Grafana Alloy - Unable to connect to web UI after enabling TLS

Hello there,

I’ve enabled TLS on my Grafana Alloy instance and I can see that it is working fine and pushing metrics to my Mimir instance. I’m also able to connect to it via curl and openssl, but Chrome and Firefox refuse to connect with the error “ERR_TUNNEL_CONNECTION_FAILED”.

I’m using the default ciphers and TLS version. openssl output (edited):
```
openssl s_client -showcerts -connect grafana-alloy-podman1.ref:12346
CONNECTED(00000003)
depth=1 C = DE, ST = H, L = E, O = AG, OU = IT, CN = refinst-ca
verify return:1
depth=0 C = DE, ST = H, L = E, O = AG, OU = IT, CN = grafana-alloy-podman1.ref
verify return:1
---
Certificate chain
 0 s:C = DE, ST = H, L = E, O = AG, OU = IT, CN = grafana-alloy-podman1.ref
   i:C = DE, ST = H, L = E, O = AG, OU = IT, CN = refinst-ca
-----BEGIN CERTIFICATE-----
MIIFlzCCA3+gAwIBAgIUQSgUYeDlwwr2/Q693ELNNQ8ISlowDQYJKoZIhvcNAQEL
BQAwcDELMAkGA1UEBhMCREUxDzANBgNVBAgMBkhlc3NlbjERMA8GA1UEBwwIRXNj
aGJvcm4xGzAZBgNVBAoMEkRldXRzY2hlIEJvZXJzZSBBRzELMAkGA1UECwwCSVQx
.....
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = H, L = E, O = AG, OU = IT, CN = grafana-alloy-podman1.ref
issuer=C = DE, ST = H, L = E, O = AG, OU = IT, CN = refinst-ca
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1975 bytes and written 387 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 596EB1DE7FEA5B8D6915127B499C2EF8007D774278E49A8F38D16E72AB5FA04A
    Session-ID-ctx:
    Resumption PSK: DC8BCD44EDCF03E3F2C938B827B5D7A4C477A3CEEC765185D142E7970C763F39
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 16 38 69 32 0e 52 5e e8-e2 6f 58 15 56 fb e4 55   .8i2.R^..oX.V..U
    0010 - e6 b0 30 37 9d ad 5b ad-11 62 c3 08 20 c5 8a 6a   ..07..[..b.. ..j
    0020 - 4b bf 64 a9 2e 38 09 59-48 f9 44 97 f2 b8 d6 68   K.d..8.YH.D....h
    0030 - 0b 7d 37 27 b9 9e 0e dd-95 63 06 83 3d 13 66 5c   .}7'.....c..=.f\
    0040 - 5a 8e 11 1c e2 3c 5f 69-ab 74 0d 39 3d 9f a7 1f   Z....<_i.t.9=...
    0050 - 72 14 bb b9 cc 0d 14 3e-34 a8 ff 30 f1 02 3c e9   r......>4..0..<.
    0060 - 7f da ba ad bc fc e0 67-89                        .......g.

    Start Time: 1739893189
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
```

Is anybody able to use TLS and access the web UI at the same time?
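An added example, not part of the post above and not Grafana's code: a small Python script that (a) parses `openssl s_client` output like the one quoted into a structured report and (b) probes the endpoint directly the way a browser would. Two points that the quoted output does not establish on its own: `s_client` sends no ALPN unless `-alpn` is given, so "No ALPN negotiated" says nothing about the server, and `-showcerts` without `-verify_hostname` does not prove the certificate's SAN matches the host name, which browsers require. Chromium's `ERR_TUNNEL_CONNECTION_FAILED` is reported when a CONNECT through a configured HTTP proxy fails, so a direct probe that bypasses proxy settings is a useful comparison. The host and port are the poster's; the `cafile` argument (path to the `refinst-ca` certificate), the function names `parse_sclient`, `probe_like_browser` and `san_matches`, and the abbreviated sample output are assumptions made for this example.

```python
"""Added example: parse openssl s_client output and probe a TLS endpoint
directly, checking the items a browser insists on (chain, hostname in SAN).
Not Grafana Alloy's code; names and the sample text are assumptions."""
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the s_client output from the post.
SAMPLE_SCLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = DE, ST = H, L = E, O = AG, OU = IT, CN = refinst-ca
verify return:1
depth=0 C = DE, ST = H, L = E, O = AG, OU = IT, CN = grafana-alloy-podman1.ref
verify return:1
---
Server certificate
subject=C = DE, ST = H, L = E, O = AG, OU = IT, CN = grafana-alloy-podman1.ref
issuer=C = DE, ST = H, L = E, O = AG, OU = IT, CN = refinst-ca
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
No ALPN negotiated
Verify return code: 0 (ok)
"""


@dataclass
class SClientReport:
    protocol: str = ""
    cipher: str = ""
    verify_ok: bool = False
    alpn: Optional[str] = None      # None when s_client prints "No ALPN negotiated"
    subject_cn: str = ""
    chain_depth: int = 0            # number of certificates seen in the verify path
    notes: List[str] = field(default_factory=list)


def parse_sclient(text: str) -> SClientReport:
    """Extract the handshake facts from s_client output and add caveats."""
    r = SClientReport()
    m = re.search(r"^New, (TLSv[\d.]+), Cipher is (\S+)", text, re.M)
    if m:
        r.protocol, r.cipher = m.group(1), m.group(2)
    r.verify_ok = re.search(r"^Verify return code: 0 \(ok\)", text, re.M) is not None
    m = re.search(r"^ALPN protocol: (\S+)", text, re.M)   # only printed when -alpn was used
    r.alpn = m.group(1) if m else None
    m = re.search(r"^subject=.*CN = ([^,\n]+)", text, re.M)
    if m:
        r.subject_cn = m.group(1).strip()
    depths = [int(d) for d in re.findall(r"^depth=(\d+)", text, re.M)]
    r.chain_depth = max(depths) + 1 if depths else 0
    if r.alpn is None:
        r.notes.append("no ALPN: s_client offers none unless -alpn is given, so this is not a server fault")
    r.notes.append("s_client without -verify_hostname does not check that the SAN matches the host name")
    return r


def san_matches(host: str, pattern: str) -> bool:
    """Match a host against one dNSName SAN entry; '*' covers exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def probe_like_browser(host: str, port: int, cafile: Optional[str] = None) -> dict:
    """Connect directly (no proxy), verify the chain against cafile, offer ALPN
    like a browser, and report whether the host name appears in the SAN."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "alpn": tls.selected_alpn_protocol(),
                "san_dns": sans,
                "host_in_san": any(san_matches(host, s) for s in sans),
            }


if __name__ == "__main__":
    report = parse_sclient(SAMPLE_SCLIENT_OUTPUT)
    print(report)
    # Live probe against the poster's endpoint; cafile path is an assumption.
    # print(probe_like_browser("grafana-alloy-podman1.ref", 12346, cafile="refinst-ca.crt"))
```

If `probe_like_browser` succeeds with `host_in_san` true while the browser still fails, the TLS configuration on the Alloy side is not the difference, and the browser's proxy settings are the next thing to compare with what curl uses.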