Background Information — Aquila Dynamics Labs (ADLs)
Telemetry TLS outage
From: Marco Petrovic mpetrovic@adls.example.com
To: Expert expert@adls.example.com; Yuki Tanaka ytanaka@adls.example.com; PKI Team pki-team@adls.example.com
CC: Miguel Duarte mduarte@adls.example.com; Claudia Weiss cweiss@adls.example.com
Subject: [INC-24531] Telegraf → Influx TLS failing after cert rotation
Hi Expert,
After we rotated certs for ops.* last night, Telegraf can’t push to Influx. Grafana loads, but Telegraf logs show:
outputs.http: post https://10.77.12.40:8086/api/v2/write: tls: failed to verify certificate:
x509: cannot validate certificate for 10.77.12.40 because it doesn't contain any IP SANs
openssl s_client -connect 10.77.12.40:8086 -servername influx.ops.adls.example.com shows CN=*.ops.adls.example.com, but Verify return code: 21 (unable to verify the first certificate). Our telegraf.conf has:
urls = ["https://10.77.12.40:8086"]
tls_ca = "/etc/ssl/certs/adls-root.pem"
insecure_skip_verify = false
We installed a single server cert (no bundle). Any guidance that fixes this without disabling verification?
— Marco
Which corrective actions will restore secure connectivity and meet compliance?
A. Enable insecure_skip_verify = true on Telegraf outputs to bypass hostname/chain checks.
B. Replace the internal CA with a public CA so IP-based SANs are unnecessary.
C. Reissue/install the server certificate properly: include SANs (e.g., influx.ops.adls.example.com or wildcard *.ops.adls.example.com) and deploy the full chain (server + intermediate) so verification succeeds.
D. Keep the same certificate and add the Influx IP address to SANs to match the URL; no other changes required.
E. Change Telegraf to connect via the FQDN and validate against the CA bundle (or set tls_server_name = "influx.ops.adls.example.com" if an IP must be used).
F. Turn on mutual TLS by adding a client cert/key in Telegraf; server config can remain as-is.
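The two failures in Marco's log can be reproduced offline, which makes it easier to see which fix addresses which error. The following is an added Go example, not code from the ticket, from Telegraf or from InfluxDB; Go is used because Telegraf is written in Go and the `x509:` message in the log is produced by Go's `crypto/x509`, so the same verifier runs here. It builds a constructed in-memory hierarchy (root CA, issuing CA, server leaf) using the names from the ticket, with the leaf carrying the wildcard DNS SAN and no IP SAN, exactly as described. The function names (`buildPKI`, `verifyAs`, `classify`) and the "(constructed)" CA names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed three-tier hierarchy (root -> issuing CA -> server leaf)
// standing in for the ADLS internal CA; the keys are throwaway P-256 keys.
type testPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// buildPKI reproduces the certificate shape from the ticket: the leaf carries
// CN and DNS SAN *.ops.adls.example.com but no IP SAN for 10.77.12.40.
func buildPKI() testPKI {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	intKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ADLS Root CA (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ADLS Ops Issuing CA (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter := issue(intTmpl, root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "*.ops.adls.example.com"},
		DNSNames:  []string{"*.ops.adls.example.com"}, // IPAddresses deliberately left empty, as in the ticket
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return testPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyAs checks the leaf the way Go's TLS client (and therefore Telegraf) does: first build
// a chain to the trusted root from whatever intermediates the server sent, then match
// serverName (a DNS name or an IP literal) against the SANs.
func verifyAs(p testPKI, serverName string, serverSendsIntermediate bool) error {
	roots := x509.NewCertPool() // plays the role of the tls_ca bundle
	roots.AddCert(p.Root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: serverName}
	if serverSendsIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(p.Intermediate)
	}
	_, err := p.Leaf.Verify(opts)
	return err
}

// classify maps the verification error onto the kind of fix it calls for (Verify returns these types unwrapped).
func classify(err error) string {
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError:
		return "chain: server must present the full chain, or the client must trust the issuing CA [" + err.Error() + "]"
	case x509.HostnameError:
		return "san: connect by a name the certificate covers, or reissue with the right SANs [" + err.Error() + "]"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	p := buildPKI()
	cases := []struct {
		name  string
		chain bool
	}{{"influx.ops.adls.example.com", false}, {"10.77.12.40", true}, {"influx.ops.adls.example.com", true}}
	for _, c := range cases {
		fmt.Printf("%-28s chain=%-5t -> %s\n", c.name, c.chain, classify(verifyAs(p, c.name, c.chain)))
	}
}
```

Run it with `go run .`. The first case (single server cert, no intermediate) fails chain building, which is the same condition openssl reports as `Verify return code: 21 (unable to verify the first certificate)`. The second case has the full chain but is verified against the IP from the `urls` setting, and produces the exact `doesn't contain any IP SANs` text from the Telegraf log. Only the third case, full chain plus a name the wildcard covers, verifies; the `serverName` argument is the name Telegraf checks, the host from `urls` or `tls_server_name` when one is set. Note that ordering: the chain is checked before the name, so fixing only the SAN problem would still leave the chain error in place.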