Add option to specify CA for self-signed certificate

Open vzabawski opened this issue 2 years ago • 2 comments

This feature request is primarily related to InfluxDB Enterprise.

Proposal: The current settings allow encrypting traffic between InfluxDB nodes with self-signed certificates only with https-insecure-tls = true. It would be nice to add a parameter which allows specifying the path to a CA file, so the node's certificate is validated with that CA.

Current behavior: According to the documentation, you need to set https-insecure-tls to true. With that parameter, self-signed certificates work.

Desired behavior: Introduce a parameter which allows specifying the path to a CA certificate. For example, https-ca.

[meta]
 [...]
https-enabled = true
https-certificate = "influxdb-meta.crt"
https-private-key = "influxdb-meta.key"
https-ca = "influxdb-ca.crt"
https-insecure-tls = false

This parameter needs to be introduced for InfluxDB data and meta nodes' config.

Alternatives considered: The CA which issued the self-signed certificates can be added to the VM's CA bundle, but it's a bit inconvenient.

Use case: Encrypting internal traffic with self-signed certificates is quite a common practice, so allowing the traffic to be encrypted in a more secure way would be a good security improvement.

vzabawski avatar Apr 08 '22 09:04 vzabawski

+1

I am maintaining my own CA and would like to validate the chain of trust when connecting to InfluxDB, as well.

SuperCoolAlan avatar Oct 10 '23 18:10 SuperCoolAlan

#MeToo

rtoton avatar Jan 19 '24 10:01 rtoton