Grafana https configuration


#1

Hi everyone! I’m struggling to configure Grafana to work via https. I have certificates generated by Let’s Encrypt, and grafana.ini configured like this:

```
[server]
# Protocol (http or https)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = http://localhost:3000

# Log web requests
router_logging = false

# the path relative working path
static_root_path = public

# enable gzip
enable_gzip = false

# https certs & key file
cert_file = /etc/letsencrypt/live/mysite/fullchain.pem
cert_key = /etc/letsencrypt/live/mysite/privkey.pem
```

My openHAB is running on port 443, so the question is… Is it possible to run both Grafana and openHAB on https?


#2

You can run https on any port.

```
root_url = http://localhost:3000
```
This should be the URL you want to use in the browser, so https://my_certified_domain:3000 (if you want to use port 3000 for https)

#3

This config leads to an error: grafana-server fails to start.

```
[server]
# Protocol (http or https)
protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port  to use
#http_port = 3000

# The public facing domain name used to access grafana from a browser
#domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
#enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://localhost:3000

# Log web requests
#router_logging = false

# the path relative working path
#static_root_path = public

# enable gzip
#enable_gzip = false

# https certs & key file
cert_file = /etc/letsencrypt/live/mysite/fullchain.pem
cert_key = /etc/letsencrypt/live/mysite/privkey.pem
```

Is there someone who has done this kind of thing?

UPD: in the Grafana log file I found

```
t=2017-04-13T14:48:42+0000 lvl=info msg="Initializing HTTP Server" logger=http.server address=0.0.0.0:3000 protocol=https subUrl=
t=2017-04-13T14:48:42+0000 lvl=eror msg="Fail to start server" logger=server error="open /etc/letsencrypt/live/mysite/fullchain.pem: permission denied"
t=2017-04-13T14:48:42+0000 lvl=info msg="Shutdown started" logger=server code=1 reason="Startup failed"
```

and that is weird, because

```
root@server:~# stat /etc/letsencrypt/live/mysite/fullchain.pem
  File: ‘/etc/letsencrypt/live/mysite/fullchain.pem’ -> ‘../../archive/mysite/fullchain1.pem’
  Size: 48              Blocks: 0          IO Block: 4096   symbolic link
Device: b302h/45826d    Inode: 517147      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-04-10 11:38:32.720709836 +0000
Modify: 2017-04-10 11:38:32.720709836 +0000
Change: 2017-04-10 11:38:32.720709836 +0000
 Birth: -
```

#4

Seems there is a permission problem
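
The `stat` output in post #3 shows the mode of the symlink itself, which the kernel does not consult when opening the file; what decides the `open` is search permission on every directory along the path and read permission on the link's target. The following added example (not from the thread and not Grafana code) walks those components for a given uid and lists the ones that deny access. The demo tree, the helper names and the uid are constructed for illustration, and ACLs and root's override are ignored.

```python
import os
import tempfile

def allowed(st, uid, gids, want):
    """True if the mode bits grant `want` (4 = read, 1 = search) to uid/gids."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner class
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group class
    else:
        bits = st.st_mode           # other class
    return (bits & want) == want

def ancestors(path):
    """Every directory from / down to the one that contains `path`."""
    parts = os.path.dirname(path).split(os.sep)
    return [os.sep.join(parts[:i]) or os.sep for i in range(1, len(parts) + 1)]

def blockers(path, uid, gids):
    """(component, access) pairs that deny uid/gids when opening `path`.
    Checks the directories leading to the link and to its final target, plus the target file."""
    link_dir = os.path.realpath(os.path.dirname(path))
    target = os.path.realpath(path)
    dirs = dict.fromkeys(ancestors(os.path.join(link_dir, "x")) + ancestors(target))
    found = [(d, "search") for d in dirs if not allowed(os.stat(d), uid, gids, 1)]
    if not allowed(os.stat(target), uid, gids, 4):
        found.append((target, "read"))
    return found

def build_demo_tree():
    """Constructed stand-in for the layout in the thread: live/ links into archive/."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    os.makedirs(os.path.join(base, "archive", "mysite"))
    os.makedirs(os.path.join(base, "live", "mysite"))
    open(os.path.join(base, "archive", "mysite", "fullchain1.pem"), "w").close()
    os.chmod(os.path.join(base, "archive"), 0o700)  # assumed owner-only directory
    link = os.path.join(base, "live", "mysite", "fullchain.pem")
    os.symlink("../../archive/mysite/fullchain1.pem", link)
    return base, link

if __name__ == "__main__":
    _, link = build_demo_tree()
    service_uid = os.getuid() + 1  # hypothetical account that does not own the tree
    for component, access in blockers(link, service_uid, set()):
        print(f"{access} permission denied on {component}")
```

To check a real deployment, call `blockers()` with the certificate path from grafana.ini and the uid and group ids of the account Grafana runs as. If the fix is to copy the files elsewhere, keep the private key readable only by that account.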


#5

The problem was solved by placing the certificate key file in the Grafana folder /etc/grafana/


#6

Can someone help me with configuring https for Grafana? I am running Grafana as a Windows service on my localhost.


#7

How do I solve this permission error? Please help.

Placing the cert file in /etc/grafana is not a solution.

The solution that worked for me is to copy the cert and private key to some other location (like /opt or something) and mention the same path in grafana.ini


#8

Do you need help? It sounds like you have already figured this out?


#9

Thanks for the reply.

But I have solved the issue.

Thanks again.


#10

Hi @torkel,

My Grafana works perfectly with https; the only thing is that when I try to check this using an online tool it shows

“The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.”

I have verified the same certificate by placing a test site with the same binding in IIS, and then it does not show any chain issue. But I don’t know why it is showing for the Grafana site. Are there any configs we need to do for CA and intermediate certs in the Grafana config? All these certificates are installed in the server's cert repository.

Thanks.


#11

Hi,

I resolved it by setting the cert path to the certificate's bundle.pem file.

Thanks.