Speedtest.net not trusted in Telegraf Docker container

Hi,

I’m having issues with the CA Certificates that are configured in both Ubuntu/Debian and Alpine based Telegraf Docker containers, as they, for some reason, cannot trust the speedtest.net website. It’s strange, as doing a “wget” to any other website works without a problem. I need access to speedtest.net, as I want to work with the Internet Speed input plugin, that connects to Speedtest’s API to retrieve data.

Any help is more than welcome, as I’m blocked at the moment and wouldn’t really like to have Telegraf and InfluxDB OSS installed locally on my Windows computer. If you need any other kind of information, please let me know.

Best regards,
Calin

Can you share your config and logs please?

Are you building a custom container or using the official telegraf container?

What is the actual error message you see?

Hi,

Thanks for the fast reply.

My Telegraf Dockerfile is very simple, doesn’t modify almost anything:

FROM telegraf
COPY telegraf.conf /etc/telegraf/telegraf.conf
RUN apt-get update && apt-get install -y ca-certificates
ENV INFLUX_TOKEN=<token_value>

As you can see, I already tried with apt-get update and apt-get install ca-certificates, and it didn’t work. Same with Alpine and apk get, no results.

The telegraf.conf file is almost exactly the same as the one that InfluxDB automatically creates when setting up the Internet Speed plugin, with the exception that I skipped TLS for the output (InfluxDB), although I couldn’t do the same with Internet Speed, as there is no such option, at least from what I’ve read. This is the content of telegraf.conf:

[agent]
  interval = "20s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "0s"
  flush_interval = "10s"
  flush_jitter = "0s"
  precision = ""
  hostname = ""
  omit_hostname = false
[[outputs.influxdb_v2]]
  urls = ["https://eu-central-1-1.aws.cloud2.influxdata.com"]
  token = "$INFLUX_TOKEN"
  organization = "Next Gen Projects"
  bucket = "Local Computer"
  insecure_skip_verify = true
[[inputs.internet_speed]]
  enable_file_download = true

With this configuration I managed to skip the TLS errors from trying to connect to InfluxDB Cloud, but as you can see I couldn’t skip TLS for Internet Speed.

The error message I get from Telegraf is the following:

E! [inputs.internet_speed] Error in plugin: unable to find closest server: fetching server list failed: Get "https://www.speedtest.net/api/js/servers": tls: failed to verify certificate: x509: certificate signed by unknown authority

I also tried executing wget speedtest.net from Telegraf’s terminal, and got a similar error. Doing wget google.com for example doesn’t give me this error.

If I forgot something or you need anything else please let me know.

Best regards,
Calin

Two initial comments:

  1. You should be getting a deprecation warning about enable_file_download as the new config option is memory_saving_mode
  2. If you do run apt update and install something, if you want to keep the size of the container down, you will want to remove those files post-install as well.

Here is my attempt using your examples:

$ cat telegraf.conf 
[agent]
    debug = true

[[inputs.internet_speed]]
  interval = "30s"
  memory_saving_mode = true

[[outputs.file]]
$ cat Dockerfile 
FROM telegraf
COPY telegraf.conf /etc/telegraf/telegraf.conf
$ docker build .
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit:
            https://docs.docker.com/go/buildx/

Sending build context to Docker daemon  3.072kB
Step 1/2 : FROM telegraf
latest: Pulling from library/telegraf
93c2d578e421: Already exists 
c87e6f3487e1: Already exists 
21a1bd817f4c: Pull complete 
f6e8cc37fc85: Pull complete 
7eb3ce3f8dc5: Pull complete 
88115ed6a729: Pull complete 
Digest: sha256:0b283711b57bfe50f139a82ac1727c2e0896b02a389498b8eb14037631ff487c
Status: Downloaded newer image for telegraf:latest
 ---> 4ac698871350
Step 2/2 : COPY telegraf.conf /etc/telegraf/telegraf.conf
 ---> 896de9cd4e99
Successfully built 896de9cd4e99
/tmp/test took 7s 
$ docker run --rm -it 896de9cd4e99
2023-06-28T14:44:46Z I! Loading config: /etc/telegraf/telegraf.conf
2023-06-28T14:44:46Z I! Starting Telegraf 1.27.1
2023-06-28T14:44:46Z I! Available plugins: 237 inputs, 9 aggregators, 28 processors, 23 parsers, 59 outputs, 4 secret-stores
2023-06-28T14:44:46Z I! Loaded inputs: internet_speed
2023-06-28T14:44:46Z I! Loaded aggregators: 
2023-06-28T14:44:46Z I! Loaded processors: 
2023-06-28T14:44:46Z I! Loaded secretstores: 
2023-06-28T14:44:46Z I! Loaded outputs: file
2023-06-28T14:44:46Z I! Tags enabled: host=26f9b9292e62
2023-06-28T14:44:46Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"26f9b9292e62", Flush Interval:10s
2023-06-28T14:44:46Z D! [agent] Initializing plugins
2023-06-28T14:44:46Z D! [agent] Connecting outputs
2023-06-28T14:44:46Z D! [agent] Attempting connection to [outputs.file]
2023-06-28T14:44:46Z D! [agent] Successfully connected to outputs.file
2023-06-28T14:44:46Z D! [agent] Starting service inputs
2023-06-28T14:44:56Z D! [outputs.file] Buffer fullness: 0 / 10000 metrics
2023-06-28T14:45:00Z D! [inputs.internet_speed] using server 58015 in Hamilton, MT (speedtest3.grizzlybb.net.prod.hosts.ooklaserver.net:8080)
2023-06-28T14:45:06Z D! [outputs.file] Buffer fullness: 0 / 10000 metrics

When I added the line to install ca-certificates I get:

ca-certificates is already the newest version (20210119).

Do you have a locally tagged docker image called “telegraf” that is getting used, instead of the upstream image?

Hi,

No, I don’t have a locally tagged image named telegraf. I use local-telegraf as an image tag, it’s the one I build with Dockerfile, so I don’t have issues with the upstream image.

I also tried your telegraf.conf and Dockerfile with the same issue. I guess this is something out of Telegraf or its container. This is out of context, but could it be something related to Docker CE or Windows?

Thanks,
Calin

If the same behavior exists using wget while inside the container, then this is not Telegraf-specific, but points to the way the container is set up.

  • When you install ca-certificates does it actually update to a newer version?
  • Can you run apt-cache policy ca-certificates in the container and share the output?

> but could it be something related to Docker CE or Windows?

If the above looks good, then what could be happening is that you have a strange networking configuration that is routing the network traffic, or you are using a corp. network that is possibly replacing the cert.

edit: expanded paragraph above

Sorry about the late response. I’ve finally figured out that my work laptop is at fault, as it has its own certificates and such. Thank you so much for the help anyways.

Kind Regards,
Calin

Thanks for following up!
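
The failure mode this thread ended on (a network that re-signs TLS traffic with its own CA) can be reproduced offline with Go's crypto/x509, the library that produced the Telegraf error above. This is an added example, not code from the thread or from Telegraf: the CA name proxy-ca.corp.example and the helpers issue, Diagnose and Scenario are constructed for illustration, and the empty pool stands in for the image's ca-certificates bundle.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed certificate; a nil parent yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root: signs itself and is allowed to sign others
		parent, parentKey, tpl.KeyUsage = tpl, key, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Diagnose verifies leaf for host against roots and, when the chain has no
// trusted anchor, names the issuer so it can be matched to a known proxy CA.
func Diagnose(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "unknown authority, issuer: " + leaf.Issuer.CommonName
	} else if err != nil {
		return "other failure: " + err.Error()
	}
	return "trusted"
}

// Scenario replays the thread: a proxy CA re-signs the site's certificate.
func Scenario() (string, string) {
	ca, caKey := issue("proxy-ca.corp.example", nil, nil) // constructed corporate CA
	leaf, _ := issue("www.speedtest.net", ca, caKey)      // what the container is served
	roots := x509.NewCertPool()                           // trust store without the corporate root
	before := Diagnose(leaf, "www.speedtest.net", roots)
	roots.AddCert(ca) // effect of installing the corporate root in the image
	return before, Diagnose(leaf, "www.speedtest.net", roots)
}
func main() { fmt.Println(Scenario()) }
```

The issuer named in the failing case is the thing to check: when it is the organization's own CA rather than a public one, adding that root to the image's trust store restores verification without turning it off.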