If you want to use letsencrypt certificates with influxdb you may experience problems. At least I did. To save time for others I share below a solution that makes things work.
The official docs on this are [here](https://docs.influxdata.com/influxdb/v2.0/security/enable-tls/).
letsencrypt stores certificates in `/etc/letsencrypt/archive/__domain__`, where `__domain__` is the name (something like www.vscp.org) for which you installed a certificate. The default folder content looks like this:
```
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwx------ 3 root root 4096 Aug 26 13:09 ..
-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem
-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem
-rw------- 1 root root 1704 Aug 26 13:09 privkey1.pem
```
There is also another folder, `/etc/letsencrypt/live/__domain__`, which holds symbolic links to the files in the archive folder. There are four links in the live folder, normally looking like this:

```
lrwxrwxrwx 1 root root 38 Aug 26 13:56 cert.pem -> ../../archive/__domain__/cert1.pem
lrwxrwxrwx 1 root root 39 Aug 26 13:56 chain.pem -> ../../archive/__domain__/chain1.pem
lrwxrwxrwx 1 root root 43 Aug 26 13:56 fullchain.pem -> ../../archive/__domain__/fullchain1.pem
lrwxrwxrwx 1 root root 41 Aug 26 13:56 privkey.pem -> ../../archive/__domain__/privkey1.pem
```
The influxdb server reads the certificate files after it has switched to the influxdb user. Looking at the listings above it is clear that this user can neither enter the root-only archive and live folders nor read the private key, so pointing influxdb at the default folder as it is will fail.

Luckily we can relax the security selectively. Certbot preserves changes to the group owner and group mode bits of these files and folders (Info here), so the adjustments below survive renewals.

So we create a group for this purpose. A group is used, rather than changing the owner, because servers other than influxdb may also need access to the certificate files. In my case I add the following line to `/etc/group`:
```
newgrp:x:113:root,influxdb
```
By default the /etc/letsencrypt folder looks like this
```
drwxr-xr-x 9 root root 4096 Sep 15 14:58 .
drwxr-xr-x 81 root root 4096 Sep 16 11:53 ..
drwx------ 3 root root 4096 Aug 26 13:04 accounts
drwx------ 3 root root 4096 Aug 26 13:09 archive
drwxr-xr-x 2 root root 4096 Aug 26 13:09 csr
drwx------ 2 root root 4096 Aug 26 13:09 keys
drwx------ 3 root root 4096 Aug 26 13:09 live
-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal
drwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks
-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt
```
We need to change the group of two of the folders:

```sh
chgrp newgrp /etc/letsencrypt/archive
chgrp newgrp /etc/letsencrypt/live
```

We also need to give the group newgrp read and search access to these folders. This we do with:

```sh
chmod g+rx /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live
```
The folder /etc/letsencrypt should now look like this
```
drwxr-xr-x 9 root root 4096 Sep 15 14:58 .
drwxr-xr-x 81 root root 4096 Sep 16 18:17 ..
drwx------ 3 root root 4096 Aug 26 13:04 accounts
drwxr-x--- 3 root newgrp 4096 Aug 26 13:09 archive
drwxr-xr-x 2 root root 4096 Aug 26 13:09 csr
drwx------ 2 root root 4096 Aug 26 13:09 keys
drwxr-x--- 3 root newgrp 4096 Aug 26 13:09 live
-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal
drwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks
-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt
```
The private key (privkey1.pem) is still not readable by the influxdb user, so we change its group to our newly created newgrp and give that group read access:

```sh
chgrp newgrp /etc/letsencrypt/archive/__domain__/privkey1.pem
chmod g+r /etc/letsencrypt/archive/__domain__/privkey1.pem
```
The content of the archive folder should now look something like this:

```
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwx------ 3 root root 4096 Aug 26 13:09 ..
-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem
-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem
-rw-r----- 1 root newgrp 1704 Aug 26 13:09 privkey1.pem
```
The live folder also needs a change. Issue

```sh
chgrp -h newgrp /etc/letsencrypt/live/__domain__/privkey.pem
```

to change the group of the symbolic link itself (`-h` acts on the link rather than on the file it points to). The live folder then looks like this:

```
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwxr-x--- 3 root newgrp 4096 Aug 26 13:09 ..
lrwxrwxrwx 1 root root 38 Aug 26 13:09 cert.pem -> ../../archive/__domain__/cert1.pem
lrwxrwxrwx 1 root root 39 Aug 26 13:09 chain.pem -> ../../archive/__domain__/chain1.pem
lrwxrwxrwx 1 root root 43 Aug 26 13:09 fullchain.pem -> ../../archive/__domain__/fullchain1.pem
lrwxrwxrwx 1 root newgrp 41 Aug 26 13:09 privkey.pem -> ../../archive/__domain__/privkey1.pem
-rw-r--r-- 1 root root 692 Aug 26 13:09 README
```
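The listings above let you work out by eye which permission bit stops the influxdb user; the script below, an added example that is not code from this post, from Certbot or from InfluxDB, does the same check programmatically. It walks every directory component on the way to the key, follows the live/ to archive/ symlinks the way the kernel does, and reports each component a given uid/gid combination cannot pass, then applies the chgrp/chmod steps from the post to a constructed copy of the tree so the before/after difference is visible without touching `/etc/letsencrypt`. The directory layout, the uid standing in for influxdb and the gid standing in for newgrp are all constructed here; only the standard library is used.

```python
"""Simulate what a service user can read through Certbot's live/ -> archive/
symlinks and apply the group-based fix from the post to a constructed tree.
Added example, not code from the post, Certbot or InfluxDB."""
import os
import stat
import tempfile
from pathlib import Path

MAX_SYMLINKS = 40  # Linux returns ELOOP after this many link hops in one lookup


def _has_perm(st, uid, gids, need):
    """Pick owner, group or other bits the way the kernel does for a non-root
    identity, then test the requested bits (4 = read, 1 = search/execute)."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & need == need


def _under(path, base):
    return path == base or base in path.parents


def check_key_access(path, uid, gids, start=Path("/")):
    """Return the reasons uid (member of gids) cannot read the private key at
    path; an empty list means access works. Directories at or below start must
    be searchable, symlinks are followed with their own mode bits ignored (as
    Linux does), and the key itself must not be world-readable."""
    gids, problems, hops = set(gids), [], 0

    def walk(target):
        nonlocal hops
        cur = Path(target.anchor)
        for part in target.parts[1:]:
            if _under(cur, start):
                st = os.stat(cur)
                if not _has_perm(st, uid, gids, 1):
                    problems.append(f"{cur}: not searchable by uid {uid} "
                                    f"({stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid})")
            cur = cur / part
            try:
                st = os.lstat(cur)
            except FileNotFoundError:
                problems.append(f"{cur}: does not exist (dangling link or typo)")
                return None
            if stat.S_ISLNK(st.st_mode):
                hops += 1
                if hops > MAX_SYMLINKS:
                    problems.append(f"{cur}: too many levels of symbolic links")
                    return None
                link = Path(os.readlink(cur))
                dest = link if link.is_absolute() else cur.parent / link
                cur = walk(Path(os.path.normpath(dest)))  # re-walk the resolved target
                if cur is None:
                    return None
        return cur

    final = walk(Path(os.path.abspath(path)))
    if final is not None:
        st = os.stat(final)
        if not _has_perm(st, uid, gids, 4):
            problems.append(f"{final}: not readable by uid {uid} "
                            f"({stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid})")
        if st.st_mode & stat.S_IROTH:
            problems.append(f"{final}: private key is world-readable")
    return list(dict.fromkeys(problems))  # drop duplicates from re-walked prefixes


def build_certbot_layout(base, domain):
    """Constructed stand-in for the default tree: archive/ and live/ are 0700,
    the key is 0600, live/<domain>/ holds relative symlinks into archive/."""
    archive, live = base / "archive" / domain, base / "live" / domain
    for d in (archive, live):
        d.mkdir(parents=True)
    for name in ("cert1.pem", "chain1.pem", "fullchain1.pem"):
        (archive / name).write_text(f"# constructed placeholder for {name}\n")
        (archive / name).chmod(0o644)
    (archive / "privkey1.pem").write_text("# constructed placeholder, not a real key\n")
    (archive / "privkey1.pem").chmod(0o600)
    for name in ("cert", "chain", "fullchain", "privkey"):
        os.symlink(f"../../archive/{domain}/{name}1.pem", live / f"{name}.pem")
    for d, mode in ((base, 0o755), (base / "archive", 0o700), (base / "live", 0o700)):
        d.chmod(mode)


def share_with_group(base, domain, gid):
    """The post's fix: chgrp archive/, live/ and the key to the shared group,
    then chmod g+rx on the two directories and g+r on the key."""
    for d in (base / "archive", base / "live"):
        os.chown(d, -1, gid)
        d.chmod(stat.S_IMODE(d.stat().st_mode) | stat.S_IRGRP | stat.S_IXGRP)
    key = base / "archive" / domain / "privkey1.pem"
    os.chown(key, -1, gid)
    key.chmod(stat.S_IMODE(key.stat().st_mode) | stat.S_IRGRP)


def demo():
    """Check a constructed influxdb identity (a uid that is not ours) against
    the default tree and again after the fix; returns both problem lists."""
    base = Path(tempfile.mkdtemp(prefix="le-demo-")).resolve()
    domain, fake_uid, shared_gid = "__domain__", os.getuid() + 1000, os.getgid()
    key_link = base / "live" / domain / "privkey.pem"
    build_certbot_layout(base, domain)
    before = check_key_access(key_link, fake_uid, {shared_gid}, start=base)
    share_with_group(base, domain, shared_gid)
    after = check_key_access(key_link, fake_uid, {shared_gid}, start=base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("default layout:", *before, sep="\n  ")
    print("after chgrp/chmod:", after or ["influxdb can read the key"])
```

Run against a real system, `check_key_access(Path("/etc/letsencrypt/live/__domain__/privkey.pem"), uid, gids)` with the uid and group ids of the influxdb account gives the same component-by-component view that `namei -l` prints; note that the symlink's own `lrwxrwxrwx` bits are never consulted on Linux, so what decides access is the search bit on every directory and the read bit on the target file in archive/, exactly the bits the chgrp/chmod steps above change.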
The configuration file for influxdb is located at `/etc/influxdb/config.toml` by default. We edit this file to look like this:

```toml
bolt-path = "/var/lib/influxdb/influxd.bolt"
engine-path = "/var/lib/influxdb/engine"
query-concurrency = 20
query-queue-size = 15
secret-store = "vault"
session-length = 120
tls-cert = "/etc/letsencrypt/live/__domain__/fullchain.pem"
tls-key = "/etc/letsencrypt/live/__domain__/privkey.pem"
```

Only the last two lines, `tls-cert` and `tls-key`, matter here. Read the influxdb configuration documentation for a description of the other options.
Now restart the influxdb server:

```sh
systemctl restart influxdb
```

You can check that the certificate is working with:

```sh
curl -v https://__domain__:8086/api/v2/ping
```
Hope you have a secure influxdb running now.