Grafana Docker Plesk Let's Encrypt Cert

I have the following problem. I run Grafana in a Docker container via Plesk Obsidian and now I want to reach Grafana via https. Of course I want to use the already created certificate of my domain.

For that I have mapped the Docker directory “/cert” via a volume mapping to “/usr/local/psa/var/modules/letsencrypt/etc/live/DOMAIN”, which contains the .pem files.
GF_SERVER_CERT_FILE = /cert/fullchain.pem
GF_SERVER_PROTOCOL = https
GF_SERVER_CERT_KEY = /cert/privkey.pem
(Don’t be confused, the environment variables in Plesk are probably specified like this)

But now I get the message “open /cert/fullchain.pem: permission denied”, why this happens is of course obvious to me - but how should I fix it?

The permissions of the directory /live and the /DOMAIN directory are:
drwx------ 4 psaadm psaadm 4,0K Feb 20 10:54 live

The permissions of the files in /DOMAIN are:
lrwxrwxrwx 1 psaadm psaadm 37 Feb 16 18:14 cert.pem -> ../../archive/_plesk_domain/cert2.pem
lrwxrwxrwx 1 psaadm psaadm 38 Feb 16 18:14 chain.pem -> ../../archive/_plesk_domain/chain2.pem
lrwxrwxrwx 1 psaadm psaadm 42 Feb 16 18:14 fullchain.pem -> ../../archive/_plesk_domain/fullchain2.pem
lrwxrwxrwx 1 psaadm psaadm 40 Feb 16 18:14 privkey.pem -> ../../archive/_plesk_domain/privkey2.pem

If I copy the privkey.pem and the fullchain.pem into another directory, then give the directory chown 472:root and chmod 777 and the files chmod +r, then it works. But I can’t copy the files every 3 months, and most of all I want to have these files only once.

I’m not sure what effect it would have if I assign a different user to the certificate type files or similar, or if I should add the user (But which one is it when using a docker?) to the psaadm group?

In any case I am up for anything that works :smiley:


I have been fighting with this for the last couple of hours, too…
Any solution?

Well, currently I just have the certificate copied to another folder with unlimited permissions. Adding every user to the Plesk user group did not work.

But of course this does not match the security requirements, because this folder has no restrictions… But at least all services can access the certificates there. Because I work with Docker, I also have not quite figured out how to create a dedicated group so that the rights are assigned only to the appropriate Docker container.
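A tighter variant of the copy workaround from the first post, aimed at the “no restrictions” concern raised above; this is an added example, not code from the thread. It assumes the Plesk live directory shown in the first post, that the container runs as uid 472 (the official Grafana image’s user, which the first post’s chown also points at), and that the script is run as root after each renewal (for example from cron); the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): copy the Plesk Let's Encrypt files into a
# directory that only the Grafana container user can read, instead of chmod 777.
# Intended to be run as root after each renewal; all paths and the uid are
# assumptions, adjust them to your setup.
set -eu

# Resolve Plesk's symlinks and install private copies for one uid.
# Usage: sync_certs SRC_DIR DST_DIR OWNER_UID
sync_certs() {
    src="$1"; dst="$2"; owner="$3"

    # Directory: the owner may enter and list it, nobody else has access.
    install -d -m 0700 -o "$owner" "$dst"

    for name in fullchain.pem privkey.pem; do
        # readlink -f follows ../../archive/... so we copy the real file,
        # not a link into a directory the container cannot see.
        real=$(readlink -f "$src/$name")
        [ -r "$real" ] || { echo "missing: $src/$name" >&2; return 1; }
        # Write under a temporary name, then rename, so Grafana never
        # reads a half-written key or chain.
        install -m 0400 -o "$owner" "$real" "$dst/.$name.tmp"
        mv -f "$dst/.$name.tmp" "$dst/$name"
    done
}

# Octal mode of a file, used to check the result after a sync.
mode_of() { stat -c '%a' "$1"; }

# Example invocation (as root):
#   sync_certs /usr/local/psa/var/modules/letsencrypt/etc/live/DOMAIN /opt/grafana-cert 472
if [ "$#" -eq 3 ]; then
    sync_certs "$@"
fi
```

The destination directory is then bind-mounted into the container as /cert, and the GF_SERVER_CERT_FILE / GF_SERVER_CERT_KEY settings from the first post stay unchanged.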

Yeah, feels all not that right… I just went with running grafana as a root user (--user root:root)…

Next try and hopefully the “best way” to go, at least for my use-case:

traefik

together with grafana and influxdb in a docker-compose… let’s see how this works =)