@ramingar
Last active August 13, 2025 10:22
How to set up clickhouse to use SSL connections with self-signed certs
  • Generate the CA and self-signed certs

```sh
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout node.key -out node.csr
openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out node.crt -days 365
```
  • Put the certs in /etc/clickhouse-server/certs/ and adjust the permissions

  • Set up your Clickhouse server

```xml
<!-- /etc/clickhouse-server/config.d/config.xml -->
<!-- config.d fragments need the same root element as the main config (<yandex> or <clickhouse>),
     otherwise the server refuses to merge them -->
<yandex>
    <openSSL>
        <server>
            <certificateFile>/etc/clickhouse-server/certs/node.crt</certificateFile>
            <privateKeyFile>/etc/clickhouse-server/certs/node.key</privateKeyFile>
            <caConfig>/etc/clickhouse-server/certs/ca.crt</caConfig>
            <loadDefaultCAFile>false</loadDefaultCAFile>
            <disableProtocols>sslv2,sslv3</disableProtocols>
            <preferServerCiphers>true</preferServerCiphers>
            <invalidCertificateHandler>
                <name>RejectCertificateHandler</name>
            </invalidCertificateHandler>
        </server>
    </openSSL>
</yandex>
```

```xml
<!-- /etc/clickhouse-server/config.d/listen.xml -->
<yandex>
    <listen_host>0.0.0.0</listen_host>  <!-- Accept any interface connections -->
    <https_port>8443</https_port>
    <tcp_port_secure>9440</tcp_port_secure>
</yandex>
```
  • Set up your Clickhouse client (client's config.xml)

```xml
<!-- client's config.xml, e.g. /etc/clickhouse-client/config.xml; its root element is <config> -->
<config>
    <openSSL>
        <client>
            <caConfig>/etc/clickhouse-server/certs/ca.crt</caConfig>
            <loadDefaultCAFile>false</loadDefaultCAFile>
            <disableProtocols>sslv2,sslv3</disableProtocols>
            <preferServerCiphers>true</preferServerCiphers>
            <invalidCertificateHandler>
                <name>RejectCertificateHandler</name>
            </invalidCertificateHandler>
        </client>
    </openSSL>
</config>
```
  • Restart your server

  • Test your server:

```sh
clickhouse-client --secure --host <host> --port 9440
curl --cacert /path/to/ca.crt https://<host>:8443/
```
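The three openssl commands at the top produce a certificate with no subjectAltName, which is enough for the server to start but not for a client that checks the hostname (curl with --cacert, a Node client with ca_cert, or clickhouse-client with RejectCertificateHandler). The script below is an added example, not part of the gist: it repeats the CA and server cert generation with a SAN for the hostname, sets key permissions as the "adjust the permissions" step asks, and verifies offline with openssl what the client-side test above verifies over the network. It assumes openssl is on PATH; the function names make_certs/verify_cert and the hostname ch.example.internal are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the gist): CA + server cert with a SAN, then a local
# chain and hostname verification. Assumes openssl is on PATH.

# make_certs OUT_DIR HOSTNAME
# Creates ca.key/ca.crt and node.key/node.csr/node.crt in OUT_DIR.
make_certs() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"

    # CA: self-signed, 10 years, unencrypted key, non-interactive subject
    openssl req -new -x509 -days 3650 -nodes -subj "/CN=clickhouse-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1

    # Server key + CSR; the CN is the name clients will connect to
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/node.key" -out "$dir/node.csr" >/dev/null 2>&1 || return 1

    # Sign with the CA and add a subjectAltName: without it, hostname-checking
    # clients reject node.crt even though the chain to ca.crt is valid
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" \
        -out "$dir/node.crt" >/dev/null 2>&1 || return 1

    # Private keys readable by the owner only; on the server additionally run
    # chown clickhouse:clickhouse on the directory so the service can read them
    chmod 600 "$dir/ca.key" "$dir/node.key"
    chmod 644 "$dir/ca.crt" "$dir/node.crt"
}

# verify_cert OUT_DIR HOSTNAME
# Returns 0 only if node.crt chains to ca.crt AND is valid for HOSTNAME,
# the same two checks a client configured with the CA performs on connect.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/node.crt" >/dev/null 2>&1
}

# Usage: sh make-certs.sh /etc/clickhouse-server/certs ch.example.internal
if [ "$#" -eq 2 ]; then
    make_certs "$1" "$2" && verify_cert "$1" "$2" && echo "node.crt verifies for $2"
fi
```

Run verify_cert with the exact name you will put in `--host` / the Node `url`; a mismatch here is the same failure curl reports as a certificate error once the server is up.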

  • Node's config:

```js
// Node's config for @clickhouse/client (the option names below are that
// package's; the library is assumed here, the gist does not name it)
const fs = require('fs');
const { createClient } = require('@clickhouse/client');

const client = createClient({
    url                 : 'https://<host>:8443',
    username            : 'default',
    password            : '~',
    database            : 'default',
    request_timeout     : 300000,           // Timeout for the complete request (ms)
    keep_alive          : {
        enabled                : true,
        socket_ttl             : 450000,    // TTL for the socket keep-alive (ms)
        retry_on_expired_socket: true
    },
    max_open_connections: 10,               // Maximum connections simultaneously
    compression         : true,             // Enable compression
    clickhouse_settings : {
        session_timezone: 'UTC'
    },
    tls: {
        ca_cert: fs.readFileSync('./ca.crt'),     // the CA that signed node.crt
        // cert: fs.readFileSync('./node.crt'),  // if you want bidirectionality
        // key: fs.readFileSync('./node.key'),   // if you want bidirectionality
    },
});
```