SSL connection fails - unknown certificate authority

Hi all,

we have installed Influxdb and can establish a connection via unsafeSSL. We then followed the instructions in this link to enable https:

Unfortunately, SSL connection fails:

Failed to connect to …domain-name:8086: Get …domain-name:8086/ping: x509: certificate signed by unknown authority
Please check your connection settings and ensure ‘influxd’ is running.

We have a certificate signed by an offical certificate authority. The system is Ubuntu 16.04.6 LTS and we use InfluxDB shell version 1.7.6

Our configuration file looks as follows:

dir = “/var/lib/influxdb/meta”
dir = “/var/lib/influxdb/data”
wal-dir = “/var/lib/influxdb/wal”
series-id-set-cache-size = 100
https-enabled = true
https-certificate = “/etc/ssl/chainedSSLCert.pem”
https-private-key = “/etc/ssl/chainedSSLCert.pem”

In order to create the chainedSSLCert.pem, we combined our three pem-files (private key, host certificate, intermediate + root certificates) into one, so that the final file has the following structure:

HOST Certificate
INTERMEDIATE Certificate 2
INTERMEDIATE Certificate 1
ROOT Certificate

Access from the host to itself works with SSL, but not from any other. We tried a lot, but can’t get it work, because we always get messages like “certificate signed by unknown authority”, “unable to verify the first certificate”, “SSLHandshakeException” (which can mean “The server configuration is missing an intermediate CA”), etc.

Any help would greatly be appreciated.

To clarify: is that the error message you receive when you run influx -ssl -host <domain_name>.com?

Exactely. We get the error message when using influx -ssl -host <domain_name>.com, but can connect when using influx -ssl --unsafeSsl -host <domain_name>.com

One thing I would check is the location of the certificates. I’m looking at the documentation for Ubuntu, and it seems like you might need an additional directory:

Thank you for this hint.
We found now what was missing: we have a proxy on another host and had to add the certificate chain on that proxy. That solved the problem.