
#Influxdb and #letsencrypt

If you want to use letsencrypt certificates with influxdb you may experience problems. At least I did. To save time for others I share a solution below that makes things work.

The official docs on this are [here](https://docs.influxdata.com/influxdb/v2.0/security/enable-tls/).

letsencrypt stores certificates in

/etc/letsencrypt/archive/__domain__

where __domain__ is something like www.vscp.org or similar, the domain for which you installed a certificate. The default content of the folder looks like this

drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwx------ 3 root root 4096 Aug 26 13:09 ..
-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem
-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem
-rw------- 1 root root 1704 Aug 26 13:09 privkey1.pem

There is also another folder

/etc/letsencrypt/live/__domain__

which holds symbolic links to the files in the archive folder.

There are four links in the live folder, normally looking like this

lrwxrwxrwx 1 root root 38 Aug 26 13:56 cert.pem -> ../../archive/__domain__/cert1.pem
lrwxrwxrwx 1 root root 39 Aug 26 13:56 chain.pem -> ../../archive/__domain__/chain1.pem
lrwxrwxrwx 1 root root 43 Aug 26 13:56 fullchain.pem -> ../../archive/__domain__/fullchain1.pem
lrwxrwxrwx 1 root root 41 Aug 26 13:56 privkey.pem -> ../../archive/__domain__/privkey1.pem

The influxdb server reads the certificates after it has switched to the influxdb user. Looking at the listing above it is clear that this user cannot read the files, so influxdb will fail to load them if we just point it at the folder with the default permissions.

Luckily we can relax the security a little. Certbot preserves changes to the group owner and group mode of these files and folders across renewals, so the changes below survive the next certificate renewal.

So we create a group that we will use for this. A dedicated group is needed because there may be servers other than influxdb that need access to the certificate files. So in my case I add a line to /etc/group

newgrp:x:113:root,influxdb

By default the /etc/letsencrypt folder looks like this

drwxr-xr-x 9 root root 4096 Sep 15 14:58 .
drwxr-xr-x 81 root root 4096 Sep 16 11:53 ..
drwx------ 3 root root 4096 Aug 26 13:04 accounts
drwx------ 3 root root 4096 Aug 26 13:09 archive
drwxr-xr-x 2 root root 4096 Aug 26 13:09 csr
drwx------ 2 root root 4096 Aug 26 13:09 keys
drwx------ 3 root root 4096 Aug 26 13:09 live
-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal
drwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks
-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt

We need to change the group for two of the folders

chgrp newgrp /etc/letsencrypt/archive
chgrp newgrp /etc/letsencrypt/live

We also need to give the group newgrp access to the folders. This we do with

chmod g+rx /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live

The folder /etc/letsencrypt should now look like this

drwxr-xr-x 9 root root 4096 Sep 15 14:58 .
drwxr-xr-x 81 root root 4096 Sep 16 18:17 ..
drwx------ 3 root root 4096 Aug 26 13:04 accounts
drwxr-x--- 3 root newgrp 4096 Aug 26 13:09 archive
drwxr-xr-x 2 root root 4096 Aug 26 13:09 csr
drwx------ 2 root root 4096 Aug 26 13:09 keys
drwxr-x--- 3 root newgrp 4096 Aug 26 13:09 live
-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal
drwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks
-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt

The private key (privkey1.pem) is still not readable by influxdb, so we need to change its group to our newly created newgrp and give the group read access

chgrp newgrp /etc/letsencrypt/archive/__domain__/privkey1.pem
chmod g+r /etc/letsencrypt/archive/__domain__/privkey1.pem

The content of the folder should now look something like

drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwx------ 3 root root 4096 Aug 26 13:09 ..
-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem
-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem
-rw-r----- 1 root newgrp 1704 Aug 26 13:09 privkey1.pem

The live folder also needs a change. Issue

chgrp -h newgrp /etc/letsencrypt/live/__domain__/privkey.pem

to change the group of the symbolic link itself (-h changes the link rather than the file it points to). The live folder then looks like this

drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwxr-x--- 3 root vscp2 4096 Aug 26 13:09 ..
lrwxrwxrwx 1 root root 38 Aug 26 13:09 cert.pem -> ../../archive/vscp2.vscp.org/cert1.pem
lrwxrwxrwx 1 root root 39 Aug 26 13:09 chain.pem -> ../../archive/vscp2.vscp.org/chain1.pem
lrwxrwxrwx 1 root root 43 Aug 26 13:09 fullchain.pem -> ../../archive/vscp2.vscp.org/fullchain1.pem
lrwxrwxrwx 1 root newgrp 41 Aug 26 13:09 privkey.pem -> ../../archive/vscp2.vscp.org/privkey1.pem
-rw-r--r-- 1 root root 692 Aug 26 13:09 README
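A way to check the result of the chgrp/chmod steps above before touching the influxdb configuration, as an added example that is not from the original post: a POSIX sh function that resolves the key's symlink and walks every directory on the path, applying the same mode-bit and group-ownership rules the kernel uses. It assumes GNU or busybox stat and readlink -f (Linux); the group name newgrp and the __domain__ path are the post's own placeholders.

```shell
#!/bin/sh
# Static check: can members of group $1 read file $2, judging only by the
# mode bits and group ownership that chgrp/chmod change? Mirrors the kernel
# rule: if the file's group matches, the group bits decide and the "other"
# bits are NOT consulted; otherwise the "other" bits decide. The owner case
# is skipped: we assume the influxdb user owns nothing under /etc/letsencrypt.
# Assumes GNU/busybox stat and readlink -f (Linux).

# _bit_ok GROUP PATH r|x -> 0 if GROUP gets that permission on PATH
_bit_ok() {
    _grp=$1; _p=$2; _need=$3
    _info=$(stat -c '%a %G' "$_p") || return 1
    _mode=${_info% *}; _fgrp=${_info#* }
    _other=${_mode#"${_mode%?}"}                 # last octal digit
    _tmp=${_mode%?}; _group=${_tmp#"${_tmp%?}"}  # second-to-last digit
    _group=${_group:-0}
    case $_need in r) _bit=4 ;; x) _bit=1 ;; *) return 1 ;; esac
    if [ "$_fgrp" = "$_grp" ]; then _digit=$_group; else _digit=$_other; fi
    [ $(( _digit & _bit )) -ne 0 ]
}

# le_group_can_read GROUP FILE -> 0 if every directory on the resolved path
# is searchable (x) for GROUP and the final file is readable (r). Prints the
# first component that blocks access, which is the one to chgrp/chmod.
le_group_can_read() {
    _grp=$1
    _real=$(readlink -f "$2") || return 1
    _old_ifs=$IFS; IFS=/; set -- $_real; IFS=$_old_ifs
    _path=/
    _bit_ok "$_grp" / x || { echo "group $_grp lacks 'x' on /" >&2; return 1; }
    for _comp in "$@"; do
        [ -n "$_comp" ] || continue
        _path=${_path%/}/$_comp
        if [ "$_path" = "$_real" ]; then _need=r; else _need=x; fi
        if ! _bit_ok "$_grp" "$_path" "$_need"; then
            echo "group $_grp lacks '$_need' on $_path" >&2
            return 1
        fi
    done
    return 0
}

# Typical use after the steps above (the post's placeholders, not run here):
# le_group_can_read newgrp /etc/letsencrypt/live/__domain__/privkey.pem
```

The function reports the first blocking component on stderr, so a failure after a certbot renewal points straight at the file or folder whose group or mode was not preserved.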

The configuration file for influxdb is located at

/etc/influxdb/config.toml

by default. We edit this file to look like this

bolt-path = "/var/lib/influxdb/influxd.bolt"
engine-path = "/var/lib/influxdb/engine"
query-concurrency = 20
query-queue-size = 15
secret-store = "vault"
session-length = 120
tls-cert = "/etc/letsencrypt/live/__domain__/fullchain.pem"
tls-key = "/etc/letsencrypt/live/__domain__/privkey.pem"

Only the last two lines are important here. Read the influxdb configuration documentation for a description of the other options.

Now restart the influxdb server

systemctl restart influxdb

You can check that the certificate is working with

curl -v https://__domain__:8086/api/v2/ping

Hope you have a secure influxdb running now.
