From 3f0f9d7effbeaa83d6246231b606d56be2fb1f50 Mon Sep 17 00:00:00 2001 From: pierwill Date: Fri, 17 Jan 2020 11:48:18 -0800 Subject: [PATCH 1/7] Edit TLS docs introduction --- content/v2.0/security/enable-tls.md | 30 +++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index 3afcd40f7..2e313a532 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md 
@@ -13,33 +13,35 @@ v2.0/tags: [security, authentication, tls, https, ssl] Enabling HTTPS encrypts the communication between clients and the InfluxDB server. When configured with a signed certificate, HTTPS can also verify the authenticity of the InfluxDB server to connecting clients. +This pages outlines how to set up TLS over HTTPS with InfluxDB using either a signed or self-signed certificate. + {{% warn %}} InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network. {{% /warn %}} ## Requirements -To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate (also known as a Secured Sockets Layer (SSL) certificate). +To enable HTTPS with InfluxDB, you need a Transport Layer Security (TLS) certificate, also known as a Secured Sockets Layer (SSL) certificate. InfluxDB supports three types of TLS certificates: -### Single domain certificates signed by a Certificate Authority +* **Single domain certificates signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)** -Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. -These certificates are signed and issued by a trusted, third-party Certificate Authority (CA). -With this certificate option, every InfluxDB instance requires a unique single domain certificate. + Single domain certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. + These certificates are signed and issued by a trusted, third-party Certificate Authority (CA). + With this certificate option, every InfluxDB instance requires a unique single domain certificate. 
-### Wildcard certificates signed by a Certificate Authority +* **Wildcard certificates signed by a Certificate Authority** -Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. -Wildcard certificates can be used across multiple InfluxDB instances on different servers. + Wildcard certificates provide cryptographic security to HTTPS requests and allow clients to verify the identity of the InfluxDB server. + Wildcard certificates can be used across multiple InfluxDB instances on different servers. -### Self-signed certificates +* **Self-signed certificates** -Self-signed certificates are _not_ signed by a trusted, third-party CA. -Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests. -They do not allow clients to verify the identity of the InfluxDB server. -With this certificate option, every InfluxDB instance requires a unique self-signed certificate. -You can generate a self-signed certificate on your own machine. + Self-signed certificates are _not_ signed by a trusted, third-party CA. + Unlike CA-signed certificates, self-signed certificates only provide cryptographic security to HTTPS requests. + They do not allow clients to verify the identity of the InfluxDB server. + With this certificate option, every InfluxDB instance requires a unique self-signed certificate. + You can generate a self-signed certificate on your own machine. From c2fc2b587093b50136163982554a34a97390b395 Mon Sep 17 00:00:00 2001 From: pierwill Date: Fri, 17 Jan 2020 11:49:04 -0800 Subject: [PATCH 2/7] Start refactoring TLS docs --- content/v2.0/security/enable-tls.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index 2e313a532..e56149de3 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md 
@@ -46,6 +46,13 @@ InfluxDB supports three types of TLS certificates: +## Setup InfluxDB to use HTTPS + +1. **Download or generate certificate files** +2. **Set certificate file permissions** +3. **Run `influxd` with TLS flags** +4. **Verify TLS connection** + ## Enable HTTPS with a CA-signed certificate 1. **Install the certificate** From 49a5c06e4200af2d8b41f6ff33a17f56d34d8e14 Mon Sep 17 00:00:00 2001 From: pierwill Date: Fri, 17 Jan 2020 11:50:36 -0800 Subject: [PATCH 3/7] Edit TLS certificate docs --- content/v2.0/security/enable-tls.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index e56149de3..998fc2482 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md @@ -49,6 +49,25 @@ InfluxDB supports three types of TLS certificates: ## Setup InfluxDB to use HTTPS 1. **Download or generate certificate files** + + If using a certificate provided by a CA, follow their instructions to download the certificate files. + + If using a self-signed certificate, use the `openssl` utility to create a certificate. + The following command generates a private key file (`.key`) and a self-signed + certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`. + It outputs those files to `/etc/ssl/` and gives them the required permissions. + (Other paths will also work.) + + ```sh + sudo openssl req -x509 -nodes -newkey rsa:2048 \ + -keyout /etc/ssl/influxdb-selfsigned.key \ + -out /etc/ssl/influxdb-selfsigned.crt \ + -days + ``` + + The command will prompt you for more information. + You can choose to fill out these fields or leave them blank; both actions generate valid certificate files. + 2. **Set certificate file permissions** 3. **Run `influxd` with TLS flags** 4. **Verify TLS connection** From 436dd70bf42f06a8fe719a667f42448c1d681952 Mon Sep 17 00:00:00 2001 
From: pierwill Date: Fri, 17 Jan 2020 11:53:35 -0800 Subject: [PATCH 4/7] Add remaining TLS instructions --- content/v2.0/security/enable-tls.md | 38 +++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index 998fc2482..dc4c1af63 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md @@ -69,9 +69,47 @@ InfluxDB supports three types of TLS certificates: You can choose to fill out these fields or leave them blank; both actions generate valid certificate files. 2. **Set certificate file permissions** + + The user running InfluxDB must have read permissions on the TLS certificate. + + {{% note %}}You may opt to set up multiple users, groups, and permissions. + Ultimately, make sure all users running InfluxDB have read permissions for the TLS certificate. + {{% /note %}} + + Run the following command to give InfluxDB read and write permissions on the certificate files. + + ```bash + sudo chmod 644 /etc/ssl/ + sudo chmod 600 /etc/ssl/ + ``` + 3. **Run `influxd` with TLS flags** + + Start InfluxDB with TLS command line flags: + + ```bash + influxd \ + --tls-cert "" \ + --tls-key "" + ``` + 4. **Verify TLS connection** + + Ensure you can connect over HTTPS by running + + ``` + curl -v https://influxdb:9999/api/v2/ping + ``` + + If using a self-signed certificate, use the `-k` flag to skip certificate verification: + + ``` + curl -vk https://influxdb:9999/api/v2/ping + ``` + + With this command, you should see output confirming a succussful TLS handshake. + ## Enable HTTPS with a CA-signed certificate 1. **Install the certificate** From d2083fa1d0ab5f17388acca49625c1a6918efbfc Mon Sep 17 00:00:00 2001 From: pierwill Date: Fri, 17 Jan 2020 11:54:20 -0800 Subject: [PATCH 5/7] Remove old TLS instructions --- content/v2.0/security/enable-tls.md | 84 +---------------------------- 1 file changed, 1 insertion(+), 83 deletions(-) 
diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index dc4c1af63..96cc57e09 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md @@ -46,7 +46,7 @@ InfluxDB supports three types of TLS certificates: -## Setup InfluxDB to use HTTPS +## Setup InfluxDB to use TLS over HTTPS 1. **Download or generate certificate files** 
@@ -110,88 +110,6 @@ InfluxDB supports three types of TLS certificates: With this command, you should see output confirming a succussful TLS handshake. -## Enable HTTPS with a CA-signed certificate - -1. **Install the certificate** - - Place the private key file (`.key`) and the signed certificate file (`.crt`) in the `/etc/ssl/` directory. - (Other paths will also work.) - -2. **Set certificate file permissions** - - The user running InfluxDB must have read permissions on the TLS certificate. - - {{% note %}}You may opt to set up multiple users, groups, and permissions. - Ultimately, make sure all users running InfluxDB have read permissions for the TLS certificate. - {{% /note %}} - - Run the following command to give InfluxDB read and write permissions on the certificate files. - - ```bash - sudo chmod 644 /etc/ssl/ - sudo chmod 600 /etc/ssl/ - ``` - -3. **Run `influxd` with TLS flags** - - Start InfluxDB with TLS command line flags: - - ```bash - influxd \ - --tls-cert "/etc/ssl/influxdb-selfsigned.crt" \ - --tls-key "/etc/ssl/influxdb-selfsigned.key" - ``` - -4. **Verify TLS connection** - - Ensure you can connect over HTTPS by running - - ``` - curl -v https://influxdb:9999/api/v2/ping - ``` - - With this command, you should see output confirming a succussful TLS handshake. - -## Enable HTTPS with a self-signed certificate - -1. **Generate a self-signed certificate** - - Use the `openssl` utility (preinstalled on many OSes) to create a certificate. - The following command generates a private key file (`.key`) and a self-signed - certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`. - It outputs those files to `/etc/ssl/` and gives them the required permissions. - (Other paths will also work.) - - ```bash - sudo openssl req -x509 -nodes -newkey rsa:2048 \ - -keyout /etc/ssl/influxdb-selfsigned.key \ - -out /etc/ssl/influxdb-selfsigned.crt \ - -days - ``` - - When you execute the command, it will prompt you for more information. 
- You can choose to fill out that information or leave it blank; both actions generate valid certificate files. - -2. **Run `influxd` with TLS flags** - - Start InfluxDB with TLS command line flags: - - ```bash - influxd \ - --tls-cert "/etc/ssl/influxdb-selfsigned.crt" \ - --tls-key "/etc/ssl/influxdb-selfsigned.key" - ``` - -3. **Verify TLS connection** - - Ensure you can connect over HTTPS by running - - ``` - curl -vk https://influxdb:9999/api/v2/ping - ``` - - With this command, you should see output confirming a succussful TLS handshake. - ## Connect Telegraf to a secured InfluxDB instance To connect [Telegraf](/telegraf/latest/) to an InfluxDB 2.0 instance with TLS enabled, From b5fabad1554a53b04e387056c61ae341f04a1b5b Mon Sep 17 00:00:00 2001 From: pierwill Date: Tue, 21 Jan 2020 11:08:42 -0800 Subject: [PATCH 6/7] Edit TLS docs w/ PR feedback --- content/v2.0/security/enable-tls.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index 96cc57e09..38bb83f55 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md 
@@ -10,10 +10,13 @@ menu: v2.0/tags: [security, authentication, tls, https, ssl] --- -Enabling HTTPS encrypts the communication between clients and the InfluxDB server. -When configured with a signed certificate, HTTPS can also verify the authenticity of the InfluxDB server to connecting clients. +Enabling TLS encrypts the communication between clients and the InfluxDB server. +When configured with a signed certificate, TLS also allows clients to verify the authenticity of the InfluxDB server. -This pages outlines how to set up TLS over HTTPS with InfluxDB using either a signed or self-signed certificate. +To set up TLS over HTTPS, do the following: + +- [Obtain requirements](#requirements) +- [Configure InfluxDB to use TLS](#configure-influxdb-to-use-tls) {{% warn %}} InfluxData **strongly recommends** enabling HTTPS, especially if you plan on sending requests to InfluxDB over a network. @@ -46,7 +49,7 @@ InfluxDB supports three types of TLS certificates: -## Setup InfluxDB to use TLS over HTTPS +## Configure InfluxDB to use TLS 1. **Download or generate certificate files** From cd1c204522aa8b9689649c22a4d9381ffee896ca Mon Sep 17 00:00:00 2001 From: pierwill Date: Tue, 21 Jan 2020 11:28:35 -0800 Subject: [PATCH 7/7] Edit TLS certificate generation instructions --- content/v2.0/security/enable-tls.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/v2.0/security/enable-tls.md b/content/v2.0/security/enable-tls.md index 38bb83f55..766d9ea74 100644 --- a/content/v2.0/security/enable-tls.md +++ b/content/v2.0/security/enable-tls.md 
@@ -56,10 +56,11 @@ InfluxDB supports three types of TLS certificates: If using a certificate provided by a CA, follow their instructions to download the certificate files. If using a self-signed certificate, use the `openssl` utility to create a certificate. - The following command generates a private key file (`.key`) and a self-signed - certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`. - It outputs those files to `/etc/ssl/` and gives them the required permissions. + + The following command generates a private key file (.key) and a self-signed certificate file (.crt) with required permissions + and saves them to `/etc/ssl/`. (Other paths will also work.) + Files remain valid for the specified `NUMBER_OF_DAYS`. ```sh sudo openssl req -x509 -nodes -newkey rsa:2048 \
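Review bot: Two typos in the first hunk of PATCH 1/7 should be fixed before merge: the added line "This pages outlines how to set up TLS over HTTPS" should read "This page outlines", and both the removed and the added Requirements sentence spell the protocol "Secured Sockets Layer (SSL)"; the expansion of SSL is "Secure Sockets Layer". Since the patch already rewrites that sentence, it is the right place to correct it.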
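Review bot: In the PATCH 3/7 hunk the `openssl req` block ends in `-days` with no value, so the command as shown fails to parse; the prose names the placeholder `NUMBER_OF_DAYS`, so the command should carry that placeholder (for example `-days NUMBER_OF_DAYS`) rather than a bare flag. The surrounding prose also has two accuracy problems: it says the command "gives them the required permissions", but nothing in the command sets permissions and the very next step, "Set certificate file permissions", exists to do that, so drop the permissions claim here; and "a private key file (`.key`) and a self-signed certificate file (`.crt`) which remain valid for the specified `NUMBER_OF_DAYS`" attributes a validity period to the key, when only the certificate expires. Minor: this block is fenced as ```sh while every other block in the file uses ```bash; keep one.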
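Review bot: The PATCH 4/7 hunk has a permissions step that will not produce a working setup as written. The `chmod 644 /etc/ssl/` and `chmod 600 /etc/ssl/` lines have lost their file arguments (only the directory path remains, and `chmod 600` on `/etc/ssl/` itself would make the directory unreadable), and the same hunk's `--tls-cert ""` / `--tls-key ""` flags are empty, so the placeholders for the `.crt` and `.key` paths need to be restored in both places. More importantly, the files were created with `sudo openssl` in step 1, so they are owned by root; after `chmod 600` on the key, the InfluxDB service user the text says "must have read permissions" cannot read it. Add a `chown` to the InfluxDB user (or state that ownership must be transferred) before or alongside the `chmod`. The lead-in also says the command gives InfluxDB "read and write permissions", which contradicts both the 644/600 modes and the preceding sentence about read permissions; say "read permissions". In step 4, recommending `curl -vk` for the self-signed case disables certificate verification, so the check only proves a handshake happened, not that the server presented the expected certificate; suggest `curl -v --cacert /etc/ssl/influxdb-selfsigned.crt https://influxdb:9999/api/v2/ping` instead, which verifies against the generated certificate, and reserve `-k` as a fallback for diagnosing a failing handshake. Finally, "succussful" should be "successful" in the last added line (the same misspelling appears in the removed lines of PATCH 5/7, so this patch is the one that keeps it alive), and the two `curl` fences have no language tag where the rest of the file uses ```bash.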
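Review bot: In the first hunk of PATCH 6/7 the introduction now speaks of "Enabling TLS" while the unchanged `{{% warn %}}` block two lines below still says "InfluxData **strongly recommends** enabling HTTPS"; pick one term for the page, or say "enabling TLS (HTTPS)" in the warning so readers do not take them for two different settings. The new list item "[Obtain requirements](#requirements)" reads oddly, since a requirement is something you meet rather than obtain; "Review requirements" or "Obtain a TLS certificate" would match the section it links to. The second hunk's rename to "## Configure InfluxDB to use TLS" does match the `#configure-influxdb-to-use-tls` anchor added in the first hunk, so that link is consistent.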
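Review bot: The PATCH 7/7 hunk reintroduces the claim that the `openssl` command produces the files "with required permissions", which is not what `openssl req` does and which duplicates the purpose of step 2 ("Set certificate file permissions"); the sentence should only say that the command writes the key and certificate to `/etc/ssl/`. "Files remain valid for the specified `NUMBER_OF_DAYS`" again applies the validity period to both files when `-days` only governs the certificate; "The certificate remains valid for..." is accurate. The hunk also drops the backticks around `.key` and `.crt` that the removed lines (and the rest of the file) use for file extensions, so the formatting becomes inconsistent within the same step.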