This is possible, but it looks like the Kapacitor config has drifted a bit 
from the InfluxDB config. To specify the server private key for Kapacitor, 
simply append the key to the end of the cert file. This way the cert file 
has both the CA cert and the server key. This is the way InfluxDB used to 
work. I'll create an issue to update Kapacitor to have the same config, but 
for now the concatenation workaround should get you going.

Also note that since the cert is self-signed, you will need to configure 
Kapacitor's InfluxDB client with the same cert. That config looks something 
like this, in the kapacitor.conf file:

[[influxdb]]
   ...
   ssl-cert = "/etc/influxdb/internal.cert"
   ssl-ca = "/etc/influxdb/internal.ca"
   ...

On Thursday, November 10, 2016 at 3:16:21 PM UTC-7, jadolf...@gmail.com 
wrote:
>
> Hi, I'm thinking about adding an SSL layer to InfluxDB, Telegraf and Kapacitor.
>
> Between InfluxDB and Telegraf, I don't have any issue but between InfluxDB 
> and Kapacitor I have.
>
> These are the logs of both apps.
>
> kapacitor: 
>
> log messages must have 'L!' prefix where L is one of 'D', 'I', 'W', 
> 'E'[log] 2016/11/10 21:21:20 http: TLS handshake error from 
> 127.0.0.1:22865: remote error: bad certificate
>
> influxdb:
>
> Post 
> https://localhost:9092/write?consistency=&db=telegraf&precision=ns&rp=default:
>  
> x509: certificate signed by unknown authority
>
> But if I run "kapacitor -skipVerify -url https://localhost:9092 list 
> tasks", it will return what I expect, a list of my tasks.
>
> The configuration of influxdb is:
>
> [http]
>   enabled = true
>   bind-address = ":8086"
>   auth-enabled = false
>   log-enabled = true
>   write-tracing = false
>   pprof-enabled = false
>   https-enabled = true
>   https-certificate = "/etc/influxdb/internal.cert"
>   ### Use a separate private key location.
>   https-private-key = "/etc/influxdb/internal.key"
>   max-row-limit = 10000
>   realm = "InfluxDB"
>
> And Kapacitor: 
>
> [http]
>   # HTTP API Server for Kapacitor
>   # This server is always on,
>   # it serves both as a write endpoint
>   # and as the API endpoint for all other
>   # Kapacitor calls.
>   bind-address = ":9092"
>   auth-enabled = false
>   log-enabled = true
>   write-tracing = false
>   pprof-enabled = false
>   https-enabled = true 
>   https-certificate = "/etc/influxdb/internal.kapacitor.pem" 
>
> Kapacitor uses the same certificate which is used by InfluxDB, but this 
> file is a concatenation of the private key and the certificate.
>
> In Telegraf's configuration, I'm using the ssl_ca = 
> "/etc/telegraf/cacert.pem" option. As you can see, Telegraf only needs the 
> CA certificate to work correctly, but Kapacitor doesn't have this option. 
>
> And Influxdb doesn't have the "insecure_skip_verify" option like telegraf 
> does. 
>
> So how can you use your own certificates with Kapacitor and InfluxDB?
>
> I'm using Debian 8.6, kapacitor 1.0.2-1, influxdb 1.0.2-1 and telegraf 
> 1.0.1-1.
>
> Thanks.
>
>
>
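
The two conditions discussed in this thread, as an added Go example that is not part of the original messages and is not Kapacitor or InfluxDB code: a single PEM file must contain the private key as well as the certificate, and a self-signed certificate only verifies when the client has been given it as a trusted CA. The function names `selfSigned` and `check` are hypothetical, and the certificate is constructed in memory for `localhost`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed, in-memory self-signed cert and key for host.
func selfSigned(host string) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

// check loads serverPEM as both certificate and key (single-file layout), then
// verifies the leaf for host against only the certificates in trustPEM.
func check(serverPEM, trustPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(serverPEM, serverPEM)
	if err != nil {
		return err // no private key in the file, or it does not match the cert
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed it
	roots := x509.NewCertPool()                           // start empty: system roots play no part
	roots.AppendCertsFromPEM(trustPEM)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, key := selfSigned("localhost")
	both := append(append([]byte{}, cert...), key...) // cert, then key appended
	fmt.Println("cert only:        ", check(cert, cert, "localhost"))
	fmt.Println("cert+key, no CA:  ", check(both, nil, "localhost"))
	fmt.Println("cert+key, trusted:", check(both, cert, "localhost"))
}
```

The second case returns the same `x509: certificate signed by unknown authority` error that appears in the InfluxDB log quoted above.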
