influx query ignores --skip-verify flag #19782

Closed
martaferg opened this issue Oct 20, 2020 · 3 comments · Fixed by #20578
Labels: area/cli, area/2.x (OSS 2.0 related issues and PRs), kind/bug


martaferg commented Oct 20, 2020

Steps to reproduce:

1. Set up auth for InfluxDB with SSL (self-signed certs); see config below.
2. Create setup.
3. Start InfluxDB as influxd --tls-cert=/etc/ssl/host.crt --tls-key=/etc/ssl/host.key
4. Try to manage the db using flux (see below).

Expected behavior:
InfluxDB is started and uses TLS.
Influx CLI can connect to the database using TLS.

Actual behavior:

InfluxDB is started correctly using the certificate and key provided. The UI can be accessed in https://host:8086, telegraf sends data using TLS. Only problem: can't connect to it using the CLI. I recall the flag --UnsafeSsl in previous versions, the issue is related to that I think. Is there support for it in version 2.0? Below you can find the terminal output.

user@influxdb2:/etc/ssl$ influxd --tls-cert=/etc/ssl/host.crt --tls-key=/etc/ssl/host.key
2020-10-20T12:27:59.920525Z     info    Welcome to InfluxDB
## ......starts as usual.....
2020-10-20T12:28:00.551404Z     info    Listening       {"log_id": "0PyVXdC0000", "transport": "https", "addr": ":8086", "port": 8086}

azureuser@influxdb2:/etc/ssl$ 2020-10-20T12:29:03.509726Z       info    http: TLS handshake error from IP:17170: remote error: tls: unknown certificate

azureuser@influxdb2:/etc/ssl$ influx user list
2020-10-20T12:30:24.504517Z     info    http: TLS handshake error from IP:39394: remote error: tls: bad certificate
Error: Get "https://host:8086/api/v2/users": x509: certificate signed by unknown authority.
Error: Get "https://host:8086/api/v2/setup": x509: certificate signed by unknown authority.

Environment info:

System info: Linux (ubuntu 18.04)
InfluxDB version: InfluxDB 2.0.0-rc.1 installed through apt-get
Influx CLI 2.0.0-rc.1

Config:
san.cnf

[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = host
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = host

Certificate generation

azureuser@influxdb2:/etc/ssl$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/host.key -out /etc/ssl/host.crt -days 365 -config san.cnf
Generating a RSA private key
.....................................................................+++++
................................................+++++
writing new private key to '/etc/ssl/host.key'
-----

P.S.: The motivation for the san.cnf file is the error shown below.

azureuser@influxdb2:/etc/ssl$ influx user list
2020-10-20T10:49:32.164394Z     info    http: TLS handshake error from IP:58100: remote error: tls: bad certificate
2020-10-20T10:49:32.327796Z     info    http: TLS handshake error from IP:58102: remote error: tls: bad certificate
Error: Get "host:8086/api/v2/users": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0.
Error: Get "host:8086/api/v2/setup": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0.

@stuartcarnie
Contributor

@martaferg could you add the --skip-verify option to your influx command:

azureuser@influxdb2:/etc/ssl$ influx user list --skip-verify

danxmoran added the area/2.x label Dec 22, 2020
@clever-trevor

I too have this issue (or similar).

All the influx CLI commands I've tried work, apart from "influx query".

I have a self-signed certificate. I've tried using local IP and loopback but same results.

influx user list Doesn't work

sh-4.4# ./influx user list
Error: Get "https://10.128.0.5:8086/api/v2/users": x509: cannot validate certificate for 10.128.0.5 because it doesn't contain any IP SANs.
Error: Get "https://10.128.0.5:8086/api/v2/setup": x509: cannot validate certificate for 10.128.0.5 because it doesn't contain any IP SANs.
See 'influx user list -h' for help

influx user list --skip-verify Does work

sh-4.4# ./influx user list  --skip-verify
ID                      Name
06f5747847820000        xxx
06f68d4163603000        guest

influx query --skip-verify Doesn't work

sh-4.4# ./influx query 'schema.measurements(bucket:"telegraf")' --skip-verify
Error: Post "https://10.128.0.5:8086/api/v2/query?org=xxx": x509: cannot validate certificate for 10.128.0.5 because it doesn't contain any IP SANs.
See 'influx query -h' for help

Running InfluxDB 2.0.3 on CentOS 8

Influx CLI 2.0.3 (git: fe04d346df) build_date: 2020-12-15T01:00:16Z

@danxmoran
Contributor

Looks like the value of --skip-verify is ignored in the query implementation. Will try to get a fix into 2.0.4

danxmoran self-assigned this Jan 22, 2021
danxmoran changed the title from "Unable to connect with CLI and self signed certificate (SSL) Influxdb 2.0" to "influx query ignores --skip-verify flag" Jan 22, 2021