{"id":5342,"date":"2021-09-16T20:56:45","date_gmt":"2021-09-16T18:56:45","guid":{"rendered":"https:\/\/grodansparadis.com\/wordpress\/?p=5342"},"modified":"2021-09-16T21:43:35","modified_gmt":"2021-09-16T19:43:35","slug":"influxdb-and-letsencrypt","status":"publish","type":"post","link":"https:\/\/grodansparadis.com\/wordpress\/?p=5342","title":{"rendered":"#Influxdb and #letsencrypt"},"content":{"rendered":"\n

If you want to use letsencrypt certificates with influxdb you may experience problems. At least I did. To save time for others I share a solution that make things work below.<\/p>\n\n\n\n

The official docs on this are [here](https:\/\/docs.influxdata.com\/influxdb\/v2.0\/security\/enable-tls\/).<\/p>\n\n\n\n

letsencrypt<\/a> store certificates in <\/p>\n\n\n\n

\/etc\/letsencrypt\/archive\/___domain___<\/pre>\n\n\n\n
where __domain__<\/em> is something like www.vscp.org<\/em> or similar for which you installed a certificate. The default folder content looks like this<\/p>\n\n\n\n
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .
drwx------ 3 root root 4096 Aug 26 13:09 ..
-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem
-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem
-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem
-rw------- 1 root root 1704 Aug 26 13:09 privkey1.pem<\/pre>\n\n\n\n
There is also another folder <\/p>\n\n\n\n
\/etc\/letsencrypt\/live\/___domain___<\/pre>\n\n\n\n
which holds symbolic links to the files in the archive folder. <\/p>\n\n\n\n
There are four links in the live folder normally looking like this<\/p>\n\n\n\n
lrwxrwxrwx 1 root root 38 Aug 26 13:56 cert.pem -> ..\/..\/archive\/___domain___\/cert1.pem\nlrwxrwxrwx 1 root root 39 Aug 26 13:56 chain.pem -> ..\/..\/archive\/___domain___\/chain1.pem\nlrwxrwxrwx 1 root root 43 Aug 26 13:56 fullchain.pem -> ..\/..\/archive\/___domain___\/fullchain1.pem\nlrwxrwxrwx 1 root root 41 Aug 26 13:56 privkey.pem -> ..\/..\/archive\/___domain___\/privkey1.pem<\/pre>\n\n\n\n
The influxdb server read certificates after it has switched user to influxdb user. Looking at the above it is clear that it will be unable to read the certificates and therefore fail to do so if we just link to the folder as it is by default.<\/p>\n\n\n\n
Luckily we can relax the security. Certbot<\/a> will preserve changes to the group mode and group owner for files\/folders (Info here<\/a>) . <\/p>\n\n\n\n
So we create a group that we will use here. This is needed because there may be other servers other than influxdb that need access to the certificate files. So in my case I add a line<\/p>\n\n\n\n
newgrp:x:113:root,influxdb<\/pre>\n\n\n\n
By default the \/etc\/letsencrypt<\/em> folder looks like this<\/p>\n\n\n\n
drwxr-xr-x 9 root root 4096 Sep 15 14:58 .
drwxr-xr-x 81 root root 4096 Sep 16 11:53 ..
drwx------ 3 root root 4096 Aug 26 13:04 accounts
drwx------ 3 root root 4096 Aug 26 13:09 archive
drwxr-xr-x 2 root root 4096 Aug 26 13:09 csr
drwx------ 2 root root 4096 Aug 26 13:09 keys
drwx------ 3 root root 4096 Aug 26 13:09 live
-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal
drwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks
-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt<\/pre>\n\n\n\n
We need to change the group for two of the folders <\/p>\n\n\n\n
chgrp newgrp<\/em> \/etc\/letsencrypt\/archive\nchgrp newgrp<\/em> \/etc\/letsencrypt\/live<\/pre>\n\n\n\n
We also need to give the group newgrp<\/em> access to the folders. This we do with<\/p>\n\n\n\n
chmod g+rx \/etc\/letsencrypt\/archive \nchmod g+rx \/etc\/letsencrypt\/live<\/pre>\n\n\n\n
The folder \/etc\/letsencrypt<\/em> should now look like this<\/p>\n\n\n\n
drwxr-xr-x 9 root root 4096 Sep 15 14:58 .\ndrwxr-xr-x 81 root root 4096 Sep 16 18:17 ..\ndrwx------ 3 root root 4096 Aug 26 13:04 accounts\ndrwxr-x--- 3 root newgrp 4096 Aug 26 13:09 archive\ndrwxr-xr-x 2 root root 4096 Aug 26 13:09 csr\ndrwx------ 2 root root 4096 Aug 26 13:09 keys\ndrwxr-x--- 3 root bewgrp 4096 Aug 26 13:09 live\n-rw-r--r-- 1 root root 721 Aug 26 13:04 options-ssl-nginx.conf\ndrwxr-xr-x 2 root root 4096 Aug 26 13:09 renewal\ndrwxr-xr-x 5 root root 4096 Aug 26 13:04 renewal-hooks\n-rw-r--r-- 1 root root 424 Aug 26 13:04 ssl-dhparams.pem\n-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-options-ssl-nginx-conf-digest.txt\n-rw-r--r-- 1 root root 64 Aug 26 13:04 .updated-ssl-dhparams-pem-digest.txt<\/pre>\n\n\n\n
The private key (privkey1.pem<\/em>) is not accessible by influxdb as it is now so we need to change it’s group to our newly created newgrp<\/em><\/p>\n\n\n\n
chgrp newgrp<\/em> \/etc\/letsencrypt\/archive\/__domain__\/privkey1.pem\nchmod g+r \/etc\/letsencrypt\/archive\/__domain__\/privkey1.pem<\/pre>\n\n\n\n
The content of the folder should now look something like<\/p>\n\n\n\n
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .\ndrwx------ 3 root root 4096 Aug 26 13:09 ..\n-rw-r--r-- 1 root root 1842 Aug 26 13:09 cert1.pem\n-rw-r--r-- 1 root root 3749 Aug 26 13:09 chain1.pem\n-rw-r--r-- 1 root root 5591 Aug 26 13:09 fullchain1.pem\n-rw-r----- 1 root newgrp 1704 Aug 26 13:09 privkey1.pem<\/pre>\n\n\n\n
Also the live folder need some changes<\/p>\n\n\n\n
Issue<\/p>\n\n\n\n
chgrp -h newgrp \/etc\/letsencrypt\/__domain__\/privkey.pem<\/pre>\n\n\n\n
to change the group permissions for the symbolic link<\/p>\n\n\n\n
drwxr-xr-x 2 root root 4096 Aug 26 13:09 .\ndrwxr-x--- 3 root vscp2 4096 Aug 26 13:09 ..\nlrwxrwxrwx 1 root root 38 Aug 26 13:09 cert.pem -> ..\/..\/archive\/vscp2.vscp.org\/cert1.pem\nlrwxrwxrwx 1 root root 39 Aug 26 13:09 chain.pem -> ..\/..\/archive\/vscp2.vscp.org\/chain1.pem\nlrwxrwxrwx 1 root root 43 Aug 26 13:09 fullchain.pem -> ..\/..\/archive\/vscp2.vscp.org\/fullchain1.pem\nlrwxrwxrwx 1 root newgrp 41 Aug 26 13:09 privkey.pem -> ..\/..\/archive\/vscp2.vscp.org\/privkey1.pem\n-rw-r--r-- 1 root root 692 Aug 26 13:09 README<\/pre>\n\n\n\n
The configuration file for influxdb is located at<\/p>\n\n\n\n
\/etc\/influxdb\/config.toml<\/pre>\n\n\n\n
by default. We edit this file to look like this<\/p>\n\n\n\n
bolt-path = \"\/var\/lib\/influxdb\/influxd.bolt\"\nengine-path = \"\/var\/lib\/influxdb\/engine\"\nquery-concurrency = 20\nquery-queue-size = 15\nsecret-store = \"vault\"\nsession-length = 120\ntls-cert = \"\/etc\/letsencrypt\/live\/__domain__\/fullchain.pem\"\ntls-key = \"\/etc\/letsencrypt\/live\/__domain__\/privkey.pem\"<\/pre>\n\n\n\n
Only the last two lines are important here.  Read the influxdb configuration documents<\/a> for description of the other options.<\/p>\n\n\n\n
Now restart the influxdb server<\/p>\n\n\n\n
systemctl restart influxdb<\/pre>\n\n\n\n
You can check that the certificate is working with<\/p>\n\n\n\n
curl -v https:\/\/__domain__:8086\/api\/v2\/ping<\/pre>\n\n\n\n
Hope you have a secure influxdb running now.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you want to use letsencrypt certificates with influxdb you may experience problems. At least I did. To save time for others I share a solution that make things work below. The official docs on this are [here](https:\/\/docs.influxdata.com\/influxdb\/v2.0\/security\/enable-tls\/). letsencrypt store certificates in \/etc\/letsencrypt\/archive\/___domain___ where __domain__ is something like www.vscp.org or similar for which you installed […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[116],"tags":[],"class_list":["post-5342","post","type-post","status-publish","format-standard","hentry","category-influxdb"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p4raCZ-1oa","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/5342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5342"}],"version-history":[{"count":2,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/5342\/revisions"}],"predecessor-version":[{"id":5344,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/5342\/revisions\/5344"}],"wp:attachment":[{"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/grodansparadis.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}