Grafana with https - Cannot find SSL cert_file

I’m running Grafana in a Docker container on my NAS. Everything is fine when using http. However, I fail to start the container when I set up Grafana for https, as the certificate file can’t be found according to the Docker log.

I created a self-certificate using OpenSSL in order to use Grafana with https. I modified the docker script to overwrite the environment Server section for https and defined the path for the cert and key file.

  INFO[12-08|12:28:50] Config overridden from Environment variable logger=settings var="GF_SERVER_PROTOCOL=https"
  INFO[12-08|12:28:50] Config overridden from Environment variable logger=settings var="GF_SERVER_CERT_FILE=/share/CACHEDEV2_DATA/Container/grafana/config/ssl/grafana.crt"
  INFO[12-08|12:28:50] Config overridden from Environment variable logger=settings var="GF_SERVER_CERT_KEY=/share/CACHEDEV2_DATA/Container/grafana/config/ssl/grafana.key"

As far as I can see, this seems to be fine; however, for an unknown reason the cert file isn’t found, even though it is available in the defined path.

INFO[12-08|12:28:50] HTTP Server Listen                       logger=http.server address=0.0.0.0:3000 protocol=https subUrl= socket=
EROR[12-08|12:28:50] Stopped HTTPServer                       logger=server reason="Cannot find SSL cert_file at /share/CACHEDEV2_DATA/Container/grafana/config/ssl/grafana.crt"

When I check the path, I see it is valid:

[/share/CACHEDEV2_DATA/Container/grafana] # ls -l /share/CACHEDEV2_DATA/Container/grafana/config/ssl/grafana.crt
-rw-r--r-- 1 admin administrators 1228 2019-12-08 10:55 /share/CACHEDEV2_DATA/Container/grafana/config/ssl/grafana.crt

Any idea what could be the reason for this? Could the Certificate be invalid and the error message is just misleading?

Many thanks for a hint.

Stefan

It has been a while since you asked, but if for some reason someone gets to this post: the matter is the cert file paths. You need to place the cert files somewhere the inner container user can access them, for example: /etc/ssl. I previously copied the letsencrypt certs into a /certs folder inside the letsencrypt grafana site directory:

  grafana:
    image: grafana/grafana
    container_name: grafana
    environment:
      GF_SECURITY_ADMIN_USER: ${GRAFANA_USER}
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD}
      GF_SERVER_HTTP_PORT: 443
      GF_SERVER_PROTOCOL: https
      GF_SERVER_ROOT_URL: https://grafana.mydomain.com/
      GF_SERVER_CERT_FILE: /etc/ssl/grafana.crt
      GF_SERVER_CERT_KEY: /etc/ssl/grafana.key
    user: '0'
    ports:
      - "443:443"
    volumes:
      - grafana_data:/var/lib/grafana
      - /etc/letsencrypt/live/grafana.mydomain.com/certs:/etc/ssl
    restart: unless-stopped
    networks:
      - mynetwork

It’s important that you specify user: '0' because the grafana user has no permission to access /etc/ssl.

Yeah, but you just sacrificed some security. You made a container where the app is running under root (user ID 0), from a by-default secure rootless container. Make sure you understand the consequences and accept the risk from this change. I wouldn’t recommend it generally.
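A variant of the compose service above that serves HTTPS without `user: '0'`, added here as an example and not posted by anyone in this thread: the certificate files are made readable for the image's unprivileged user and mounted read-only. It assumes the official image runs as UID 472 by default and that Docker user-namespace remapping is not in use; the `./certs` directory and the `/etc/grafana/ssl` mount point are placeholder names.

```yaml
# Constructed example: ./certs, /etc/grafana/ssl and the hostname are placeholders.
# Host-side preparation (run once, and again after each certificate renewal),
# assuming the image's default user is UID 472:
#   chown -R 472 ./certs
#   chmod 0500 ./certs
#   chmod 0444 ./certs/grafana.crt
#   chmod 0400 ./certs/grafana.key
services:
  grafana:
    image: grafana/grafana
    container_name: grafana
    # No "user:" override, so the process keeps the image's unprivileged default user.
    environment:
      GF_SECURITY_ADMIN_USER: ${GRAFANA_USER}
      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_PASSWORD}
      GF_SERVER_PROTOCOL: https
      GF_SERVER_ROOT_URL: https://grafana.mydomain.com/
      # These are paths inside the container, not paths on the host.
      GF_SERVER_CERT_FILE: /etc/grafana/ssl/grafana.crt
      GF_SERVER_CERT_KEY: /etc/grafana/ssl/grafana.key
    ports:
      # Grafana stays on its default port 3000 inside the container, so the
      # non-root process never has to bind a privileged port; 443 is published
      # on the host side only.
      - "443:3000"
    volumes:
      - grafana_data:/var/lib/grafana
      # Read-only bind mount: the container can read the key but not replace it.
      - ./certs:/etc/grafana/ssl:ro
    restart: unless-stopped

volumes:
  grafana_data:
```

Running `docker exec grafana ls -l /etc/grafana/ssl` after start-up shows whether the files are visible at the configured path inside the container, which is the check the `ls -l` on the host in the original question could not provide.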