influxdata/influxdb-relay

[feature request] Add support for specifying trusted certificates

Opened this issue · 6 comments

It can be difficult to configure Relay to communicate with an InfluxDB server that is using a self-signed SSL certificate that is not trusted by the host system. It would be great if there was a configuration option for specifying a set of trusted certificates to use for communication.

Why does this need to be specific to influxdb-relay? Can't a trusted certificate be added to the system as a whole?

@nathanielc Sometimes you want service-specific certificates that aren't trusted globally on the machine. Adding a new CA to the host machine would add an extra attack surface: If the CA used to sign the cert for the backends is compromised, it will only compromise the relay traffic, rather than potentially trusting that CA for any secure connection or authentication on the machine.

@joelegasse Makes sense, thanks.

@rossmcdonald Would adding this as a per-backend option ca-cert be sufficient?

@joelegasse Absolutely, I think that makes perfect sense.

Would this influx-relay be helpful if I have only 1 influxdb server?

It doesn't seem to work:

luvpreet@DHARI-Inspiron-3542:/etc$ curl -i -XPOST 'http://localhost:9096/write?db=tester' --data-binary 'glass,host=server01,region=us-west value=0.64 1434055562000000000'

HTTP/1.1 503 Service Unavailable
Content-Length: 35
Content-Type: application/json
Date: Mon, 17 Apr 2017 12:48:33 GMT

{"error":"unable to write points"}