TLS client authentication

I am using telegraf for telemetry collection from devices over a network.

I want to configure it for TLS client device authentication/authorization.
Is there any documentation available for same?

Depends on what plugins you are using. Please check out the readmes for each plugin or the sample config to see what options are available.

I have a similar question.
I use the http plugin (output_http) to send my data from a telegraf agent to another telegraf agent (network problems force me to do this), which I call a proxy. This agent then listens with http_listener and exposes the metrics it has collected in prometheus format, so that prometheus can retrieve the information.
However, my security department requires TLS to be configured between these different exchanges, even though the proxy and the prometheus server are installed on the same machine:
1. telegraf to telegraf proxy
2. telegraf proxy to prometheus

In the doc there is a TLS config part in output_http

  ## Optional TLS Config
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  ## Use TLS but skip chain & host verification
  # insecure_skip_verify = false

and this section in outputs.prometheus_client

  ## If set, enable TLS with the given certificate.
  # tls_cert = "/etc/ssl/telegraf.crt"
  # tls_key = "/etc/ssl/telegraf.key"

  ## Set one or more allowed client CA certificate file names to
  ## enable mutually authenticated TLS connections
  # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]

except that I don't know if tls_ca and tls_cert are the machine certificate that I should use or that of the telegraf proxy, or vice versa; I can't get a clear explanation.

On my two telegraf agents I just want mutual authentication.

You have the following flow:

telegraf <--> telegraf "proxy" <---> prometheus

What outputs and inputs are you using on each?

edit: I’ve removed my answer as I do need more clarification first.

On telegraf I only use the http output and other inputs to collect data.

On the telegraf proxy I have the input_http_listener and output_prometheus_client plugins.

On telegraf I only use the http output and other inputs to collect data.

Telegraf needs the certificates of the telegraf “proxy” since it is reaching out to it to connect and send data.

On the telegraf proxy I have the input_http_listener and output_prometheus_client plugins.

The telegraf “proxy” needs to 1) host certificates in the http_listener plugin that the first telegraf will also validate and 2) needs the TLS certs of the prometheus server.
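To make the certificate roles concrete, here is an added example of the two agent configurations for the flow above; it is not from this thread or from the Telegraf project, and it assumes the proxy listens with inputs.http_listener_v2, that a single private CA (placeholder path /etc/telegraf/ca.pem) issued every certificate, and that all file names and ports are placeholders.

```toml
# Added example (not from the thread): which certificate goes where for
# telegraf -> telegraf "proxy" -> prometheus with mutual TLS on both hops.
# Assumptions: one private CA signed all certs; paths and ports are placeholders.

# ---- first telegraf (the sender) ----
[[outputs.http]]
  url = "https://telegraf-proxy.example.internal:8080/telegraf"  # placeholder host
  method = "POST"
  data_format = "influx"
  ## CA that signed the proxy's http_listener_v2 SERVER certificate:
  ## this is what lets the sender verify it is talking to the real proxy.
  tls_ca = "/etc/telegraf/ca.pem"
  ## The sender's OWN client certificate and key, presented to the proxy
  ## so the proxy can authenticate the sender (mutual TLS).
  tls_cert = "/etc/telegraf/sender-client.pem"
  tls_key = "/etc/telegraf/sender-client-key.pem"
  ## Keep verification on; "true" would accept any server certificate.
  insecure_skip_verify = false

# ---- telegraf "proxy" (receives from the sender, exposes metrics to prometheus) ----
[[inputs.http_listener_v2]]
  service_address = ":8080"
  paths = ["/telegraf"]
  data_format = "influx"
  ## The proxy's server certificate and key, validated by the sender above.
  tls_cert = "/etc/telegraf/proxy-server.pem"
  tls_key = "/etc/telegraf/proxy-server-key.pem"
  ## CA(s) whose client certificates are accepted; setting this enables
  ## client-certificate verification, so the sender must present one.
  tls_allowed_cacerts = ["/etc/telegraf/ca.pem"]

[[outputs.prometheus_client]]
  listen = ":9273"
  ## A server certificate for the scrape endpoint, validated by prometheus.
  ## Same machine as prometheus, different port, as described in the thread.
  tls_cert = "/etc/telegraf/proxy-prom-server.pem"
  tls_key = "/etc/telegraf/proxy-prom-server-key.pem"
  ## CA that issued prometheus's client certificate; prometheus must present it.
  tls_allowed_cacerts = ["/etc/telegraf/ca.pem"]
```

On the prometheus side, the matching scrape job needs a tls_config whose ca_file is the CA that signed the proxy's prometheus_client certificate and whose cert_file/key_file is a client certificate issued by a CA listed in tls_allowed_cacerts.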

Thank you very much for your responsiveness.
If I understand correctly, in the telegraf TLS options configuration, I specify the telegraf proxy key and certificate.

In the case of the telegraf proxy, it will be installed on the same virtual machine as the prometheus server with the same IP address, just with a difference in the ports used. So I need to configure both the server certificate for the input_http_listener and also specify the certificate for the client output_prometheus.

Thanks in advance

That sounds right 🙂 Obviously your situation may require some additional settings or changes, but I think that is the gist of it.
