Certificate error with renderer docker image and https

Hello,

I’m using grafana 9.2 docker image with grafana renderer latest docker image.
But rendering does not work because of the certificate used for grafana.
We get the following error in the logging:

{“failure”:“net::ERR_CERT_AUTHORITY_INVALID”,“level”:“error”,“message”:“Browser request failed”,“method”:“GET”,“url”:"https://grafana-url:3000

We use the following environment variables on grafana:

  - GF_RENDERING_SERVER_URL=http://renderer:8081/render
  - GF_RENDERING_CALLBACK_URL=https://grafana-url:3000/

Could someone point me to the environment variable for ignoring https errors?

Thanks in advance,

Ronald

I have the same issue, any one can help on that.

Hi @ronaldbuffing,

Welcome to the :grafana: community support forums !!

Please check the following documentation which describes the troubleshooting steps for the Image Render Plugin:

I hope this helps.

Thank you for the link but I think the troubleshooting steps don’t apply to the docker image for the image-renderer!

Please try to increase the log level and check the docker logs so that can view what the complete error message is about and it could help for further investigation.

Here are the logs:

Image-renderer docker:

{“err”:“Error: net::ERR_CERT_AUTHORITY_INVALID at [https ://x.x.x.x:3000/d-solo/mvrzTKxnk/scapacity-management?orgId=1&refresh=5m&from=1651063990218&to=1666871590218&panelId=21&width=1000&height=500&tz=Europe%2FAmsterdam&render=1\n](https ://x.x.x.x.x:3000/d-solo/mvrzTKxnk/sbt-capacity-management?orgId=1&refresh=5m&from=1651063990218&to=1666871590218&panelId=21&width=1000&height=500&tz=Europe%2FAmsterdam&render=1%5Cn) at navigate (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/FrameManager.js:156:23)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at async FrameManager.navigateFrame (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/FrameManager.js:131:21)\n at async Frame.goto (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/FrameManager.js:512:16)\n at async Page.goto (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/Page.js:1167:16)\n at async Browser.takeScreenshot (/usr/src/app/build/browser/browser.js:256:13)\n at async Browser.render (/usr/src/app/build/browser/browser.js:230:20)\n at async HttpServer.render (/usr/src/app/build/service/http-server.js:53:28)”,“level”:“error”,“message”:“Error while trying to prepare page for screenshot”,“url”:https://x.x.x.x:3000/d-solo/mvrzTKxnk/sbt-capacity-management?orgId=1&refresh=5m&from=1651063990218&to=1666871590218&panelId=21&width=1000&height=500&tz=Europe%2FAmsterdam&render=1}

{“err”:“TimeoutError: waiting for function failed: timeout 60000ms exceeded\n at new WaitTask (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/DOMWorld.js:528:34)\n at DOMWorld.waitForFunction (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/DOMWorld.js:479:26)\n at Frame.waitForFunction (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/FrameManager.js:1010:32)\n at Page.waitForFunction (/usr/src/app/node_modules/puppeteer/lib/cjs/puppeteer/common/Page.js:2490:33)\n at /usr/src/app/build/browser/browser.js:284:29\n at Browser.withTimingMetrics (/usr/src/app/build/browser/browser.js:411:20)\n at Browser.takeScreenshot (/usr/src/app/build/browser/browser.js:280:24)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at async Browser.render (/usr/src/app/build/browser/browser.js:230:20)\n at async HttpServer.render (/usr/src/app/build/service/http-server.js:53:28)”,“level”:“error”,“message”:“Error while waiting for the panels to load”,“url”:https://x.x.x.x.x:3000/d-solo/mvrzTKxnk/sbt-capacity-management?orgId=1&refresh=5m&from=1651063990218&to=1666871590218&panelId=21&width=1000&height=500&tz=Europe%2FAmsterdam&render=1}

Grafana docker:

logger=rendering renderer=http t=2022-10-31T07:56:18.172371415Z level=debug msg="calling remote rendering service" url=http ://renderer:8081/render/version

logger=cleanup t=2022-10-31T07:56:18.181126431Z level=info msg="Completed cleanup jobs" duration=8.163771ms

logger=rendering renderer=http t=2022-10-31T08:05:21.464978824Z level=info msg=Rendering path="d-solo/AzGbq4VVz/lon-capacity-management?orgId=1&refresh=5m&from=1666595123867&to=1667203523867&panelId=61&width=1000&height=500&tz=Europe%2FAmsterdam"

logger=rendering renderer=http t=2022-10-31T08:05:21.48677008Z level=debug msg="calling remote rendering service" url=http ://renderer:8081/render?deviceScaleFactor=1.000000&domain=x.x.x.x.x&encoding=&height=500&renderKey=J2LEKGMu424KUF98m60x0MdALbwaX13U&timeout=60&timezone=Europe%2FAmsterdam&url=https%3A%2F%2Fx.x.x.x.x%3A3000%2Fd-solo%2FAzGbq4VVz%2Flon-capacity-management%3ForgId%3D1%26refresh%3D5m%26from%3D1666595123867%26to%3D1667203523867%26panelId%3D61%26width%3D1000%26height%3D500%26tz%3DEurope%252FAmsterdam%26render%3D1&width=1000

server.go:3230: http: TLS handshake error from [192.168.64.1:51812](http ://192.168.64.1:51812/): remote error: tls: unknown certificate

Hi @ronaldbuffing ,

Try to add this option in the docker-compose file as it might be helpful to resolve it.

GF_RENDERER_PLUGIN_IGNORE_HTTPS_ERRORS=true

Let us know the results.

I already have this environment variable set for the grafana docker image but this does not resolve the issue.

environment:

  - GF_RENDERER_PLUGIN_IGNORE_HTTPS_ERRORS=true

  - GF_PATHS_CONFIG=/var/lib/grafana/grafana.ini

  - GF_RENDERING_SERVER_URL=http://renderer:8081/render

  - GF_RENDERING_CALLBACK_URL=https://x.x.x.x:3000/

  - GF_LOG_FILTERS=rendering:debug

Thanks for the quick reply.

Looking again at the attached logs you provided, it says:

server.go:3230: http: TLS handshake error from [192.168.64.1:51812](http ://192.168.64.1:51812/): remote error: tls: unknown certificate

So the error comes from the server with IP [192.168.64.1:51812] when trying to do a handshake.

To me it sounds like an issue with the certificate validity. I google around and found many related posts and threads but this one seems to be giving good information. Therefore please check and hopefully you may find the root cause and provide the solution to this post for other involved users.

There is nothing wrong with the certificate.
The ip is the ip of the grafana-image-renderer docker .
Setting the environment variable should ignore the https errors.
Please involve the grafana-image-renderer developer for this issue.

Hi @ronaldbuffing,

Could you please provide me with the complete docker-compse.yml and the version you used before?

Also, can you please provide as how you configure your SSL cert (i guess it is defined in the docker-compose file)?

Thanks

Below my docker-compose file:

grafana:
restart: always
image: grafana/grafana-enterprise:9.2.0
volumes:
- /opt/docker/metrics/grafana:/var/lib/grafana
ports:
- "3000:3000"
links:
- influxdb
depends_on:
- influxdb
environment:
- GF_RENDERING_IGNORE_HTTPS_ERRORS=true
- GF_RENDERER_PLUGIN_IGNORE_HTTPS_ERRORS=true
- GF_PLUGIN_GRAFANA_IMAGE_RENDERER_RENDERING_IGNORE_HTTPS_ERRORS=true
- GF_PATHS_CONFIG=/var/lib/grafana/grafana.ini
- GF_RENDERING_SERVER_URL=http://renderer:8081/render
- GF_RENDERING_CALLBACK_URL=https://xxxx:3000/
- GF_LOG_FILTERS=rendering:debug

renderer:
image: grafana/grafana-image-renderer:latest
ports:
- "8081"

Hi @ronaldbuffing,

Thanks for pasting the docker-compose.yml file.

Please move this environment variable:

- GF_RENDERING_IGNORE_HTTPS_ERRORS=true

from grafana into the renderer section and see if that helps.