Skip to main content

Influx - Datenbank anlegen

0 | Vorbereitungen

apt-get update
apt-get install -y \
curl gnupg ca-certificates lsb-release coreutils

1 | InfluxDB-Repository & Paketinstallation

curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
| sha256sum --check -

cat influxdata-archive.key | gpg --dearmor \
| tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg >/dev/null

echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
| tee /etc/apt/sources.list.d/influxdata.list

apt-get update
apt-get install -y influxdb2
systemctl enable --now influxdb

2 | Selbst-signiertes Zertifikat erzeugen (100 Jahre)

cat > /root/san.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[req_distinguished_name]
C  = DE
ST = Berlin
L  = Berlin
O  = localhost
CN = influxdb.local
[v3_req]
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[alt_names]
DNS.1 = influxdb.local
IP.1  = 127.0.0.1
EOF

openssl req -new -newkey rsa:4096 -nodes \
  -keyout /etc/ssl/influxdb.key \
  -out    /etc/ssl/influxdb.csr \
  -config /root/san.cnf

openssl x509 -req -in  /etc/ssl/influxdb.csr \
  -signkey          /etc/ssl/influxdb.key \
  -out              /etc/ssl/influxdb.crt \
  -days 36500 -extensions v3_req -extfile /root/san.cnf

rm /etc/ssl/influxdb.csr /root/san.cnf
chown influxdb:influxdb /etc/ssl/influxdb.{crt,key}
chmod 644 /etc/ssl/influxdb.crt
chmod 600 /etc/ssl/influxdb.key

0 | Vorbereitungen

apt-get update
apt-get install -y \
  curl gnupg ca-certificates lsb-release coreutils

1 | InfluxDB-Repository & Paketinstallation

curl --silent --location -O https://repos.influxdata.com/influxdata-archive.key
echo "943666881a1b8d9b849b74caebf02d3465d6beb716510d86a39f6c8e8dac7515  influxdata-archive.key" \
| sha256sum --check -

cat influxdata-archive.key | gpg --dearmor \
| tee /etc/apt/trusted.gpg.d/influxdata-archive.gpg >/dev/null

echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive.gpg] https://repos.influxdata.com/debian stable main' \
| tee /etc/apt/sources.list.d/influxdata.list

apt-get update
apt-get install -y influxdb2
systemctl enable --now influxdb

2 | Selbst-signiertes Zertifikat erzeugen (100 Jahre)

cat > /root/san.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no
[req_distinguished_name]
C  = DE
ST = Berlin
L  = Berlin
O  = localhost
CN = influxdb.local
[v3_req]
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[alt_names]
DNS.1 = influxdb.local
IP.1  = 127.0.0.1
EOF

openssl req -new -newkey rsa:4096 -nodes \
  -keyout /etc/ssl/influxdb.key \
  -out    /etc/ssl/influxdb.csr \
  -config /root/san.cnf

openssl x509 -req -in  /etc/ssl/influxdb.csr \
  -signkey          /etc/ssl/influxdb.key \
  -out              /etc/ssl/influxdb.crt \
  -days 36500 -extensions v3_req -extfile /root/san.cnf

rm /etc/ssl/influxdb.csr /root/san.cnf
chown influxdb:influxdb /etc/ssl/influxdb.{crt,key}
chmod 644 /etc/ssl/influxdb.crt
chmod 600 /etc/ssl/influxdb.key

3 | InfluxDB auf HTTPS umstellen (via config.toml)

# (1) Default-Konfig anlegen, falls noch nicht vorhanden
test -f /etc/influxdb/config.toml || influxd print-config > /etc/influxdb/config.toml

# (2) HTTP-Port sicherstellen & alte TLS-Zeilen entfernen
sed -i \
  -e 's|^[# ]*http-bind-address .*|http-bind-address = ":8086"|' \
  -e '/^[# ]*tls-cert /d' \
  -e '/^[# ]*tls-key  /d' \
  /etc/influxdb/config.toml

# (3) TLS-Pfad-Direktiven anhängen
cat >> /etc/influxdb/config.toml <<'EOT'
tls-cert = "/etc/ssl/influxdb.crt"
tls-key  = "/etc/ssl/influxdb.key"
EOT

# (4) Eventuelle alte Systemd-Drop-Ins entfernen
rm -f /etc/systemd/system/influxdb.service.d/https.conf
rm -f /etc/default/influxdb2              # nicht mehr benötigt

# (5) Dienst neu laden & neustarten
systemctl daemon-reload
systemctl restart influxdb
systemctl status influxdb --no-pager

4 | Funktionstest

curl --insecure https://localhost:8086/api/v2/ping
# Erwartung: HTTP/1.1 204 No Content  (TLS-Handshake erfolgreich)

Hinweise

  • Selbst-signierte Zertifikate erzeugen Browser-Warnungen – für interne Netze meist unkritisch.
  • Für öffentliche Zugriffe besser Let’s Encrypt verwenden.
  • Bei InfluxDB 3 (Docker/Binaries) lassen sich TLS-Pfade direkt per Parameter setzen.
Back to top