Transport Layer Security (TLS) encryption is available on all supported network interfaces and protocols:
It's possible to configure encryption on all interfaces at once or individually.
QuestDB supports TLS v1.2 and v1.3.
To enable TLS on all interfaces, set the following configuration options:
.pem file should contain a DER-encoded server certificate. The file must include the full certificate
chain, which consists of the server's own certificate followed by any intermediate certificates necessary to establish a
trust path to a trusted root certificate.
The private key file must contain the key in one of the following formats:
- A DER-encoded plaintext RSA private key, as specified in PKCS#1/RFC3447
- A DER-encoded plaintext private key, as specified in PKCS#8/RFC5958
- A SEC1-encoded plaintext private key, as specified in RFC5915
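A pre-deployment check for the certificate and key files described above, as an added example that is not part of the QuestDB documentation or code base. It assumes both files are PEM-armored with the standard OpenSSL/RFC 7468 block labels; the function names and the sample blocks are constructed for illustration.

```python
import re

# Assumption: PEM labels that correspond to the three accepted plaintext formats.
ACCEPTED_KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 (RFC 3447)",
    "PRIVATE KEY": "PKCS#8 (RFC 5958)",
    "EC PRIVATE KEY": "SEC1 (RFC 5915)",
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, body) for every PEM block in the text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_cert_file(text):
    """Return a list of problems found in the certificate chain file."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if not labels:
        problems.append("no PEM blocks found")
    elif labels[0] != "CERTIFICATE":
        problems.append(f"first block is {labels[0]}, expected the server CERTIFICATE")
    if any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("private key material present in the certificate file")
    return problems


def check_key_file(text):
    """Return a list of problems found in the private key file."""
    # Other blocks (e.g. EC PARAMETERS written by some tools) are ignored.
    keys = [(l, b) for l, b in pem_blocks(text) if l.endswith("PRIVATE KEY")]
    if not keys:
        return ["no private key block found"]
    label, body = keys[0]
    # Encrypted PKCS#8 has its own label; legacy encryption adds a Proc-Type header.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return ["key is passphrase-protected; a plaintext key is required"]
    if label not in ACCEPTED_KEY_LABELS:
        return [f"unsupported key block type: {label}"]
    return []


def sample_pem(label, body="AAAA"):
    """Build a constructed PEM block with placeholder content (not a real key)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print(check_cert_file(sample_pem("CERTIFICATE") * 2))
    print(check_key_file(sample_pem("ENCRYPTED PRIVATE KEY")))
```

The check only inspects block labels and order; it does not verify signatures, expiry, or that the key matches the certificate.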
If you need to create a quick .pem file for testing, see the
To enable TLS for InfluxDB Line Protocol, apply the following configuration:
To enable TLS for PGWire protocol, apply the following configuration:
To enable TLS for the REST API, apply the following configuration:
To enable TLS for the minimal HTTP server, apply the following configuration:
If you want to rotate the certificate and the private key periodically,
QuestDB supports hot reload for the TLS files. First, replace the certificate
and key files on disk with the new ones. Next, call the reload_tls() SQL
function as follows:
The function returns true if the reload is successful; otherwise, it returns
false. If the reload fails, check the error messages in the server logs for
more details.
When Role-based Access Control (RBAC) is enabled, the function is only available to the admin user, i.e. to the built-in user account configured with the
Remember to use securely crafted certificates for production cases.
There are many ways to create a valid .pem certificate.
For a quick .pem certificate to use for testing, follow these steps.
- Create a
- Combine the
.key files into a new
Finally, you can configure QuestDB server to use the newly generated certificate and key, e.g. with the following configuration: