Why doesn't InfluxDB work with links to certificates?

Hi, I have an influxdb instance and a Let's Encrypt certificate.
I am able to make influxdb work with TLS encryption only if I put a copy of the certificates inside the directory /etc/ssl and set the permissions to 644 for both files, fullchain.pem and privkey.pem. If I set chmod 600 for privkey as the documentation says, influxdb does not work. Moreover, since letsencrypt renews the certs automatically, it would be a good idea to put a link to the letsencrypt “live” directory, which is always kept updated. But, as just said, it does not work with links, even though I set the permissions to 644 for both files.

Sounds very odd. Is the owner of the certificate files the same user as the user running the influxd process?

Hi FixTestRepeat,
the database works fine if I put the cert files (not links) inside /etc/ssl with these permissions:

-rw-r--r-- 1 influxdb influxdb 3562 Aug 4 14:13 fullchain1.pem
-rw-r--r-- 1 root root 1704 Aug 4 14:13 privkey1.pem

On the contrary, if I put inside /etc/ssl the soft or hard links to /etc/letsencrypt/live/domain-name/certs.pem, it does not connect. Inside this folder there are links to the /etc/letsencrypt/archive/domain-name/certs.pem, and the permissions for the files inside this folder are:

-rw-r--r-- 1 influxdb influxdb 3562 Jun 29 09:28 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jun 29 09:28 privkey1.pem

while the permissions to access the folder itself are:

drwxr-xr-x 2 root root 4096 Jun 29 09:28 domain-name

The live subfolder under /etc/letsencrypt/, which contains the links provided by the letsencrypt automatic renewal system, is set with the same permissions.

I added influxdb to the root group to ensure proper access to the files, since the folder permissions would inhibit access for non-root users, but no way!

Is the private key definitely embedded in your pem file? Looks like in both your examples, root is the owner of the private key, instead of influxdb. That might explain why permissions 600 won’t work.

The docs imply that you might be able to set the paths to each file, maybe give that a shot if symlinks aren’t working (https-certificate to /etc/ssl/<signed-certificate-file>.crt, or to /etc/ssl/<bundled-certificate-file>.pem).
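
An added example, not part of the thread or of InfluxDB: a Python check that follows a certificate path through its symlinks, as with live/ pointing into archive/, and reports the first directory or file whose mode bits deny a given account. The function names and the command-line form are assumptions made for illustration, and the check looks at owner/group/other bits only.

```python
import os
import sys

def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check; ignores ACLs, capabilities and root override."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def first_denial(path, uid, gids):
    """Resolve path one component at a time, following symlinks as the kernel
    does. Return (component, reason) for the first denial, or None if readable."""
    todo = [p for p in os.path.abspath(path).split(os.sep) if p][::-1]
    cur, hops = os.sep, 0
    while todo:
        name = todo.pop()
        # Every directory on the way needs search (x) permission.
        if not allowed(os.stat(cur), uid, gids, 1):
            return cur, "no search (x) permission on directory"
        nxt = os.path.join(cur, name)
        if os.path.islink(nxt):
            hops += 1
            if hops > 40:
                return nxt, "too many levels of symlinks"
            target = os.readlink(nxt)
            if os.path.isabs(target):
                cur = os.sep
            # Push the link target's components; relative targets (such as
            # ../../archive/...) continue from the link's own directory.
            todo.extend(p for p in reversed(target.split(os.sep)) if p)
            continue
        cur = os.path.normpath(nxt)
    if not allowed(os.stat(cur), uid, gids, 4):
        return cur, "no read (r) permission on file"
    return None

if __name__ == "__main__":
    import pwd  # Unix only
    user, target = sys.argv[1], sys.argv[2]  # e.g. influxdb /etc/ssl/privkey.pem
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(first_denial(target, pw.pw_uid, gids) or "readable by mode bits")
```

Run it as root so that every component can be inspected with stat, passing the service account name and the path configured for the certificate or key.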