docs-v2/content/v2.0/security/enable-tls.md

---
title: Enable TLS encryption
seotitle: Enable TLS/SSL encryption
description: >
  Enable Transport Layer Security (TLS) and use the HTTPS protocol to secure communication between clients and InfluxDB.
weight: 101
menu:
  v2_0:
    parent: Security & authorization
v2.0/tags: [security, authentication, tls, https, ssl]
---

Enabling HTTPS encrypts the communication between clients and the InfluxDB server.
When configured with a signed certificate, HTTPS can also verify the authenticity of the InfluxDB server to connecting clients.

This pages outlines how to set up TLS over HTTPS with InfluxDB using either a signed or self-signed certificate.

{{% warn %}}
InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network.
{{% /warn %}}

## Requirements

To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate, also known as a Secured Sockets Layer (SSL) certificate.
InfluxDB supports three types of TLS certificates:

* **Single domain certificates signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)**

    Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.
    These certificates are signed and issued by a trusted, third-party Certificate Authority (CA).
    With this certificate option, every InfluxDB instance requires a unique single domain certificate.

* **Wildcard certificates signed by a Certificate Authority**

    Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.
    Wildcard certificates can be used across multiple InfluxDB instances on different servers.

* **Self-signed certificates**

    Self-signed certificates are _not_ signed by a trusted, third-party CA.
    Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests.
    They do not allow clients to verify the identity of the InfluxDB server.
    With this certificate option, every InfluxDB instance requires a unique self-signed certificate.
    You can generate a self-signed certificate on your own machine.

<!-- InfluxDB supports certificates composed of a private key file (`.key`) and a signed certificate file (`.crt`) file pair, -->
<!-- as well as certificates that combine the private key file and the signed certificate file into a single bundled file (`.pem`). -->

## Setup InfluxDB to use HTTPS

1. **Download or generate certificate files**
2. **Set certificate file permissions**
3. **Run `influxd` with TLS flags**
4. **Verify TLS connection**

## Enable HTTPS with a CA-signed certificate

1. **Install the certificate**

    Place the private key file (`.key`) and the signed certificate file (`.crt`) in the `/etc/ssl/` directory.
    (Other paths will also work.)

2. **Set certificate file permissions**

    The user running InfluxDB must have read permissions on the TLS certificate.

    {{% note %}}You may opt to set up multiple users, groups, and permissions.
    Ultimately, make sure all users running InfluxDB have read permissions for the TLS certificate.
    {{% /note %}}

    Run the following command to give InfluxDB read and write permissions on the certificate files.

    ```bash
    sudo chmod 644 /etc/ssl/<CA-certificate-file>
    sudo chmod 600 /etc/ssl/<private-key-file>
    ```

3. **Run `influxd` with TLS flags**

    Start InfluxDB with TLS command line flags:

    ```bash
    influxd \
    --tls-cert "/etc/ssl/influxdb-selfsigned.crt" \
    --tls-key "/etc/ssl/influxdb-selfsigned.key"
    ```

4. **Verify TLS connection**

    Ensure you can connect over HTTPS by running

    ```
    curl -v https://influxdb:9999/api/v2/ping
    ```

    With this command, you should see output confirming a succussful TLS handshake.

## Enable HTTPS with a self-signed certificate

1. **Generate a self-signed certificate**

    Use the `openssl` utility (preinstalled on many OSes) to create a certificate.
    The following command generates a private key file (`.key`) and a self-signed
    certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`.
    It outputs those files to `/etc/ssl/` and gives them the required permissions.
    (Other paths will also work.)

    ```bash
    sudo openssl req -x509 -nodes -newkey rsa:2048 \
    -keyout /etc/ssl/influxdb-selfsigned.key \
    -out /etc/ssl/influxdb-selfsigned.crt \
    -days <NUMBER_OF_DAYS>
    ```

    When you execute the command, it will prompt you for more information.
    You can choose to fill out that information or leave it blank; both actions generate valid certificate files.

2. **Run `influxd` with TLS flags**

    Start InfluxDB with TLS command line flags:

    ```bash
    influxd \
    --tls-cert "/etc/ssl/influxdb-selfsigned.crt" \
    --tls-key "/etc/ssl/influxdb-selfsigned.key"
    ```

3. **Verify TLS connection**

    Ensure you can connect over HTTPS by running

    ```
    curl -vk https://influxdb:9999/api/v2/ping
    ```

    With this command, you should see output confirming a succussful TLS handshake.

## Connect Telegraf to a secured InfluxDB instance

To connect [Telegraf](/telegraf/latest/) to an InfluxDB 2.0 instance with TLS enabled,
update the following `influxdb_v2` output settings in your Telegraf configuration file:

- Update urls to use https instead of http.
- If using a self-signed certificate, uncomment and set `insecure_skip_verify` to true.

### Example configuration

```toml
###############################################################################
#                            OUTPUT PLUGINS                                   #
###############################################################################

# Configuration for sending metrics to InfluxDB
[[outputs.influxdb_v2]]
  ## The URLs of the InfluxDB cluster nodes.
  ##
  ## Multiple URLs can be specified for a single cluster, only ONE of the
  ## urls will be written to each interval.
  urls = ["https://127.0.0.1:9999"]

  [...]

  ## Optional TLS Config for use on HTTP connections.
  [...]
  ## Use TLS but skip chain & host verification
  insecure_skip_verify = true
```

Restart Telegraf using the updated configuration file.
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			`---`
TLS docs: Fix title and frontmatter 2019-10-22 21:56:22 +00:00			`title: Enable TLS encryption`
			`seotitle: Enable TLS/SSL encryption`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			`description: >`
Edit TLS docs - Fix telegraf config - Edit description - Use headings for cert types - rm unnecessary graf - Various small edits 2019-10-21 22:54:30 +00:00			`Enable Transport Layer Security (TLS) and use the HTTPS protocol to secure communication between clients and InfluxDB.`
Edit TLS docs - Use imperative verbs in titles - Change security/tokens/_index.md weight - rename file - add ssl to tags 2019-10-21 22:51:09 +00:00			`weight: 101`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			`menu:`
			`v2_0:`
			`parent: Security & authorization`
Edit TLS docs - Use imperative verbs in titles - Change security/tokens/_index.md weight - rename file - add ssl to tags 2019-10-21 22:51:09 +00:00			`v2.0/tags: [security, authentication, tls, https, ssl]`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			`---`

			`Enabling HTTPS encrypts the communication between clients and the InfluxDB server.`
			`When configured with a signed certificate, HTTPS can also verify the authenticity of the InfluxDB server to connecting clients.`

Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`This pages outlines how to set up TLS over HTTPS with InfluxDB using either a signed or self-signed certificate.`

Use warning block in TLS recommendation Other minor edits 2019-10-21 17:17:39 +00:00			`{{% warn %}}`
Fix link on TLS page ...by removing the link 2019-11-04 17:24:29 +00:00			`InfluxData strongly recommends enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network.`
Use warning block in TLS recommendation Other minor edits 2019-10-21 17:17:39 +00:00			`{{% /warn %}}`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
			`## Requirements`

Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate, also known as a Secured Sockets Layer (SSL) certificate.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			`InfluxDB supports three types of TLS certificates:`

Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`* Single domain certificates signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.`
			`These certificates are signed and issued by a trusted, third-party Certificate Authority (CA).`
			`With this certificate option, every InfluxDB instance requires a unique single domain certificate.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`* Wildcard certificates signed by a Certificate Authority`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server.`
			`Wildcard certificates can be used across multiple InfluxDB instances on different servers.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`* Self-signed certificates`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs introduction 2020-01-17 19:48:18 +00:00			`Self-signed certificates are _not_ signed by a trusted, third-party CA.`
			`Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests.`
			`They do not allow clients to verify the identity of the InfluxDB server.`
			`With this certificate option, every InfluxDB instance requires a unique self-signed certificate.`
			`You can generate a self-signed certificate on your own machine.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			<!-- InfluxDB supports certificates composed of a private key file (`.key`) and a signed certificate file (`.crt`) file pair, -->
			<!-- as well as certificates that combine the private key file and the signed certificate file into a single bundled file (`.pem`). -->
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Start refactoring TLS docs 2020-01-17 19:49:04 +00:00			`## Setup InfluxDB to use HTTPS`

			`1. Download or generate certificate files`
			`2. Set certificate file permissions`
			3. Run `influxd` with TLS flags
			`4. Verify TLS connection`

Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`## Enable HTTPS with a CA-signed certificate`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			`1. Install the certificate`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			Place the private key file (`.key`) and the signed certificate file (`.crt`) in the `/etc/ssl/` directory.
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`(Other paths will also work.)`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			`2. Set certificate file permissions`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit TLS docs - Fix telegraf config - Edit description - Use headings for cert types - rm unnecessary graf - Various small edits 2019-10-21 22:54:30 +00:00			`The user running InfluxDB must have read permissions on the TLS certificate.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Edit HTTPS docs - Reformat notes - Change title 2019-10-17 20:58:47 +00:00			`{{% note %}}You may opt to set up multiple users, groups, and permissions.`
			`Ultimately, make sure all users running InfluxDB have read permissions for the TLS certificate.`
			`{{% /note %}}`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			`Run the following command to give InfluxDB read and write permissions on the certificate files.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			```bash
			`sudo chmod 644 /etc/ssl/<CA-certificate-file>`
			`sudo chmod 600 /etc/ssl/<private-key-file>`
			```
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			3. Run `influxd` with TLS flags
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Continue updating HTTPS instructions 2019-10-18 20:28:03 +00:00			`Start InfluxDB with TLS command line flags:`

			```bash
Use multi-line bash command examples in TLS doc 2019-10-18 21:26:59 +00:00			`influxd \`
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`--tls-cert "/etc/ssl/influxdb-selfsigned.crt" \`
Use multi-line bash command examples in TLS doc 2019-10-18 21:26:59 +00:00			`--tls-key "/etc/ssl/influxdb-selfsigned.key"`
Continue updating HTTPS instructions 2019-10-18 20:28:03 +00:00			```
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`4. Verify TLS connection`
Add instructions to verify TLS 2019-10-22 16:18:50 +00:00
			`Ensure you can connect over HTTPS by running`

			```
			`curl -v https://influxdb:9999/api/v2/ping`
			```

Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`With this command, you should see output confirming a succussful TLS handshake.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`## Enable HTTPS with a self-signed certificate`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			`1. Generate a self-signed certificate`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Add note on openssl 2019-10-22 16:22:06 +00:00			Use the `openssl` utility (preinstalled on many OSes) to create a certificate.
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			The following command generates a private key file (`.key`) and a self-signed
			certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`.
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			It outputs those files to `/etc/ssl/` and gives them the required permissions.
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`(Other paths will also work.)`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			```bash
Use multi-line bash command examples in TLS doc 2019-10-18 21:26:59 +00:00			`sudo openssl req -x509 -nodes -newkey rsa:2048 \`
			`-keyout /etc/ssl/influxdb-selfsigned.key \`
			`-out /etc/ssl/influxdb-selfsigned.crt \`
			`-days <NUMBER_OF_DAYS>`
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			```
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			`When you execute the command, it will prompt you for more information.`
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			`You can choose to fill out that information or leave it blank; both actions generate valid certificate files.`
Continue updating HTTPS instructions 2019-10-18 20:28:03 +00:00
Begin updating TLS instructions for v2 - Document using command line flags to enable TLD - Reflect change in supporting only .crt+.key pair 2019-10-18 16:59:43 +00:00			2. Run `influxd` with TLS flags
Continue updating HTTPS instructions 2019-10-18 20:28:03 +00:00
Remove outdated TLS verification instructions 2019-10-18 21:37:28 +00:00			`Start InfluxDB with TLS command line flags:`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			```bash
Remove outdated TLS verification instructions 2019-10-18 21:37:28 +00:00			`influxd \`
			`--tls-cert "/etc/ssl/influxdb-selfsigned.crt" \`
			`--tls-key "/etc/ssl/influxdb-selfsigned.key"`
Reformat TLS instructions as ordered list 2019-10-17 20:42:47 +00:00			```
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`3. Verify TLS connection`
Add instructions to verify TLS 2019-10-22 16:18:50 +00:00
			`Ensure you can connect over HTTPS by running`

			```
			`curl -vk https://influxdb:9999/api/v2/ping`
			```

Further edits to TLS docs - Change section titles - Edit language about certificates - Add more information on certificates - Fix command line example - Additional info on verifying TLS 2019-10-22 17:59:09 +00:00			`With this command, you should see output confirming a succussful TLS handshake.`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
			`## Connect Telegraf to a secured InfluxDB instance`

Update telegraf config for TLS docs 2019-10-22 17:40:28 +00:00			`To connect [Telegraf](/telegraf/latest/) to an InfluxDB 2.0 instance with TLS enabled,`
			update the following `influxdb_v2` output settings in your Telegraf configuration file:
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
Update telegraf config for TLS docs 2019-10-22 17:40:28 +00:00			`- Update urls to use https instead of http.`
			- If using a self-signed certificate, uncomment and set `insecure_skip_verify` to true.

			`### Example configuration`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00
			```toml
Edit TLS docs - Fix telegraf config - Edit description - Use headings for cert types - rm unnecessary graf - Various small edits 2019-10-21 22:54:30 +00:00			`###############################################################################`
			`# OUTPUT PLUGINS #`
			`###############################################################################`

			`# Configuration for sending metrics to InfluxDB`
			`[[outputs.influxdb_v2]]`
			`## The URLs of the InfluxDB cluster nodes.`
			`##`
			`## Multiple URLs can be specified for a single cluster, only ONE of the`
			`## urls will be written to each interval.`
Update telegraf config for TLS docs 2019-10-22 17:40:28 +00:00			`urls = ["https://127.0.0.1:9999"]`
Edit TLS docs - Fix telegraf config - Edit description - Use headings for cert types - rm unnecessary graf - Various small edits 2019-10-21 22:54:30 +00:00
			`[...]`

			`## Optional TLS Config for use on HTTP connections.`
			`[...]`
			`## Use TLS but skip chain & host verification`
			`insecure_skip_verify = true`
Begin porting TLS material from v1 2019-10-17 20:36:51 +00:00			```

Edit TLS docs - Fix telegraf config - Edit description - Use headings for cert types - rm unnecessary graf - Various small edits 2019-10-21 22:54:30 +00:00			`Restart Telegraf using the updated configuration file.`