Telegraf TLS Client Authentication in Influxdb output

influxdb
telegraf
#1

What are the ssl_cert and ssl_key used for in Telegraf’s InfluxDB Output Plugin? Is this for Client TLS Authentication by InfluxDB? (similar to Kafka: https://github.com/influxdata/telegraf/pull/541 )

https://github.com/influxdata/telegraf/tree/master/plugins/outputs/influxdb :`

## Optional SSL Config
# ssl_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification
# insecure_skip_verify = false

There isn’t any reference to Client TLS Authentication in the influx documentation (https://docs.influxdata.com/influxdb/v1.3/administration/https_setup/ ) - but I can’t think of any reason, besides Client auth, to have a key on the client (telegraf) side of the communication.

#2

Most of these options are useful only when you are using nginx or another reverse proxy between Telegraf and InfluxDB, in which case you can client certificate authentication.

1 Like
#3

Already using nginx, and my security team wants something more than plain text passwords (I know; please don’t ask) - this may fit their requirements. Thanks for the clarification!

Telegraf getting 400 errors
#4

Hey @daniel, is there a way to use a certificate with a passphrase or does the agent only support a blank passphrase?

#5

We only have support for unencrypted keyfiles.

1 Like