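#!/usr/bin/env bash
# Reproduction for the telegraf x509_cert input reporting
# "x509: certificate specifies an incompatible key usage" for a client-only cert.
#
# The below steps were run in a WSL2 Ubuntu 18.04 Linux environment using cfssl and
# telegraf docker containers. I've also reproduced the issue in Windows and in Linux
# outside docker. It should be reproducible anywhere with any telegraf 1.14 (and
# probably older) binary in any context.
#
# Requires: docker (invoked via sudo) and openssl on the host.
# Side effects: writes a throwaway CA plus three leaf certificates under ./cfssl and a
# telegraf.conf in the current directory; both are removed on exit (also on failure,
# so the test CA key cfssl/ca-key.pem is not left behind).
set -euo pipefail

#######################################
# Remove every artifact this script creates. Registered as the EXIT trap.
# Globals:   none
# Arguments: none
#######################################
cleanup() {
  rm -rf -- ./cfssl ./telegraf.conf
}

#######################################
# Run a bash command line inside the cfssl container with ./cfssl mounted at /cfssl.
# Arguments: $1   - command string handed to `bash -c` inside the container
#            $2.. - optional $0/$1/... positional parameters for that command string,
#                   so values are passed as arguments rather than interpolated
# Outputs:   whatever the container prints
# Returns:   the container's exit status
#######################################
cfssl_run() {
  sudo docker run --rm \
    -v "${PWD}"/cfssl:/cfssl \
    --workdir "/cfssl" \
    --entrypoint="/bin/bash" \
    cfssl/cfssl -c "$@"
}

#######################################
# Issue a leaf certificate from the test CA using one of the signing profiles.
# Arguments: $1 - profile name in root_signing_config.json (server|client|client-server)
#            $2 - short name; becomes the CN/SAN prefix and the output file basename
# Outputs:   cfssl/<name>.pem, cfssl/<name>-key.pem, cfssl/<name>.csr
#######################################
issue_cert() {
  local profile=$1
  local name=$2
  # The profile and name reach the inner shell as "$1"/"$2", not by string building.
  cfssl_run '
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=root_signing_config.json \
      -profile="$1" -cn="$2.telegraf.influxdb.local" \
      -hostname="$2,$2.telegraf.influxdb.local" cert_csr.json \
    | cfssljson -bare "$2"
  ' issue_cert "$profile" "$name"
}

#######################################
# Print a certificate and check with openssl that it chains to the test CA.
# Note: without -purpose, openssl verify does not enforce extended key usage, so all
# three certificates pass here even though Go's verifier rejects one of them below.
# Arguments: $1 - path of the certificate to inspect
#######################################
show_and_verify() {
  local cert=$1
  openssl x509 -in "$cert" -noout -text
  openssl verify -verbose -CAfile cfssl/ca.pem "$cert"
}

trap cleanup EXIT
mkdir -p cfssl

# Signing config: the three profiles differ only in their extended key usages.
# Quoted heredoc delimiters: the JSON is written literally, nothing is expanded.
cat <<'EOF' > cfssl/root_signing_config.json
{
  "signing": {
    "default": {
      "key": { "algo": "ecdsa", "size": 256 },
      "names": [{}],
      "expiry": "168h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [ "signing", "key encipherment", "server auth" ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [ "signing", "key encipherment", "client auth" ]
      },
      "client-server": {
        "expiry": "21600h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOF

cat <<'EOF' > cfssl/root_csr.json
{
  "CN": "telegraf root ca",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [
    { "C": "US", "L": "Raleigh", "ST": "North Carolina", "OU": "Telegraf", "O": "InfluxDB" }
  ]
}
EOF

# Leaf CSR template; CN and SANs are supplied on the cfssl command line.
cat <<'EOF' > cfssl/cert_csr.json
{
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [{}]
}
EOF

# Generate the CA
cfssl_run 'cfssl gencert -initca root_csr.json | cfssljson -bare ca'

# Generate server, client, and mixed client-server certificates:
issue_cert server server
issue_cert client client
issue_cert client-server mixed

# View each cert and show that openssl sees them as valid
show_and_verify cfssl/server.pem
show_and_verify cfssl/client.pem
show_and_verify cfssl/mixed.pem

# telegraf config
cat <<'EOF' > telegraf.conf
[[inputs.x509_cert]]
  sources = [
    "/cfssl/server.pem",
    "/cfssl/client.pem",
    "/cfssl/mixed.pem",
  ]
  tls_ca = "/cfssl/ca.pem"
  interval = "3600s"

[[outputs.file]]
  files = ["stdout"]
EOF

# Test the telegraf config (mounted read-only at the image's default config path)
sudo docker run --rm \
  -v "${PWD}"/telegraf.conf:/etc/telegraf/telegraf.conf:ro \
  -v "${PWD}"/cfssl:/cfssl \
  telegraf -c --test

# cleanup happens in the EXIT trap

# Expected outcome: Three x509_cert measurements all with verification=valid tags and
# verification_code=0i fields, with no verification_error fields
#
# Actual outcome: One of the three outputs, the client certificate (client.pem, whose
# only extended key usage is "TLS Web Client Authentication"), has a
# verification=invalid tag, and fields: verification_code=1i,
# verification_error="x509: certificate specifies an incompatible key usage"
# Go's crypto/x509 Verify checks for the server-auth extended key usage when
# VerifyOptions.KeyUsages is left empty; presumably the plugin leaves it empty, which
# would explain why only the client-auth-only certificate is rejected.
#
# Telegraf Output:
# 2020-06-29T18:13:43Z I! Starting Telegraf 1.14.4
# 2020-06-29T18:13:43Z I! Using config file: /etc/telegraf/telegraf.conf
# > x509_cert,common_name=server.telegraf.influxdb.local,host=ac4b94b15198,issuer_common_name=telegraf\ root\ ca,public_key_algorithm=ECDSA,san=server\,server.telegraf.influxdb.local,serial_number=2e1fe20e3ceb859e285bf13c3994db1e343da552,signature_algorithm=ECDSA-SHA256,source=/cfssl/server.pem,verification=valid age=1183i,enddate=1624989240i,expiry=31534816i,startdate=1593453240i,verification_code=0i 1593454424000000000
# > x509_cert,common_name=client.telegraf.influxdb.local,host=ac4b94b15198,issuer_common_name=telegraf\ root\ ca,public_key_algorithm=ECDSA,san=client\,client.telegraf.influxdb.local,serial_number=729b7232690c458f4c20d5f6d88740f3242f5c,signature_algorithm=ECDSA-SHA256,source=/cfssl/client.pem,verification=invalid age=1063i,enddate=1624989360i,expiry=31534936i,startdate=1593453360i,verification_code=1i,verification_error="x509: certificate specifies an incompatible key usage" 1593454424000000000
# > x509_cert,common_name=mixed.telegraf.influxdb.local,host=ac4b94b15198,issuer_common_name=telegraf\ root\ ca,public_key_algorithm=ECDSA,san=mixed\,mixed.telegraf.influxdb.local,serial_number=1191e1c3aba6e27cdd0aff9e7b2b51099b2873f3,signature_algorithm=ECDSA-SHA256,source=/cfssl/mixed.pem,verification=valid age=1063i,enddate=1671213360i,expiry=77758936i,startdate=1593453360i,verification_code=0i 1593454424000000000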