Documentation

Telegraf Controller

Secure Telegraf Controller with TLS

Serve Telegraf Controller over HTTPS and configure your Telegraf agents to trust the certificate. Enabling HTTPS on the server is only half of the setup. Each agent must also trust the certificate authority (CA) that signed the certificate, otherwise agents fail to fetch their configuration or send heartbeats.

How TLS works in Telegraf Controller

When you enable HTTPS, Telegraf Controller presents a TLS certificate to every client that connects. Agents interact with two listeners, and both use the same certificate and key:

  • Web interface and API on port 8888 (default): agents fetch their configuration from this listener.
  • Heartbeat service on port 8000 (default): agents send heartbeats to this listener.

Before an agent trusts a connection, it verifies that the certificate was signed by a CA it already trusts. Agents (through Telegraf) ship with the same list of public CAs as a web browser. A certificate signed by a private or internal CA, or a self-signed certificate, is not in that list, so agents reject it with a certificate signed by unknown authority error until you add the CA to each agent’s trust store.

No client certificates are required

Telegraf Controller does not use mutual TLS (mTLS). Agents are not required to present a client certificate. You only need to make agents trust the certificate that Telegraf Controller presents.

Choose a certificate

The type of certificate you use determines how much agent-side configuration is required:

  • Publicly trusted CA (for example, Let’s Encrypt or a commercial CA): agents trust the certificate automatically with no extra configuration. This is often impractical for internal hostnames that a public CA cannot validate.
  • Internal or corporate CA: agents that already trust your organization’s root CA need no extra configuration. Agents that do not yet trust the root CA must add it to their trust store.
  • Self-signed certificate: no agent trusts it by default. You must distribute the certificate to every agent. This is convenient for testing and lab environments.

Whichever option you choose, the certificate must be valid for the hostname that agents use to reach Telegraf Controller (for example, telegraf-controller.example.com). Generating certificates is outside the scope of this page. Use your organization’s certificate process or a tool such as openssl, then continue with the steps below.

Enable HTTPS on the server

Provide both a certificate and a matching private key in PEM format to serve Telegraf Controller over HTTPS. Set both ssl-cert-path and ssl-key-path:

export SSL_CERT_PATH=/etc/telegraf-controller/ssl/cert.pem
export SSL_KEY_PATH=/etc/telegraf-controller/ssl/key.pem

./telegraf_controller

Set both values together. If you set only one, Telegraf Controller logs a warning and serves plain HTTP. If both are set but a file is missing or invalid, the heartbeat service fails to start.

For the full TLS reference, including the command flag equivalents, see TLS configuration options.

Point agents at HTTPS endpoints

After you enable HTTPS, make sure the URLs that Telegraf Controller gives to agents use the https:// scheme. Telegraf Controller builds agent commands and heartbeat blocks from the public endpoint URLs configured in settings:

  1. Go to Settings and open the Public Endpoints section.
  2. Set API URL and Heartbeat URL to absolute https:// URLs that match your certificate’s hostname (for example, https://telegraf-controller.example.com:8888 and https://telegraf-controller.example.com:8000).

For details, see Public endpoints.

Trust the certificate on each agent

Add the CA certificate to the system trust store on each agent host. The system trust store covers both the configuration fetch (port 8888) and the heartbeat output plugin (port 8000), so a single trusted CA is enough for an agent to work end to end.

If Telegraf Controller uses a self-signed certificate, the certificate is its own CA. Distribute the certificate file itself to each agent.

Linux macOS Windows Docker

Linux

  1. Copy the CA certificate to the system certificate directory:

    sudo cp telegraf-controller-ca.crt /usr/local/share/ca-certificates/

  2. Update the system trust store:

    sudo update-ca-certificates

  3. Restart the Telegraf agent.

macOS

  1. Add the CA certificate to the system keychain and mark it as trusted:

    sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain telegraf-controller-ca.crt

  2. Restart the Telegraf agent.

Windows

  1. Import the CA certificate into the trusted root store (run PowerShell as Administrator):

    Import-Certificate -FilePath "telegraf-controller-ca.crt" `
  -CertStoreLocation Cert:\LocalMachine\Root

  2. Restart the Telegraf agent.

Docker

Mount the CA certificate into the agent container’s system certificate directory. The official Telegraf image reads CA certificates from /etc/ssl/certs/:

services:
  telegraf:
    image: telegraf:latest
    volumes:
      - /path/on/host/telegraf-controller-ca.crt:/etc/ssl/certs/telegraf-controller.pem:ro

Make sure the certificate file on the host is readable by the container (for example, chmod 644). If the container cannot read the file, certificate verification still fails.

Configure TLS in the heartbeat plugin

Trusting the CA at the system level is the recommended approach because it applies to every connection the agent makes. If you cannot modify the agent’s system trust store, the native [[outputs.heartbeat]] plugin also accepts standard Telegraf TLS options. Add tls_ca to the heartbeat block to trust the CA for heartbeats only:

[[outputs.heartbeat]]
  url = "https://telegraf-controller.example.com:8000/agents/heartbeat"
  instance_id = "&{agent_id}"
  tls_ca = "/etc/telegraf/telegraf-controller-ca.pem"

tls_ca applies only to the heartbeat connection. The configuration fetch on port 8888 still relies on the agent’s system trust store, so trusting the CA system-wide remains the most reliable option.

Because Telegraf Controller does not use mutual TLS, you do not need to set tls_cert or tls_key in the heartbeat block.

Verify the connection

After you trust the certificate and restart the agent, check the Telegraf logs. A successful start loads the configuration over HTTPS without a certificate error:

I! Loading config: https://telegraf-controller.example.com:8888/api/configs/<id>/toml
I! Starting Telegraf 1.38.2

In Telegraf Controller, confirm the agent appears with an OK status, which shows that heartbeats are being received.

Troubleshoot certificate errors

If an agent logs tls: failed to verify certificate: x509: certificate signed by unknown authority, the agent does not trust the CA that signed the Telegraf Controller certificate. Confirm that:

  • The CA certificate is installed in the agent’s system trust store, or tls_ca is set in the heartbeat block.
  • The certificate is valid for the hostname the agent uses to connect.
  • In Docker, the mounted certificate file is readable by the container.

For more installation and startup issues, see Troubleshoot Telegraf Controller installation.

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB OSS 2.9.0: API tokens are hashed by default

Stronger token security in InfluxDB OSS 2.9.0 — tokens are hashed on disk by default. Existing tokens are hashed on first startup and can’t be recovered afterward. Capture any plaintext tokens you still need before you upgrade.

View InfluxDB OSS 2.9.0 release notes

Hashed tokens authenticate exactly like unhashed tokens — clients and integrations keep working.

Also new in 2.9.0:

  • Configurable backup compression
  • Restore support for backups containing hashed tokens
  • Tighter Edge Data Replication queue validation
  • Flux upgrade
  • Compaction reliability improvements

Key enhancements in Explorer 1.9

Explorer 1.9 is now available with InfluxQL support, an AI-assisted Flux to SQL converter (beta), and new live sample data simulators.

View Explorer 1.9 release notes

Explorer 1.9 includes new features and improvements that make it easier to query, visualize, and manage data.

Highlights:

  • Flux to SQL converter (beta): Convert Flux queries to SQL with an AI-assisted converter.
  • InfluxQL support: Query data with InfluxQL in the Data Explorer and dashboards, and save and load InfluxQL queries.
  • InfluxQL visualizations: Render line and bar charts from InfluxQL results with per-tag series grouping.
  • Query error history: Review a history of query errors in the query tool.
  • Live sample data simulators: Generate continuous live sample data with new bird data and signal generator simulators.

For more details, see Explorer 1.9 release notes

InfluxDB 3.10 is now available

InfluxDB 3 Core 3.10 adds an automatic catalog format upgrade, a configurable query-concurrency limit, and processing engine improvements.

Key updates in InfluxDB 3 Core 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • --max-concurrent-queries: limit concurrent queries (adjustable at runtime).
  • GET /ready endpoint for readiness probes.
  • Processing engine: cross-database queries and trigger lockdown flags.

For more information, see the InfluxDB 3 Core release notes.

InfluxDB 3.10 is now available

InfluxDB 3 Enterprise 3.10 adds automated backup and restore, row-level deletions, and user management, with an automatic catalog format upgrade and performance preview improvements.

Key updates in InfluxDB 3 Enterprise 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • Automated backup and restore (beta)
  • Row-level deletions
  • User management (authentication and RBAC) — preview
  • Performance preview improvements

Backup and restore, row-level deletions, and the performance preview require the Enterprise storage engine upgrade (opt-in beta). Beta and preview features are subject to breaking changes and aren’t recommended for production use.

For more information, see the InfluxDB 3 Enterprise release notes

Telegraf Enterprise is now generally available

Telegraf Enterprise is now generally available, along with Telegraf Controller v1.0.

Telegraf Enterprise combines Telegraf Controller, a centralized management console for Telegraf, with official support from InfluxData. Manage configurations, monitor fleet health, and operate tens of thousands of Telegraf agents from a single system.

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On September 15, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2