Influxdb Output - Support SSL

[dblooman]

Would like to use self signed certs with telegraf, seems to be missing from the output options and config.

[sparrc]

thanks for bringing it to my attention :-)

[dblooman]

I was going to submit a PR, but it doesn't seem like certificates are actually supported in the Go Influx client, so perhaps one for that project too. Ideal situation is a similar setup to the Ruby SDK for influx

[sparrc]

I'm not very familiar with the Ruby Influx SDK, could you include a link to the relevant code?

[dblooman]

SSL verify, SSL enabled and cert path are what we should add. https://github.com/influxdb/influxdb-ruby/blob/master/lib/influxdb/client/http.rb

If the cert store can't be used as in ruby, a ca.pem, cert and key setup would work too.

    cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
    if err != nil {
        log.Fatal(err)
    }

    // Load CA cert
    caCert, err := ioutil.ReadFile(*caFile)
    if err != nil {
        log.Fatal(err)
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    // Setup HTTPS client
    tlsConfig := &tls.Config{
        Certificates:       []tls.Certificate{cert},
        RootCAs:            caCertPool,
        InsecureSkipVerify: true,
    }
    tlsConfig.BuildNameToCertificate()
    transport := &http.Transport{TLSClientConfig: tlsConfig}
    client := &http.Client{Transport: transport}

[Millnert]

Missing this. Don't know Ruby. How can we get it in?

[smebberson]

Yeah, it would be great to get some SSL support here. Can't really configure InfluxDB over HTTPS without Telegraf supporting https connections too.

[deanefrati]

+1

[deanefrati]

@sparrc any update on this? We would really like to use telegraf but our use case requires data transfer over public wire which requires authenticating with influx and TLS.

[sparrc]

I'll try to get to this next week. It will require a change to the influxdb client as well

[deanefrati]

thanks @sparrc please let me know if there is anything i can do to help

[Ormod]

Any progress on this one?

[sparrc]

InfluxDB client has tls support now as of Wednesday, I should be able to add this into master today for testing

[sparrc]

this is now in master, if anyone has cycles to test it out on a working influxdb with ssl setup I'd be much obliged!

[cherwin]

Anyone has tested this out yet with any success? I'm getting x509: certificate signed by unknown authority. Relevant piece of configuration file looks like this;

ssl_ca = "/etc/ssl/influxca.pem"
urls = ["https://<redacted>:8086"]

[yankcrime]

I've just switched about 20 or so nodes in our estate to using the native SSL support (away from a whacky stunnel4 setup) and it's working fine. We make use of Puppet's SSL configuration for our PKI, so this ends up looking like:

[[outputs.influxdb]]
  urls = ["https://influxdb.some.where:8086"]
  ssl_ca = "/var/lib/puppet/ssl/certs/ca.pem"
  ssl_cert = "/var/lib/puppet/ssl/certs/some.server.co.uk.pem"
  ssl_key = "/var/lib/puppet/ssl/private_keys/some.server.co.uk.pem"

[sparrc]

@cherwin you need ssl_cert and ssl_key as well for a valid self-signed setup

[cherwin]

@yankcrime @sparrc awesome, exactly what I needed. Why isn't it enough to only trust the CA on telegraf's side?

[sparrc]

@cherwin that might be a bug here: https://github.com/influxdata/telegraf/blob/master/internal/internal.go#L90, we don't create a certificate at all unless all three are defined

[sparrc]

@cherwin could you open an issue?

[cherwin]

@sparrc will do