Grafana Windows Version how to implement HTTPS and ldaps LDAPS

Hello all, I am faced with issues with LDAPS and HTTPS.

Firstly I will give you more details about my environment:
I use Microsoft Windows Server 2019 and Grafana Version v7.4.0 Windows version, open-source edition :slight_smile:

My Microsoft Windows Server 2019 is joined to the domain controller.
And the Grafana server is installed in Microsoft Windows Server 2019.

If I understand correctly Grafana standalone doesn’t support HTTPS and needs from a proxy server?
In Linux this job could be done with an apache2 server as a proxy server?
Do you have a solution under Microsoft how could we solve this HTTPS issue?
With stunnel in two sides in the Microsoft Windows Server 2019 and in the Domain controller?
I want to use a signed certificate for the HTTPS from Microsoft Ca server is it possible to do it?
And it’s not acceptable to install in domain controller third-party application…

And for LDAPS need Lnux version of Gafana under Linux and little system modification to implement LDAPS?

I found this in my research but it’s old from 2015.
Someone solve this issue with little system modification:

“embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.11/lib/net/ldap.rb” (row 585)
args = { :method => args, :tls_options => { :ca_file => “my-ca-certs.cer”, :ssl_version => “TLSv1_1”, :verify_mode => OpenSSL::SSL::VERIFY_PEER } }

But we are with Microsoft version of Grafana … is it possible to run ldaps between Windows Version of Grafana and Microsoft DC controller with Active Directory using a certificate signed from Microsoft CA server?

Please could you share your opinion, proposal, experience regarding the topic?
Thank you in advance for your feedback.
I remain at your disposal.
Best regards.

hello and welcome to the forums, can you upgrade to a linux server? thank you

Hello Melrose,
Thank you for joining to the discussion.

First, is it possible or not with Microsoft OS to achieve HTTPS and LDAPS goals by using certificates signed by Microsoft CA server?

If I should migrate to LInux could you confirm in 100% in Linux I can implement HTTPS and LDAPS successfully with signed certificates from Microsoft CA server?

I will use Grafana server in an internal network without an internet connection under the Microsoft environment.

Thank you in advance.

yes your assumptions are correct.

Thank you for confirmation.

Could you help me with implementation?

Is it too difficult to use certificates from CA server with Linux?
And exactly how did you do?

You are mixing a problems:

1.) HTTPS
Yes, standalone Grafana supports HTTPS (TLS). Configure server section properly: protocol,cert_file,cert_key,...:

Cert/key must be in the PEM format and in the file - so don’t expect any Windows native integration - just export them to the file in the correct PEM format and that’s it.

Of course that’s not stopping you to use any reverse proxy, which supports SSL offloading in front of Grafana. It can be even better if it has native Windows cert store integration, so you won’t need export certs/keys to pem files. Also you need reverse proxy if you want to customize TLS - e.g. allowed ciphers, cipher order preference, TLS versions, … because that’s not customizable in the Grafana.

2.) LDAPS
Again, it just be configuration, use_ssl=true, eventually root_ca_cert if ca cert is not available in the system cert store:

Problems debugging: standard - just increase log levels and check the logs and based on the details from the logs tweak Grafana configuration.

Hello Jangaraj,

You confirm that it’s possible to use Windows version of Grafana with HTTPS and LDAPS under Microsoft environment?

Could you tell me more about certificates?
I see Ca certificate and personal certificate in the Windows Server 2019.
I can export them in .cer format using der and base64 format 509x.
I tried but I receives errors, I am sure I don’t use the right format of the certificates.
This is regarding LDAPS.

Regarding the WEB and HTTPS I tried https protocol, port 3000, and certificate signed from CA for the machine in the same format as for LDAPS…

protocol,cert_file,cert_key

Protocol is clear.
Cert file is clear (maybe my format is wrong it’s native Microsoft format)…
Cert key - I don’t have cert key file how to generate it?

Please could you tell me more specific details?

I tried HTTPS, yes it’s work with ssl certificate generated by public certificate authority in format crt and key.

How I can implement ssl with Microsoft certificates?
And how to export them in crt and key format?
Usually when export them they are coming in cer format without key :frowning:

You are really on the wrong forum if you are asking here how to get PEM server certificate (it’s not client/personal certificate!) format from the Windows Server 2019. PEM format is required for the Grafana and you should to check used system/documentation how you can you obtain if from the system, which you are using. Google is always good starting point to find answer - Let Me Google That

1 Like

Thank you Jangaraj.
I will check.

HTTPS is okay I implemented it successfully.
But please could you help me with LDAPS?

t=2021-03-09T23:18:13+0100 lvl=eror msg=“Failed to obtain the LDAP configuration. Please verify the configuration and try again” logger=context userId=1 orgId=1 uname=admin error=“Failed to load LDAP config file: Near line 21 (last key parsed ‘servers.root_ca_cert’): invalid escape character ‘P’; only the following escape characters are allowed: \b, \t, \n, \f, \r, \”, \\, \uXXXX, and \UXXXXXXXX" remote_addr=192.168.0.20

My configuration:

[[servers]]

Ldap server host (specify multiple hosts space separated)

host = “192.168.0.100”

Default port is 389 or 636 if use_ssl = true

#port = 389
port = 636

Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)

#use_ssl = false
use_ssl = true

If set to true, use LDAP with STARTTLS instead of LDAPS

start_tls = false
#start_tls = true

set to true if you want to skip ssl cert validation

#ssl_skip_verify = true
ssl_skip_verify = false

set to the path to your root CA certificate or leave unset to use system defaults

root_ca_cert = “C:\Program Files\GrafanaLabs\grafana\conf\SERVER-ROOTCA-CA.crt”
#root_ca_cert =

Authentication against LDAP servers requiring client certificates

client_cert = “C:\Program Files\GrafanaLabs\grafana\conf\server-sLDAP.crt”
client_key = “C:\Program Files\GrafanaLabs\grafana\conf\server-sLDAP.key”

I generated csr for sldap first from Linux with OpenSSL.
I signed it with SSL template from MS CA server using power shell and cmd.
I converted the signed certificate to .pem with OpenSSL under Linux.
In the end I change the file form pem to crt.
But without success.

I exported in DER 509x root ca certificate from server with grafana and I converted it to pem and then renamed it to crt.

But without success.
I tried and with default .pem the same error.

But for HTTPS is work like expected :slight_smile:

Please spend a minute and learn how to format code in your posts (it’s simple markdown). Make it easy to read for users, pls.

You have error, line of the config where is the error, so you know what’s wrong (sorry I didn’t spend my time yo see what’s wrong due to terrivle formatting .

I don’t understand why you need csr. You are not creating ldaps, you are connecting to existing ldaps - generally to some tls endpoint, so you need only ca certs usually on the client(Grafana) side. You need client cert/key only if LDAPS requires client certificate (mutual tls/mtls/client tls). I would recommend to spend a few minutes on TLS concept to have understanding of the topic and terms.

Hello jangaraj,

This is my first error:
“Failed to load LDAP config file: Near line 21 (last key parsed ‘servers.root_ca_cert’): invalid escape character ‘P’; only the following escape characters are allowed: \b, \t, \n, \f, \r, \”, \, \uXXXX, and \UXXXXXXXX" remote_addr=192.168.0.20"
I tried to skip client certificates.
And in my config file I tried to use only CA certificate.
But the Grafana config file can’t read it…

I exported CA certificate from the Grafana Windows Server machine from his local certificate store from trusted certificate folder.

I tried with crt, cer, and pem without success…
I tried and export from Windows server machine,
Moving the exported CA certificate to other Linux host and to convert it to pem format using OpenSSL but doesn’t help…

Please could you give me guidance?

The scenario is:
Microsoft Server 2019 with Grafana want to talk LDAPS with DC01 using CA certificate from CA01 server.

Where I am wrong?

Thank you in advance.

Hello again all!

I want to tell you that I successfully implement HTTPS and LDAPS!
From Microsoft version of Grafana under Microsoft Server OS!

HTTPS:
The solution is:
1 Generate CSR under Lnux OS using Open SSL and transfer private key to the Grafana server.
2 Transfer CSR file to CA server and sign it with CA server using web server template using power shell and cmd!
Please read here for more details:

3 Transfer it signed to Linus OS and with Open SSL convert it in PEM!
4 Rename it to .crt
5 Transfer it to the Grafana server!
6 In config file of Grafana change HTTP port to HTTPS!
Change port to 443!
Unblock in Microsoft Firewall port 443!
Enable certificate options and define the paths to the certificate and key file!
7 Restart the Grafana service and voala!
The important parameters in CSR are:
CN
FQDN
DNS name
IP
These parameters are minimum!

Now for LDAPS!!!
1 Define ldap user in the Active directory!
2 Define ldap search filters
3 Add users in the GrafanaUserGroup!
4 In ldap config of grafana change port to 636!
5 enable use ssl!
6 enable ssl check!
7 Forget about client certificates, client keys and ca root certificates!!!
By default Grafana windows version understand from Local Microsoft Certificate store!!!

If the server is joined to the Domain controller, the server receive his root ca certificate, and his own server certificate is automatically signed by the Ca server during joining to the domain.
I am no sure exactly how it works, but all needed certificates are in local Microsoft Certificate Store of the Grfana Microsoft Server!!!
Just ignore configuration regarding certificates with #

I am so excited and happy!

I checked communication with Wireshark:
tcp.port eq 636
And I prove it with Wireshark!

Best Regards!!!

Thank you for the help :slight_smile: