Configure TLS for API and UI Access
To safeguard inbound communications to your Leader UI and API (default port 9000), enable Transport Layer Security (TLS) on the Leader.
This topic applies to on-prem and customer-managed Leader deployments only. For Cribl.Cloud deployments, TLS is enabled by default and managed automatically by the Cribl.Cloud platform.
This topic focuses on securing the Leader UI/API listener. For other TLS configurations, see:
- Secure Leader/Edge Nodes Communication: Secure the Leader-Edge Node control-plane channel (default port 4200).
- Import Certificates and Keys: Import and manage TLS certificates for reuse across multiple purposes.
Prerequisites
Before you enable TLS for the Leader UI/API, you need a TLS/SSL certificate and private key imported into Cribl Edge. For details on generating or importing certificates, see Import Certificates and Keys.
Step 1: Enable TLS for the Leader UI/API
After you have a certificate imported at Settings > Globals > Security > Certificates, enable TLS for the Leader UI/API listener:
- In the Leader UI, go to Settings > Global > General Settings > API Server Settings > TLS.
- Toggle Enabled on.
- In Certificate name, select a certificate you’ve imported (for example,
leader-ui-tls). - (Optional) Adjust any additional TLS options as needed (for example, minimum/maximum TLS versions).
- Select Save.
After you save:
The Leader UI/API now listens on HTTPS.
Access the UI/API using:
https://<hostname>:<port>/For example:
https://leader.example.com:9000/settings/system
After enabling TLS, you must prepend
https://to all Cribl Edge URLs on the Leader Node.
Step 2 (Optional): Enable TLS for Leader-Edge Node Communications
To secure the Leader-Edge Node control-plane channel (port 4200), see Secure Leader/Edge Nodes Communication. That guide walks you through:
- Uploading the same certificate (or a different one) to the relevant Fleets.
- Enabling TLS on each Edge Node’s distributed settings.
- Enabling TLS for the Leader’s distributed endpoint so Edge Nodes connect securely.
Advanced: Configure TLS via Config Files
Most deployments should configure TLS through the UI. Use this method only when you have a clear config-as-code workflow. Avoid ad-hoc manual edits of local config files on running systems; prefer the UI or a consistent automation pipeline that owns these files.
If you manage Cribl Edge via automation (for example, configuration management, containers, or Cribl as Code), you can configure the Leader UI/API listener in cribl.yml.
Example cribl.yml snippet:
api:
host: 0.0.0.0
port: 9000
disabled: false
ssl:
disabled: false
privKeyPath: /path/to/myKey.pem
certPath: /path/to/myCert.pemFor details on generating and importing certificates and keys used in this example, see Import Certificates and Keys.
Restore Unencrypted Private Keys
In Cribl Edge 4.1 and newer, for enhanced security, Cribl encrypts TLS certificate private keys in configuration files when you add or modify them. Before upgrading to v.4.1.0 (or newer), back up your existing unencrypted key files - see Safeguarding Unencrypted Private Keys for Rollback.
If you need to roll back from Cribl Edge 4.1 or later to an earlier version, follow this procedure to restore the unencrypted private key files that you backed up earlier:
- Stop Cribl Edge 4.1 (or later) on hosts - the Leader and all Edge Nodes.
- Untar the older Cribl Edge version (v.4.0.4, for example) onto the Leader and all Edge Nodes.
- Manually edit each Cribl Edge config file that contains an encrypted private key. Replace each key with its prior unencrypted version.
- Start up Cribl Edge, commit and deploy, and resume normal operations.