Hello all, I am faced with issues with LDAPS and HTTPS.
Firstly I will give you more details about my environment:
I use Microsoft Windows Server 2019 and Grafana Version v7.4.0 Windows version, open-source edition
My Microsoft Windows Server 2019 is joined to the domain controller.
And the Grafana server is installed in Microsoft Windows Server 2019.
If I understand correctly, Grafana standalone doesn't support HTTPS and needs a proxy server?
In Linux this job could be done with an apache2 server as a proxy server?
Do you have a solution under Microsoft how could we solve this HTTPS issue?
With stunnel in two sides in the Microsoft Windows Server 2019 and in the Domain controller?
I want to use a signed certificate for the HTTPS from Microsoft Ca server is it possible to do it?
And it's not acceptable to install third-party applications on the domain controller…
And for LDAPS, do I need the Linux version of Grafana and a little system modification to implement LDAPS?
I found this in my research, but it's old, from 2015.
Someone solve this issue with little system modification:
But we are on the Microsoft version of Grafana… is it possible to run LDAPS between the Windows version of Grafana and a Microsoft DC with Active Directory using a certificate signed by a Microsoft CA server?
Please could you share your opinion, proposal, experience regarding the topic?
Thank you in advance for your feedback.
I remain at your disposal.
Best regards.
Hello Melrose,
Thank you for joining the discussion.
First, is it possible or not with Microsoft OS to achieve HTTPS and LDAPS goals by using certificates signed by Microsoft CA server?
If I should migrate to Linux, could you confirm 100% that on Linux I can implement HTTPS and LDAPS successfully with signed certificates from the Microsoft CA server?
I will use Grafana server in an internal network without an internet connection under the Microsoft environment.
Cert/key must be in PEM format and in a file - so don't expect any Windows native integration - just export them to a file in the correct PEM format and that's it.
Of course that's not stopping you from using any reverse proxy which supports SSL offloading in front of Grafana. It can be even better if it has native Windows cert store integration, so you won't need to export certs/keys to PEM files. You also need a reverse proxy if you want to customize TLS - e.g. allowed ciphers, cipher order preference, TLS versions, … - because that's not customizable in Grafana.
2.) LDAPS
Again, it's just configuration: use_ssl=true, and optionally root_ca_cert if the CA cert is not available in the system cert store:
Debugging problems: standard - just increase log levels, check the logs and, based on the details from the logs, tweak the Grafana configuration.
You confirm that it's possible to use the Windows version of Grafana with HTTPS and LDAPS in a Microsoft environment?
Could you tell me more about certificates?
I see Ca certificate and personal certificate in the Windows Server 2019.
I can export them in .cer format using DER and Base64 X.509 format.
I tried but I receive errors; I am sure I don't use the right format of the certificates.
This is regarding LDAPS.
Regarding the web and HTTPS, I tried the https protocol, port 3000, and a certificate signed by the CA for the machine in the same format as for LDAPS…
protocol, cert_file, cert_key
Protocol is clear.
Cert file is clear (maybe my format is wrong, it's the native Microsoft format)…
Cert key - I don't have a cert key file; how do I generate it?
I tried HTTPS, yes it works with an SSL certificate generated by a public certificate authority in crt and key format.
How can I implement SSL with Microsoft certificates?
And how to export them in crt and key format?
Usually when I export them they come in cer format without a key.
You are really on the wrong forum if you are asking here how to get a server certificate in PEM format (it's not a client/personal certificate!) from Windows Server 2019. PEM format is required by Grafana and you should check the documentation of the system you are using for how to obtain it from that system. Google is always a good starting point to find the answer - Let Me Google That
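The reply above says PEM is required and leaves the export to the reader. As an added example (mine, not code from any poster in this thread or from Grafana), here is a small Python check for the files the Windows export wizard writes: it classifies a file by content rather than by its .cer/.crt/.pem extension (the wizard's "Base-64 encoded X.509" is already PEM; "DER encoded binary X.509" is not), converts DER to PEM the way `openssl x509 -inform der` would, and lists the PEM blocks so you can see whether a file actually contains a private key, which is what Grafana's `cert_key` needs and what a plain .cer export never carries. The sample bytes are constructed minimal ASN.1 structures, not real certificates.

```python
import base64
import textwrap


def _inner_tag(der: bytes):
    """Tag of the first element inside the outer ASN.1 SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    n = der[1]
    off = 2 if n < 0x80 else 2 + (n & 0x7F)  # short vs long-form length
    return der[off] if off < len(der) else None


def detect_format(data: bytes) -> str:
    """Classify an exported file by content.

    "pem"       Base-64 text with -----BEGIN ...----- armour (what Grafana wants)
    "der-cert"  DER certificate: SEQUENCE { SEQUENCE tbsCertificate, ... }
    "der-other" DER, but not a certificate (PKCS#12 .pfx or a bare key both
                start SEQUENCE { INTEGER ... }); convert with openssl pkcs12/pkey
    "unknown"   anything else
    """
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):
        return "pem"
    tag = _inner_tag(head)
    if tag == 0x30:
        return "der-cert"
    if tag is not None:
        return "der-other"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block: base64 body folded at 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text: str) -> list:
    """Labels of all PEM blocks in order, e.g. ["CERTIFICATE", "CERTIFICATE"]."""
    labels = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            labels.append(line[len("-----BEGIN "):-len("-----")])
    return labels


def has_private_key(text: str) -> bool:
    """True if the file carries a key block; cert_key must, cert_file need not."""
    return any(label.endswith("PRIVATE KEY") for label in pem_blocks(text))


def to_pem_if_needed(data: bytes) -> str:
    """Return PEM text for an exported certificate in either Windows format."""
    fmt = detect_format(data)
    if fmt == "pem":
        return data.decode("ascii")
    if fmt == "der-cert":
        return der_to_pem(data)
    raise ValueError(f"{fmt}: not a certificate; a .pfx needs openssl pkcs12")


# Constructed samples (assumptions, not real certificates): a minimal DER
# SEQUENCE containing an empty SEQUENCE, and a placeholder key block.
SAMPLE_DER = b"\x30\x02\x30\x00"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in (("ca.cer (DER)", SAMPLE_DER), ("ca.pem", SAMPLE_PEM.encode()),
                       ("key.pem", SAMPLE_KEY_PEM.encode())):
        text = to_pem_if_needed(blob)
        print(f"{name}: {detect_format(blob)} blocks={pem_blocks(text)} "
              f"private_key={has_private_key(text)}")
```

The private key never comes out of the Windows store as PEM: export it as a .pfx and unpack it with `openssl pkcs12 -in server.pfx -nocerts -nodes -out key.pem` (and `-clcerts -nokeys -out cert.pem` for the certificate); `has_private_key` on the result should be true before you point `cert_key` at it.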
HTTPS is okay I implemented it successfully.
But please could you help me with LDAPS?
t=2021-03-09T23:18:13+0100 lvl=eror msg="Failed to obtain the LDAP configuration. Please verify the configuration and try again" logger=context userId=1 orgId=1 uname=admin error="Failed to load LDAP config file: Near line 21 (last key parsed 'servers.root_ca_cert'): invalid escape character 'P'; only the following escape characters are allowed: \b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX" remote_addr=192.168.0.20
My configuration:
```toml
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "192.168.0.100"
# Default port is 389 or 636 if use_ssl = true
#port = 389
port = 636
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
#use_ssl = false
use_ssl = true
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false #start_tls = true
# set to true if you want to skip ssl cert validation
#ssl_skip_verify = true
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
```
I generated a CSR for LDAPS first from Linux with OpenSSL.
I signed it with the SSL template from the MS CA server using PowerShell and cmd.
I converted the signed certificate to .pem with OpenSSL under Linux.
In the end I changed the file from pem to crt.
But without success.
I exported the root CA certificate in DER X.509 from the server with Grafana, converted it to pem and then renamed it to crt.
But without success.
I also tried with the default .pem, the same error.
Please spend a minute and learn how to format code in your posts (it's simple markdown). Make it easy to read for users, pls.
You have the error and the line of the config where the error is, so you know what's wrong (sorry, I didn't spend my time to see what's wrong due to the terrible formatting).
I don't understand why you need a CSR. You are not creating LDAPS, you are connecting to an existing LDAPS endpoint - generally to some TLS endpoint - so you usually need only CA certs on the client (Grafana) side. You need a client cert/key only if LDAPS requires a client certificate (mutual TLS/mTLS/client TLS). I would recommend spending a few minutes on the TLS concept to understand the topic and terms.
This is my first error:
"Failed to load LDAP config file: Near line 21 (last key parsed 'servers.root_ca_cert'): invalid escape character 'P'; only the following escape characters are allowed: \b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX" remote_addr=192.168.0.20"
I tried to skip client certificates.
And in my config file I tried to use only CA certificate.
But the Grafana config file can't read it…
I exported the CA certificate from the Grafana Windows Server machine, from its local certificate store, from the trusted certificates folder.
I tried with crt, cer, and pem without success…
I tried and export from Windows server machine,
moving the exported CA certificate to another Linux host and converting it to pem format using OpenSSL, but it doesn't help…
Please could you give me guidance?
The scenario is:
Microsoft Server 2019 with Grafana wants to talk LDAPS with DC01 using the CA certificate from the CA01 server.
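The log line quoted twice above is not about the certificate at all: TOML treats a backslash inside a double-quoted ("basic") string as an escape, so a Windows path such as `C:\Program Files\...` fails on `\P`, and the file is rejected before any certificate is read. As an added example (mine, not from any poster or from Grafana), here is a checker that reproduces that rule, plus two rewrites that fix it: a single-quoted TOML literal string, in which no escape processing happens, or forward slashes, which Windows also accepts. It also flags the nastier case where the path only contains letters that are valid escapes (`\t`, `\r`, ...) and so parses fine but silently turns into a path containing control characters. The config lines are constructed to resemble the failing one; the path is an assumption. `tomllib` (Python 3.11+) is used only to cross-check when available.

```python
import re

try:  # Python 3.11+ ships a TOML parser; used only to cross-check the findings
    import tomllib
except ImportError:
    tomllib = None

# Escapes TOML allows in a basic "..." string: the exact list in Grafana's error.
SIMPLE_ESCAPES = set('btnfr"\\')
# Valid escapes that are almost never intended inside a Windows path.
CONTROL_ESCAPES = set("btnfr")


def scan_escapes(line: str) -> list:
    """Report every backslash inside a basic string on one TOML line.

    Returns (index, next_char, kind) tuples: kind "invalid" means the parser
    rejects the file (the error above); "control" means it is accepted but the
    value silently gains a tab/newline/CR/form-feed/backspace. Single-quoted
    literal strings and comments are skipped, as TOML does not process them.
    Single-line strings only; triple-quoted strings are not handled.
    """
    findings = []
    in_basic = False
    i = 0
    while i < len(line):
        c = line[i]
        if not in_basic:
            if c == "#":
                break
            if c == '"':
                in_basic = True
            elif c == "'":
                end = line.find("'", i + 1)
                if end == -1:
                    break
                i = end
        elif c == '"':
            in_basic = False
        elif c == "\\":
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if nxt in CONTROL_ESCAPES:
                findings.append((i, nxt, "control"))
                i += 1
            elif nxt in SIMPLE_ESCAPES:
                i += 1
            elif nxt == "u" and re.fullmatch(r"[0-9A-Fa-f]{4}", line[i + 2:i + 6]):
                i += 5
            elif nxt == "U" and re.fullmatch(r"[0-9A-Fa-f]{8}", line[i + 2:i + 10]):
                i += 9
            else:
                findings.append((i, nxt, "invalid"))
        i += 1
    return findings


_ASSIGN = re.compile(r'^(\s*[A-Za-z0-9_.-]+\s*=\s*)"([^"]*)"(\s*(?:#.*)?)$')


def to_literal_string(line: str) -> str:
    """Rewrite key = "..." as key = '...': single quotes turn off escapes."""
    m = _ASSIGN.match(line)
    if not m or "'" in m.group(2):
        return line
    return f"{m.group(1)}'{m.group(2)}'{m.group(3)}"


def to_forward_slashes(line: str) -> str:
    """Alternative fix: keep the basic string but use '/' separators."""
    m = _ASSIGN.match(line)
    if not m:
        return line
    value = m.group(2).replace("\\", "/")
    return f'{m.group(1)}"{value}"{m.group(3)}'


def parsed_value(line: str):
    """What the real parser produces for a single key line; None if unavailable
    or rejected, so callers can see the silently mangled path case."""
    if tomllib is None:
        return None
    try:
        return next(iter(tomllib.loads(line).values()))
    except tomllib.TOMLDecodeError:
        return None


# Constructed sample lines modelled on the failing config (paths are assumptions).
BAD_LINE = r'root_ca_cert = "C:\Program Files\GrafanaLabs\grafana\conf\ca.pem"'
SNEAKY_LINE = r'root_ca_cert = "C:\temp\root.pem"'  # parses, but \t and \r are escapes

if __name__ == "__main__":
    for line in (BAD_LINE, SNEAKY_LINE):
        print(line)
        for idx, ch, kind in scan_escapes(line):
            print(f"  col {idx}: \\{ch} is {kind}")
        print("  literal :", to_literal_string(line))
        print("  slashes :", to_forward_slashes(line))
        print("  parsed  :", repr(parsed_value(line)))
```

Either rewrite is enough for Grafana; the literal-string form is the one to prefer in `ldap.toml` on Windows because it keeps the path exactly as Explorer shows it.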
I want to tell you that I successfully implemented HTTPS and LDAPS!
From Microsoft version of Grafana under Microsoft Server OS!
HTTPS:
The solution is:
1 Generate a CSR under Linux using OpenSSL and transfer the private key to the Grafana server.
2 Transfer the CSR file to the CA server and sign it with the CA server using the web server template, using PowerShell and cmd!
Please read here for more details:
3 Transfer the signed certificate to Linux and with OpenSSL convert it to PEM!
4 Rename it to .crt
5 Transfer it to the Grafana server!
6 In the Grafana config file change HTTP to HTTPS!
Change port to 443!
Unblock port 443 in the Microsoft Firewall!
Enable the certificate options and define the paths to the certificate and key files!
7 Restart the Grafana service and voilà!
The important parameters in the CSR are:
CN
FQDN
DNS name
IP
These parameters are the minimum!
Now for LDAPS!!!
1 Define an LDAP user in Active Directory!
2 Define the LDAP search filters
3 Add users to the GrafanaUserGroup!
4 In the LDAP config of Grafana change the port to 636!
5 enable use_ssl!
6 enable the ssl check!
7 Forget about client certificates, client keys and ca root certificates!!!
By default the Grafana Windows version reads from the local Microsoft Certificate store!!!
If the server is joined to the domain, the server receives its root CA certificate, and its own server certificate is automatically signed by the CA server during joining to the domain.
I am not sure exactly how it works, but all needed certificates are in the local Microsoft Certificate Store of the Grafana Microsoft Server!!!
Just comment out the configuration regarding certificates with #
I am so excited and happy!
I checked communication with Wireshark:
tcp.port eq 636
And I prove it with Wireshark!
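A Wireshark filter on port 636 shows that the session is encrypted, but not that the DC's certificate was actually validated against the enterprise CA or that its name matched. As an added example (mine, not the poster's or Grafana's code), here is a Python probe that performs the same check Grafana performs with `ssl_skip_verify = false`: a full TLS handshake with chain and hostname verification, then a summary of the certificate it saw. With `cafile=None`, Python's default context loads the system trust store, which on Windows is the machine's Root and CA stores, the same source the poster relied on. The DC name `dc01.corp.example`, the CA name `corp-CA01-CA` and the sample certificate dict (constructed in the shape `getpeercert()` returns) are assumptions. One caveat it makes visible: the config above connects to `host = "192.168.0.100"`; with verification on, the name you connect with must be in the certificate's SAN, and an IP only matches an IP SAN, so connecting by the DC's FQDN is the usual way to make that work.

```python
import socket
import ssl

LDAPS_PORT = 636


def summarize_cert(cert: dict) -> dict:
    """Reduce the dict from SSLSocket.getpeercert() to what matters for LDAPS."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = cert.get("subjectAltName", ())
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_sans": [v for t, v in sans if t == "DNS"],
        "ip_sans": [v for t, v in sans if t == "IP Address"],
        "not_after": cert.get("notAfter"),
    }


def name_matches(summary: dict, host: str) -> bool:
    """Approximate the name check a TLS client applies: the name you connect
    with must appear in the SAN. An IP only matches an IP SAN, never a DNS SAN."""
    if host in summary["ip_sans"]:
        return True
    h = host.lower()
    for san in summary["dns_sans"]:
        s = san.lower()
        if s == h:
            return True
        # single-label wildcard: *.corp.example matches dc01.corp.example only
        if s.startswith("*.") and h.endswith(s[1:]) and h.count(".") == s.count("."):
            return True
    return False


def probe_ldaps(host: str, ca_pem: str = None, expected_issuer_cn: str = None,
                port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a verified TLS session to the DC and return the certificate summary.

    cafile=None uses the system trust store (on Windows: the machine's Root/CA
    stores, so a domain-pushed enterprise CA is trusted without exporting it);
    pass ca_pem to pin one root instead. Raises ssl.SSLCertVerificationError
    when the chain or the name does not verify, which is what Grafana hits
    with ssl_skip_verify = false.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            summary = summarize_cert(tls.getpeercert())
            summary["tls_version"] = tls.version()
    if expected_issuer_cn and summary["issuer_cn"] != expected_issuer_cn:
        raise ValueError(f"issued by {summary['issuer_cn']!r}, expected {expected_issuer_cn!r}")
    return summary


# Constructed sample in the shape getpeercert() returns, standing in for a DC
# certificate issued by an enterprise CA (names are assumptions, not real hosts).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("domainComponent", "example"),), (("domainComponent", "corp"),),
               (("commonName", "corp-CA01-CA"),)),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example")),
    "notAfter": "Mar  9 23:18:13 2022 GMT",
}

if __name__ == "__main__":
    s = summarize_cert(SAMPLE_PEER_CERT)
    print(s)
    print("by FQDN:", name_matches(s, "dc01.corp.example"))  # True
    print("by IP:  ", name_matches(s, "192.168.0.100"))      # False: no IP SAN
    # Live check against a real DC (needs network and the DC name from your domain):
    # print(probe_ldaps("dc01.corp.example", expected_issuer_cn="corp-CA01-CA"))
```

Run the live call from the Grafana host itself, since that is the trust store and network path Grafana uses; if it raises a verification error, Grafana will fail the same way, and the fix is to trust the right CA or connect by a name in the SAN, not to set `ssl_skip_verify = true`.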