This isn't really a satisfactory solution. This thread may be about self-signed certs, but in your default letsencrypt cert environment concatting fullchain.pem and privatekey.pem isn't an option. You'd have to write a monitoring program that watches for changes and creates a new concatenation every time a new cert is issued. Adding a private key config option is more like it. And there's an issue open for longer than 1 year with a PR that failed 2 checks.

On Friday, November 11, 2016 at 5:20:04 PM UTC+1, [email protected] wrote:
> This is possible but it looks like the Kapacitor config has drifted a bit
> from the InfluxDB config. To specify the server private key for Kapacitor
> simply append the key to the end of the cert file. This way the cert file has
> both the ca cert and the server key. This is the way InfluxDB used to work,
> I'll create an issue to update Kapacitor to have the same config, but for now
> the concatenation workaround should get you going.
>
> Also note that since the cert is self signed you will need to configure
> Kapacitor's InfluxDB client with the same cert. That config looks something
> like this, in the kapacitor.conf file:
>
> [[influxdb]]
> ...
> ssl-cert = "/etc/influxdb/internal.cert"
> ssl-ca = "/etc/influxdb/internal.ca"
> ...
>
> On Thursday, November 10, 2016 at 3:16:21 PM UTC-7, [email protected] wrote:
> > Hi, I'm thinking about adding an SSL layer to InfluxDB, Telegraf and
> > Kapacitor.
> > Between InfluxDB and Telegraf, I don't have any issue but between InfluxDB
> > and Kapacitor I have.
> > These are the logs of both apps.
> > kapacitor:
> > log messages must have 'L!' prefix where L is one of 'D', 'I', 'W', 'E'[log] 2016/11/10 21:21:20 http: TLS handshake error from 127.0.0.1:22865: remote error: bad certificate
> > influxdb:
> > Post https://localhost:9092/write?consistency=&db=telegraf&precision=ns&rp=default: x509: certificate signed by unknown authority
> > But if I run "kapacitor -skipVerify -url https://localhost:9092 list tasks",
> > it will return what I expect, a list of my tasks.
> > The configuration of influxdb is:
> > [http]
> > enabled = true
> > bind-address = ":8086"
> > auth-enabled = false
> > log-enabled = true
> > write-tracing = false
> > pprof-enabled = false
> > https-enabled = true
> > https-certificate = "/etc/influxdb/internal.cert"
> > ### Use a separate private key location.
> > https-private-key = "/etc/influxdb/internal.key"
> > max-row-limit = 10000
> > realm = "InfluxDB"
> > And Kapacitor:
> > [http]
> > # HTTP API Server for Kapacitor
> > # This server is always on,
> > # it servers both as a write endpoint
> > # and as the API endpoint for all other
> > # Kapacitor calls.
> > bind-address = ":9092"
> > auth-enabled = false
> > log-enabled = true
> > write-tracing = false
> > pprof-enabled = false
> > https-enabled = true
> > https-certificate = "/etc/influxdb/internal.kapacitor.pem"
> > Kapacitor uses the same certificate which is used by influxdb, but this file
> > is a concatenation of the private key and the certificate.
> > In the Telegraf's configuration, I'm using the ssl_ca =
> > "/etc/telegraf/cacert.pem" option. As you can see, telegraf only needs the CA
> > certificate to work correctly, but Kapacitor doesn't have this option.
> > And Influxdb doesn't have the "insecure_skip_verify" option like telegraf
> > does.
> > So how can you use your own certificates with Kapacitor and Influxdb?
> > I'm using Debian 8.6 kapacitor 1.0.2-1, influxdb 1.0.2-1 and telegraf
> > 1.0.1-1.
> > Thanks.
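
The regeneration step the top reply describes, as an added example that is not part of the thread or of Kapacitor: a shell function that rebuilds the combined file (certificate first, key appended, as in the quoted workaround) only when the inputs have changed. The function name and its three path arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: rebuild the combined cert+key PEM that the
# https-certificate option points at, only when the inputs changed.

# build_combined_pem CERT KEY OUT
# returns 0 = OUT rewritten, 1 = OUT already current, 2 = bad input
build_combined_pem() {
    cert=$1 key=$2 out=$3

    # Refuse inputs that are missing or are not the expected PEM types,
    # so a half-written renewal never replaces a working file.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 2
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || return 2

    # Temp file in the destination directory, so the final mv is an
    # atomic rename and readers never see a partial file.
    tmp=$(mktemp "$(dirname "$out")/.combined.XXXXXX") || return 2
    chmod 600 "$tmp"        # key material: owner read/write only

    # Certificate (chain) first, private key appended at the end.
    cat "$cert" "$key" > "$tmp"

    # Nothing new was issued: leave the existing file untouched.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$out"
    return 0
}

# Run as a script: sh build_combined_pem.sh CERT KEY OUT
if [ "$#" -eq 3 ]; then
    build_combined_pem "$@"
fi
```

A return status of 0 is the point at which a wrapper (cron job or renewal hook) would restart the service that reads the combined file; status 1 means no restart is needed.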
