v2: Small additions to the enable-tls guide #5628

Merged
merged 5 commits into from
Oct 2, 2024

@ilario ilario commented Oct 2, 2024

This includes two small additions to the very good guide written in #5616.

  1. enable-tls add IP in san.cnf

When accessing the InfluxDB server via IP, the IP should be included in the subjectAltName.
If the IP is not present, errors like this will appear in the logs every 10 seconds (these specific errors arose from the scraper created by the onboarding/quick-start, which also causes these related issues: influxdata/ui#6956 and influxdata/influxdb#24882):

Sep 25 14:00:02 host influxd-systemd-start.sh[11782]: ts=2024-09-25T12:00:02.055617Z lvl=error msg="Unable to gather" log_id=0rr6jG30000 service=scraper scraper-name="new target" error="Get \"https://10.1.2.3:8086/metrics\": tls: failed to verify certificate: x509: cannot validate certificate for 10.1.2.3 because it doesn't contain any IP SANs"
Sep 25 14:00:02 host influxd-systemd-start.sh[11782]: ts=2024-09-25T12:00:02.055397Z lvl=info msg="http: TLS handshake error from 10.1.2.3:46380: remote error: tls: bad certificate" log_id=0rr6jG30000 service=http

  2. enable-tls add chown of .crt and .key to influxdb user

In the guide, there is a chmod command for setting the permissions, but the openssl command usually already sets them right. Instead, what is usually needed (at least on Debian) is to make these files accessible to the influxdb user and group.

@jstirnaman jstirnaman left a comment

Looks great! Thanks for contributing this.

@jstirnaman jstirnaman merged commit c40aec6 into influxdata:master Oct 2, 2024
1 check passed
@@ -116,6 +116,7 @@ cat > san.cnf <<EOF
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
IP.1 = 10.1.2.3
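
Review bot: The new `IP.1 = 10.1.2.3` line under `[alt_names]` carries no indication that it is a sample value, or that the entry is only needed when clients reach the server by IP address. A reader who copies the heredoc unchanged gets a certificate that covers 10.1.2.3 rather than their own server's address, and clients that connect by IP will still fail validation. Suggest a sentence ahead of the `cat > san.cnf <<EOF` block telling readers to replace the `DNS.*` and `IP.*` values with the names and addresses clients actually use, and to drop `IP.1` when the server is never reached by IP.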

We need to add an introduction to this code sample.
