Hello Grafana Community,
I’ve recently been trying to switch my on-premises Grafana OnCall setup to HTTPS, but I’m facing a persistent issue with the OnCall plugin. Whenever I enable HTTPS in Grafana, I encounter an error in the OnCall plugin as shown in the attached screenshot, which suggests a problem related to SSL/TLS encryption.
I used the standard hobby compose file and added environment variables for HTTPS. However, there seems to be no detailed documentation on how to enable HTTPS specifically for Grafana OnCall. Following are the general steps suggested by Grafana for enabling TLS in Grafana OnCall:
To connect TLS to the OSS version of Grafana OnCall, you can follow these general steps:
- Obtain a TLS certificate: You will need a TLS certificate issued by a trusted certificate authority (CA) or a self-signed certificate. Ensure that the certificate includes the necessary domain or IP address.
- Configure Grafana OnCall: Open the configuration file for Grafana OnCall (usually named `config.yaml` or `grafana-oncall.yaml`). Look for the TLS-related configuration options.
- Enable TLS: Set the `tls.enabled` option to `true` to enable TLS for Grafana OnCall.
- Provide certificate details: Specify the paths to the TLS certificate and private key files using the `tls.certFile` and `tls.keyFile` options, respectively. These files should contain the corresponding certificate and private key for your TLS certificate.
- Configure other TLS options: Depending on your requirements, you may need to configure additional TLS options such as `tls.caFile` (path to the CA certificate file), `tls.insecureSkipVerify` (to skip certificate verification), `tls.cipherSuites` (to specify acceptable cipher suites), etc. Adjust these options as needed.
- Save the configuration file: Once you have made the necessary changes, save the configuration file.
- Restart Grafana OnCall: Restart the Grafana OnCall service or container to apply the new TLS configuration.
After completing these steps, the OSS version of Grafana OnCall should be configured to use TLS for secure communication. Make sure to update any relevant URLs or endpoints to use the appropriate `https://` scheme.
Please note that the specific steps may vary depending on your Grafana OnCall deployment and configuration. It’s recommended to refer to the official Grafana OnCall documentation or seek assistance from the Grafana community for detailed instructions tailored to your setup.
```yaml
version: "3.9"

x-environment: &oncall-environment
  DATABASE_TYPE: sqlite3
  BROKER_TYPE: redis
  BASE_URL: $DOMAIN
  SECRET_KEY: $SECRET_KEY
  FEATURE_PROMETHEUS_EXPORTER_ENABLED: ${FEATURE_PROMETHEUS_EXPORTER_ENABLED:-false}
  PROMETHEUS_EXPORTER_SECRET: ${PROMETHEUS_EXPORTER_SECRET:-}
  REDIS_URI: redis://redis:6379/0
  DJANGO_SETTINGS_MODULE: settings.hobby
  CELERY_WORKER_QUEUE: "default,critical,long,slack,telegram,webhook,retry,celery,grafana"
  CELERY_WORKER_CONCURRENCY: "1"
  CELERY_WORKER_MAX_TASKS_PER_CHILD: "100"
  CELERY_WORKER_SHUTDOWN_INTERVAL: "65m"
  CELERY_WORKER_BEAT_ENABLED: "True"
  GRAFANA_API_URL: http://grafana:3000

services:
  engine:
    image: grafana/oncall
    restart: always
    ports:
      - "8080:8080"
    command: sh -c "uwsgi --ini uwsgi.ini"
    environment: *oncall-environment
    volumes:
      - oncall_data:/var/lib/oncall
    depends_on:
      oncall_db_migration:
        condition: service_completed_successfully
      redis:
        condition: service_healthy
  celery:
    image: grafana/oncall
    restart: always
    command: sh -c "./celery_with_exporter.sh"
    environment: *oncall-environment
    volumes:
      - oncall_data:/var/lib/oncall
    depends_on:
      oncall_db_migration:
        condition: service_completed_successfully
      redis:
        condition: service_healthy
  oncall_db_migration:
    image: grafana/oncall
    command: python manage.py migrate --noinput
    environment: *oncall-environment
    volumes:
      - oncall_data:/var/lib/oncall
    depends_on:
      redis:
        condition: service_healthy
  redis:
    image: redis:7.0.5
    restart: always
    expose:
      - 6379
    volumes:
      - redis_data:/data
    deploy:
      resources:
        limits:
          memory: 500m
          cpus: "0.5"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      timeout: 5s
      interval: 5s
      retries: 10
  prometheus:
    image: prom/prometheus
    hostname: prometheus
    restart: always
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
    profiles:
      - with_prometheus
  grafana:
    image: "grafana/${GRAFANA_IMAGE:-grafana:latest}"
    restart: always
    ports:
      - "3000:3000"
    environment:
      GF_SECURITY_ADMIN_USER: ${GRAFANA_USER:-admin}
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD:-admin}
      GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: grafana-oncall-app
      GF_INSTALL_PLUGINS: grafana-oncall-app
      GF_SERVER_PROTOCOL: https
      GF_SERVER_CERT_FILE: /etc/ssl/certs/grafana.pem
      GF_SERVER_CERT_KEY: /etc/ssl/certs/grafana.pem
      GF_USERS_DEFAULT_THEME: light
    volumes:
      - grafana_data:/var/lib/grafana
      - ./certs/grafana.pem:/etc/ssl/certs/grafana.pem:ro
    deploy:
      resources:
        limits:
          memory: 500m
          cpus: "0.5"
    profiles:
      - with_grafana

volumes:
  grafana_data:
  prometheus_data:
  oncall_data:
  redis_data:
```
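
As an added example (not part of the original post and not Grafana's own code), here is a small consistency check over the TLS-related settings in the compose file above. With `GF_SERVER_PROTOCOL: https` Grafana's listener accepts only TLS, so a client URL that points at it, such as `GRAFANA_API_URL`, has to use `https://`; the function names are hypothetical and the input is an excerpt of the posted file.

```python
import re
from urllib.parse import urlsplit

# Settings copied from the compose file in the post above (excerpt).
COMPOSE_EXCERPT = """
x-environment: &oncall-environment
  GRAFANA_API_URL: http://grafana:3000
services:
  grafana:
    environment:
      GF_SERVER_PROTOCOL: https
      GF_SERVER_CERT_FILE: /etc/ssl/certs/grafana.pem
      GF_SERVER_CERT_KEY: /etc/ssl/certs/grafana.pem
"""
TLS_PROTOCOLS = ("https", "h2")  # Grafana server protocols that require TLS

def read_settings(text):
    """Collect UPPER_CASE 'KEY: value' pairs (flat env maps only, not a YAML parser)."""
    pairs = re.findall(r"^[ \t]*([A-Z][A-Z0-9_]*):[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return {key: value.strip("\"'") for key, value in pairs}

def pem_block_types(pem_text):
    """Return the PEM block labels present, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return set(re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text))

def check_tls_consistency(settings, pem_text=None):
    """Return a list of findings; pem_text is the content of the cert file, if available."""
    findings = []
    protocol = settings.get("GF_SERVER_PROTOCOL", "http")
    if protocol not in TLS_PROTOCOLS:
        return findings
    scheme = urlsplit(settings.get("GRAFANA_API_URL", "")).scheme
    if scheme != "https":
        findings.append(f"GRAFANA_API_URL scheme is {scheme!r} but Grafana serves {protocol}")
    cert, key = settings.get("GF_SERVER_CERT_FILE"), settings.get("GF_SERVER_CERT_KEY")
    if not cert or not key:
        findings.append("GF_SERVER_CERT_FILE and GF_SERVER_CERT_KEY must both be set")
    elif cert == key and pem_text is not None:
        # One file for both settings only works if it holds both PEM blocks.
        types = pem_block_types(pem_text)
        if "CERTIFICATE" not in types:
            findings.append("shared PEM file has no CERTIFICATE block")
        if not any(t.endswith("PRIVATE KEY") for t in types):
            findings.append("shared PEM file has no PRIVATE KEY block")
    return findings

if __name__ == "__main__":
    for finding in check_tls_consistency(read_settings(COMPOSE_EXCERPT)):
        print("FINDING:", finding)
```

The certificate also has to cover the host name used in the URL (`grafana` on this compose network), and the calling container has to trust its issuer.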