SSL with influxDB on Grafana


(Arethusa) #1

Hello,

The normal authentication works, so now I am trying to enable SSL on InfluxDB (linked with Grafana).

So on my InfluxDB server I did:

sudo openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/influxdb-selfsigned.key -out /etc/ssl/influxdb-selfsigned.crt -days 365

Then, in /etc/influxdb/influxdb.conf I did:

[http]
auth-enable = true
https-enabled = true

https-certificate = "/etc/ssl/influxdb-selfsigned.crt"
https-private-key = "/etc/ssl/influxdb-selfsigned.key"

When I restart, I don’t get any error from the service.

But Grafana’s graphs do not work.

Under HTTP Auth, I selected “With credentials” and “Skip TLS verification”.

I suppose I have forgotten something or made a mistake!

Thank you.


(Michael Friedrich) #2

What’s the point with having TLS setup for InfluxDB but skipping it in Grafana itself?


(Arethusa) #3

Because the Suricata probe sees the password in clear text (from the InfluxDB details).

But I have more information: when I do “Save & Test” I get “Bad Gateway (502)”.

And on influxdb I have this log:

Nov 14 15:12:45 influxdbServer influxd: 2018/11/14 15:12:45 http: TLS handshake error from <WEB-server @IP>:48848: tls: first record does not look like a TLS handshake
Nov 14 15:12:48 influxdbServer influxd: 2018/11/14 15:12:48 http: TLS handshake error from <Icinga2 @IP>:53402: tls: oversized record received with length 21536

Thank you.


(Michael Friedrich) #4

What exactly is that?


(Arethusa) #5

Suricata is an IDS / IPS network probe that scans for vulnerabilities.


(Arethusa) #6

Maybe you should know that my Icinga2, InfluxDB, and Grafana servers don’t have the same IP; they are not the same server.

I just fixed one error: I added ssl_enable = true on my Icinga2 server (vim /etc/icinga2/features-enabled/influxdb.conf)

So now, I only have
Nov 14 15:12:45 influxdbServer influxd: 2018/11/14 15:12:45 http: TLS handshake error from <WEB-server @IP>:48848: tls: first record does not look like a TLS handshake

So I suppose I have to do something like that on my web server or on Grafana.


(Michael Friedrich) #7

So the TLS connection between Grafana and InfluxDB’s HTTP API doesn’t work. Googling the error message leads to some specific Golang code, and the idea that the https protocol now receives http traffic.

Seems that your Grafana isn’t talking https but http only.


(Arethusa) #8

I have to confirm but that looks good… In Grafana, under “HTTP Auth”, I had HTTP://@ip… instead of HTTPS://@ip…
Now I think it’s OK.

When I am sure, I will show my whole configuration and explanation.

Thank you.


(Arethusa) #9

Ok, that works.

In my case, I have 3 different servers, one for Icinga2, one for InfluxDB, and one for Grafana (and Icingaweb2).

I have 2 users for InfluxDB, a read-only user and an admin user:

CREATE USER InfluxAdmin WITH PASSWORD 'password' WITH ALL PRIVILEGES;
CREATE USER ReadOnlyUser WITH PASSWORD 'password';
GRANT READ ON icinga2 TO ReadOnlyUser;

So, the first thing to do is to modify the influxdb.conf on the Icinga2 server and add ssl_enable = true

[root@icinga ~]# vi /etc/icinga2/features-enabled/influxdb.conf 

/**
 * The InfluxdbWriter type writes check result metrics and
 * performance data to an InfluxDB HTTP API
 */

library "perfdata"

object InfluxdbWriter "influxdb" {
  host = "@IP InfluxDB"
  port = 8086
  database = "icinga2"
  username = "InfluxAdmin"
  password = "InfluxAdminPasswd"
  host_template = {
    measurement = "$host.check_command$"
    tags = {
      hostname = "$host.name$"
    }
  }
  service_template = {
    measurement = "$service.check_command$"
    tags = {
      hostname = "$host.name$"
      service = "$service.name$"
    }
  }
  enable_send_thresholds = true
  enable_send_metadata = true
  ssl_enable = true  # THIS LINE!
}

Then I create my self-signed certificate (or another type):

[root@influxdb ~]# openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/influxdb-selfsigned.key -out /etc/ssl/influxdb-selfsigned.crt -days 365

After that, I modify the [http] section of influxdb.conf on the InfluxDB server.

[root@influxdb ~]#  vim /etc/influxdb/influxdb.conf

[http]
auth-enable = true
https-enabled = true

https-certificate = "/etc/ssl/influxdb-selfsigned.crt"
https-private-key = "/etc/ssl/influxdb-selfsigned.key"

Next, I restart Icinga2 and InfluxDB (maybe a reload is sufficient).

[root@icinga ~]# systemctl restart icinga2
[root@influxdb ~]# systemctl restart influxdb 

And to finish, I edit the Grafana data source like this:

And now it’s OK: the password in “InfluxDB details” is encrypted and not scanned by the Suricata probe.
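
The procedure above touches three servers, and the thread shows that a single side left on plain HTTP produces a 502 in Grafana or a silent write failure in Icinga2. The following is an added example (not code from the thread, Icinga 2, InfluxDB or Grafana) that checks the three configurations against each other: it reads the [http] section of influxdb.conf, pulls ssl_enable / ssl_ca_cert out of the InfluxdbWriter object, and inspects the Grafana data source written as a provisioning document (keys url, user, withCredentials, jsonData.tlsSkipVerify, jsonData.tlsAuthWithCACert, secureJsonData.tlsCACert), since the thread's Grafana screenshot is not on the page. It also shows the weak data source (http:// URL, "Skip TLS verification") beside a hardened one that pins the self-signed certificate as the CA, which is what makes the encryption resist an on-path attacker rather than only a passive probe. Hostnames and the PEM placeholder are made up; the ssl_ca_cert attribute of InfluxdbWriter is assumed to be honoured by the Icinga 2 version in use.

```python
"""Cross-check Icinga2 -> InfluxDB <- Grafana TLS settings.

Added example, not from the thread or any of the three projects. Config texts are
modelled on the thread's snippets; hostnames and the PEM placeholder are made up.
"""
import configparser
import re
from urllib.parse import urlsplit

INFLUXDB_CONF = """
[http]
auth-enable = true
https-enabled = true
https-certificate = "/etc/ssl/influxdb-selfsigned.crt"
https-private-key = "/etc/ssl/influxdb-selfsigned.key"
"""

ICINGA_WRITER_BEFORE = '''
object InfluxdbWriter "influxdb" {
  host = "influxdb.example.internal"
  port = 8086
  database = "icinga2"
  username = "InfluxAdmin"
  password = "InfluxAdminPasswd"
}
'''

ICINGA_WRITER_AFTER = '''
object InfluxdbWriter "influxdb" {
  host = "influxdb.example.internal"
  port = 8086
  database = "icinga2"
  username = "InfluxAdmin"
  password = "InfluxAdminPasswd"
  ssl_enable = true
  ssl_ca_cert = "/etc/ssl/influxdb-selfsigned.crt"  # the file InfluxDB serves
}
'''

GRAFANA_DS_WEAK = {  # the thread's state before post #8: http:// and verification skipped
    "name": "InfluxDB-icinga2", "type": "influxdb", "access": "proxy",
    "url": "http://influxdb.example.internal:8086", "database": "icinga2",
    "user": "ReadOnlyUser", "withCredentials": True,
    "jsonData": {"tlsSkipVerify": True},
    "secureJsonData": {"password": "password"},
}

GRAFANA_DS_HARDENED = {  # https:// and the self-signed certificate pinned as CA
    "name": "InfluxDB-icinga2", "type": "influxdb", "access": "proxy",
    "url": "https://influxdb.example.internal:8086", "database": "icinga2",
    "user": "ReadOnlyUser", "withCredentials": True,
    "jsonData": {"tlsSkipVerify": False, "tlsAuthWithCACert": True},
    "secureJsonData": {"password": "password",
                       "tlsCACert": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----"},
}


def influx_https_enabled(conf_text: str) -> bool:
    """True when [http] https-enabled = true (influxdb.conf is INI-like enough for configparser)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("http", "https-enabled", fallback=False)


def icinga_writer_tls(writer_text: str) -> dict:
    """Extract ssl_enable / ssl_ca_cert from an InfluxdbWriter object by regex (not a DSL parser)."""
    def attr(name):
        m = re.search(rf"^\s*{name}\s*=\s*([^#\n]+)", writer_text, re.M)
        return m.group(1).strip().strip('"') if m else None
    return {"ssl_enable": attr("ssl_enable") == "true", "ssl_ca_cert": attr("ssl_ca_cert")}


def audit(influx_conf: str, writer_text: str, grafana_ds: dict) -> list:
    """Return (component, code, message) findings; an empty list means the three sides agree."""
    findings = []
    if not influx_https_enabled(influx_conf):
        return [("influxdb", "no-https", "[http] https-enabled is not true; credentials cross the network in clear")]
    w = icinga_writer_tls(writer_text)
    if not w["ssl_enable"]:
        findings.append(("icinga2", "no-ssl_enable", "InfluxdbWriter sends plaintext POST /write to the "
                         "HTTPS port; influxd logs 'oversized record received with length 21536'"))
    elif not w["ssl_ca_cert"]:
        findings.append(("icinga2", "no-ca", "ssl_enable = true without ssl_ca_cert: a self-signed "
                         "InfluxDB certificate cannot be verified against the system CA store"))
    jd = grafana_ds.get("jsonData", {})
    if urlsplit(grafana_ds["url"]).scheme != "https":
        findings.append(("grafana", "http-scheme", "data source URL is http://: the proxied GET /query is "
                         "logged as 'first record does not look like a TLS handshake' and Save & Test gives 502"))
    if jd.get("tlsSkipVerify"):
        findings.append(("grafana", "tls-skip-verify", "any certificate is accepted, so an on-path attacker "
                         "still gets the InfluxDB password; use tlsAuthWithCACert + secureJsonData.tlsCACert"))
    elif not (jd.get("tlsAuthWithCACert") and grafana_ds.get("secureJsonData", {}).get("tlsCACert")):
        findings.append(("grafana", "no-ca", "verification is on but no CA is given; a self-signed "
                         "certificate fails against the system store"))
    if grafana_ds.get("user") == "InfluxAdmin":
        findings.append(("grafana", "admin-user", "Grafana only reads; use the read-only user"))
    return findings


if __name__ == "__main__":
    for f in audit(INFLUXDB_CONF, ICINGA_WRITER_BEFORE, GRAFANA_DS_WEAK):
        print(*f, sep=" | ")
    print("hardened:", audit(INFLUXDB_CONF, ICINGA_WRITER_AFTER, GRAFANA_DS_HARDENED))
```

On the weak inputs the audit reports exactly the three problems the thread hit or left open (writer without ssl_enable, http:// data source URL, verification skipped); on the hardened inputs it reports nothing. The CA pinning on both clients uses the same influxdb-selfsigned.crt file that InfluxDB serves, so no extra PKI is needed.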