Influxdb: Document the integration with LetsEncrypt

Created on 10 Sep 2016 · 6 comments · Source: influxdata/influxdb

LetsEncrypt has revolutionized SSL certificate generation, and is extremely easy to use (letsencrypt certonly -d mydomain) and automate. It would be fantastic if InfluxDB could use directly the .pem files that LetsEncrypt generates (it appears that some files need to be concatenated now, but it's unclear which). There's also an option to specify the private key separately, which is nice but confuses things for LetsEncrypt users.

LetsEncrypt generates the following files:

cert.pem  (not interesting)
chain.pem  (not interesting)
fullchain.pem  <-- full certificate chain
privkey.pem  <-- private key

The correct configuration in /etc/influxdb/influxdb.conf is:

https-certificate = "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"
### Use a separate private key location.
https-private-key = "/etc/letsencrypt/live/yourdomain.com/privkey.pem"

This makes setting up SSL easy and something the user will never have to worry about, as LetsEncrypt will automatically renew the files before the certificate expiration date.


Below are potential errors, for SEO.

Trying to supply cert.pem to https-certificate results in the following error:

crypto/tls: found a certificate rather than a key in the PEM for the private key

even if https-private-key points to privkey.pem.

Not including the full chain can also result in "unable to verify the first certificate" when connecting with certain client libraries, even though the connection succeeds in the browser.


All 6 comments

Turns out InfluxDB can actually already use the fullchain.pem and privkey.pem files, though only for the [http] section, due to #7284.

This issue then becomes one of documenting how this can be done. Recommending a specific certificate tool may be a tiny bit beyond the scope of the docs, but given the lack of an example on that page, which has led to user questions on the forum, I'm inclined to think it would help much more than it would harm.

Happy to submit a PR once #7284 is settled.

Since this is a docs issue, can you re-open it here: https://github.com/influxdata/docs.influxdata.com

Will comment here and keep looking, but LetsEncrypt also generates really short-lived certs (3 months).
Is there a way to reload the certs without stopping/starting influxdb?

@dandv I just want to say thanks for your insights... I was using the cert.pem for https-certificate rather than fullchain.pem. Also had to change some folder permissions (/etc/letsencrypt/archive and /etc/letsencrypt/live to 750) and added user influxdb to the root group to get it to work, but it works like a charm after that :+1:

Any solution for what @prune998 asked?
It would be good to be able to force certificate reloading from time to time without having to restart the InfluxDB instance completely.

Has anyone got any way of doing it?

Check Caddy, nginx-lego or traefik, which have implemented that in Go already... maybe it can help get it done faster (as this issue is more than a year old now :) )
