
I have started working with the TICK stack and I'm quite new to this. A dedicated machine is assigned for TICK to run and receive data. To begin with, I have sent metrics from 3 instances to the TICK stack using UDP and everything is good. Now I would like to send the Kafka information too, which is secure (SSL-certified). The secure certificates came with these files: ca-cert, ca-cert.srl, ca-key, cert-file, cert-signed, kafka.client.truststore.jks, kafka.server.keystore.jks, kafka.server.truststore.jks.

On the other end, I'm trying to configure the telegraf.conf file with TLS config parameters for

tls_ca = "ca-cert"
tls_cert = "cert-signed" 
tls_key = "ca-key"

On starting telegraf the error shown is:

2019-01-18T11:51:48Z E! [agent] Failed to connect to output kafka, retrying in 15s, error was 'could not load keypair cert-signed:ca-key: tls: failed to parse private key'

2019-01-18T11:52:03Z E! [telegraf] Error running agent: could not load keypair cert-signed:ca-key: tls: failed to parse private key

Not sure what's going on. Help me debug or pick the right files. I understand that kafka.client.truststore.jks is used when any client tries to access Kafka.

But how is that used here, given that Telegraf is a client trying to publish?

srikanth
  • JKS files are for the Java keystore. Since Telegraf doesn't use the Java clients, probably not needed – OneCricketeer Jan 18 '19 at 20:16
  • @cricket_007 not required is not valid I believe. While the Kafka instance is secure, producer/consumer would not allow the client to communicate with the server without the encryption/decryption policy. – srikanth Jan 20 '19 at 15:59
  • Telegraf uses Sarama client. https://github.com/influxdata/telegraf/blob/master/plugins/outputs/kafka/kafka.go#L15 And I don't see JKS being used or configured here https://medium.com/processone/using-tls-authentication-for-your-go-kafka-client-3c5841f2a625 – OneCricketeer Jan 21 '19 at 04:20
  • Your error says it failed to parse the keys, so you should show how you generated them. But it is possible, based on this config section https://github.com/influxdata/telegraf/blob/master/plugins/outputs/kafka/kafka.go#L151-L156 – OneCricketeer Jan 21 '19 at 04:23

1 Answer


I had the same issue. It turned out it was just a simple file permission issue for me. I had to change the certificate and key file owner:group to Telegraf and it started working.

Damian