pull complete
88115ed6a729: Pull complete
Status: Downloaded newer image for telegraf:latest
Step 2/2 : COPY telegraf.conf /etc/telegraf/telegraf.conf
Successfully built 896de9cd4e99
/tmp/test took 7s
$ docker run --rm -it 896de9cd4e99
2023-06-28T14:44:46Z I! Loading config: /etc/telegraf/telegraf.conf
2023-06-28T14:44:46Z I! Starting Telegraf 1.27.1
2023-06-28T14:44:46Z I! Available plugins: 237 inputs, 9 aggregators, 28 processors, 23 parsers, 59 outputs, 4 secret-stores
2023-06-28T14:44:46Z I! Loaded inputs: internet_speed
2023-06-28T14:44:46Z I! Loaded aggregators:
2023-06-28T14:44:46Z I! Loaded processors:
2023-06-28T14:44:46Z I! Loaded secretstores:
2023-06-28T14:44:46Z I! Loaded outputs: file
2023-06-28T14:44:46Z I! Tags enabled: host=26f9b9292e62
2023-06-28T14:44:46Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"26f9b9292e62", Flush Interval:10s
2023-06-28T14:44:46Z D! [agent] Initializing plugins
2023-06-28T14:44:46Z D! [agent] Connecting outputs
2023-06-28T14:44:46Z D! [agent] Attempting connection to [outputs.file]
2023-06-28T14:44:46Z D! [agent] Successfully connected to outputs.file
2023-06-28T14:44:46Z D! [agent] Starting service inputs
2023-06-28T14:44:56Z D! [outputs.file] Buffer fullness: 0 / 10000 metrics
2023-06-28T14:45:00Z D! [inputs.internet_speed] using server 58015 in Hamilton, MT (speedtest3.grizzlybb.net.prod.hosts.ooklaserver.net:8080)
2023-06-28T14:45:06Z D! [outputs.file] Buffer fullness: 0 / 10000 metrics
When I added the line to install ca-certificates I get:
ca-certificates is already the newest version (20210119).
Do you have a locally tagged docker image called “telegraf” that is getting used, instead of the upstream image?
No, I don’t have a locally tagged image named telegraf. I use local-telegraf as an image tag, it’s the one I build with Dockerfile, so I don’t have issues with the upstream image.
I also tried your telegraf.conf and Dockerfile with the same issue. I guess this is something out of Telegraf or its container. This is out of context, but could it be something related to Docker CE or Windows?
If the same behavior exists using wget while inside the container, then this is not Telegraf-specific, but points to the way the container is set up.
- When you install ca-certificates does it actually update to a newer version?
- Can you run apt-cache policy ca-certificates in the container and share the output?
but could it be something related to Docker CE or Windows?
If the above looks good, then the thing that could be happening is if you have a strange networking configuration that is routing the network traffic or using a corp. network that is replacing the cert possibly.
edit: expanded paragraph above
Sorry about the late response. I’ve finally figured that my work laptop is at fault, as it has its own certificates and such. Thank you so much for the help anyways.
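The cause the thread ends on (a work laptop that presents its own certificates) can be reproduced offline with Go's crypto/x509, the library that produces the error string Telegraf logged. This is an added example, not code from the thread or from Telegraf; the CA name, the helper functions and the in-memory trust stores are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn signed by parent (a self-signed CA when parent is nil).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil { // self-signed root CA: may sign certificates, carries no SAN
		t.IsCA, t.KeyUsage, t.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// diagnose verifies leaf for host against roots and, on failure, names the issuer to look for.
func diagnose(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	switch _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); {
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority: " + leaf.Issuer.CommonName
	case err != nil:
		return "other error: " + err.Error()
	}
	return "trusted"
}

// demo returns the verdict without and with the proxy CA in the trust store.
func demo() (string, string) {
	proxy, proxyKey := issue("Constructed Corp Proxy CA", nil, nil) // constructed name
	leaf, _ := issue("www.speedtest.net", proxy, proxyKey)
	bundle, fixed := x509.NewCertPool(), x509.NewCertPool() // bundle lacks the proxy CA
	fixed.AddCert(proxy)
	return diagnose(leaf, "www.speedtest.net", bundle), diagnose(leaf, "www.speedtest.net", fixed)
}
func main() { fmt.Println(demo()) }
```

The issuer named in the failing case is the thing to check on a real host: an issuer that belongs to your organisation rather than a public CA means the connection is being re-signed in transit, and reinstalling the ca-certificates package will not change the result.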