/etc/ssl/private/grafana.key: permission denied

Hi Folks,
I’m finishing a configuration for SSL certs in order to grafana uses TLS/SSL, and I got the following error on an attempt to start the service via systemctl

grafana-server[330353]: logger=server t=2022-11-18T21:44:04.365832806-03:00 level=error msg=“Server shutdown” error=“*api.HTTPServer run error: open /etc/ssl/private/indexer-key.pem: permission denied”

It is requested to me uses the follwoing configuration at grafana.ini:

    protocol = https
    http_port = 3000
    domain = grafana.job-GT62VR-7RE
    root_url = %(protocol)s://%(domain)s/
    cert_file = /etc/ssl/certs/root-ca.pem
    cert_key = /etc/ssl/private/admin-key.pem

Checking for some solutions, I’ve validate the user and group for these files, and granted more permissions, see below:

  -r--r--r-- 1 wazuh-indexer wazuh-indexer 1,2K nov 16 11:58 root-ca.pem (works even without group grafana)
  -rwxrwxrwx 1 root grafana       1,7K nov 16 11:58 admin-key.pem (even with chmod 777, files is not readable)

Let me paste a complete message as picture below:

Please, someone can help me to overcome this situation ?
with chmod 644 (-rw-r–r–) not works

Also, I’ve create a key for these service, as a test, like below, and didn’t work, following the procedure from this site:

Which ask us to generate key and crt file with openssl
openssl genrsa -out grafana.key 2048
openssl req -new -key grafana.key -out grafana.csr

see that not worked:

I’ve just make this test with new certs, but my intent is to uses the already created and used by wazuh and graylog dashborads with no problem, just grafana cannot reads the file.

Thank you for you attention and help,

I’ve found finaly the fix for this issue.

Once you’re in Ubuntu distro, there are special priveleges for folders, and I’ve create the /certs and /private under /etc/grafana folder, instead the /etc/ssl as explained before.

Also give the permission root:grafana for these new folders and 0640 permission to both certs file.

After that, the issue was overcome and service started.