How to force Grafana Cloud server to use ssl client certs when making postgres connection

I am trying to migrate from a local grafana server instance running on my laptop, to a Grafana Cloud server instance.

My (remote) postgres server requires that clients connect with ssl certs, not username/password. On my local Grafana server, I set sslmode = ‘require’, and pass the paths to my client ssl cert and key in env variables or .ini file. Grafana has no difficulty connecting and making queries to my postgres db.

HOWEVER, when I set up my Grafana Cloud instance, I know of no way to pass the Grafana Cloud server instance my client ssl cert and key. So when I attempt to configure postgres, I receive the following error:
‘pq: connection requires a valid client certificate’

Is there a mechanism for doing this? Any help would be appreciated.

Thanks,
Scott

Just out of curiosity what env variables and what .ini configuration did you have set to connect to your psql instance?

I have the same question. I have a Postgres Cloud SQL instance running in Google Cloud, it requires clients to connect using SSL.

Connections are working from Intellij by supplying these properties:

ssl: true
sslmode: require
sslcert: .../client-cert.pem
sslkey: .../client-key.pk8
sslrootcert: .../server-ca.pem

In my hosted Grafana server config I can find where to specify sslmode but I cannot find where to specify sslcert, sslkey and sslrootcert.

(BTW, I had to convert the private key in order to make it work: openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.pk8 -nocrypt)
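A local check related to the key conversion mentioned above, as an added example that is not part of any post in this thread: it confirms that a client certificate and a private key share the same public key, and writes the PKCS#8 DER copy of the key. The function names and file names are hypothetical, and the certificates are throwaway ones constructed by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread). All names here are hypothetical.

# pubkey_fp KIND FILE: SHA-256 of the public key held in FILE.
# KIND: cert (PEM certificate), pem (PEM private key), der (DER private key).
pubkey_fp() {
  case "$1" in
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    pem)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    der)  pub=$(openssl pkey -inform DER -in "$2" -pubout 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1   # unreadable or wrong file type: fail, never hash empty input
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# pair_matches CERT KEY [KIND]: succeeds only when KEY is the private key for CERT.
pair_matches() {
  cert_fp=$(pubkey_fp cert "$1") || return 1
  key_fp=$(pubkey_fp "${3:-pem}" "$2") || return 1
  [ "$cert_fp" = "$key_fp" ]
}

# to_pk8_der IN.pem OUT.pk8: unencrypted PKCS#8 DER copy of a PEM private key.
# The output is a plaintext private key, so it is created owner-readable only.
to_pk8_der() {
  ( umask 077
    openssl pkcs8 -topk8 -inform PEM -outform DER -in "$1" -out "$2" -nocrypt )
}

# make_pair DIR NAME: constructed throwaway self-signed pair used as sample input.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_pair "$d" a && make_pair "$d" b
  to_pk8_der "$d/a-key.pem" "$d/a-key.pk8"
  pair_matches "$d/a-cert.pem" "$d/a-key.pem"     && echo "cert a + key a (PEM): match"
  pair_matches "$d/a-cert.pem" "$d/a-key.pk8" der && echo "cert a + key a (DER): match"
  pair_matches "$d/a-cert.pem" "$d/b-key.pem"     || echo "cert a + key b: MISMATCH"
  pair_matches "$d/a-cert.pem" "$d/a-cert.pem"    || echo "certificate passed as key: rejected"
  rm -rf "$d"
}
demo
```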

I recently came across the following two links:

Hasn’t helped just yet. However, it should give you an understanding of how to apply the SSL certs to the datasource configuration.

Thank you for replying.

I am able to easily run Grafana on my laptop, and have no problems accessing my (internet-accessible) PostgreSQL DB, using SSL.
I gave up on Grafana Cloud in June. I thought I would try it once again this weekend, before turning to other online services. Once again, the Grafana Cloud offering has disappointed and frustrated me.

WRT using yaml to provision PostgreSQL connectivity, Grafana Cloud does not permit me to submit a yaml file (other than by contacting support, which to me is a non-starter for a web service).

I have resorted to using the API to update my PostgreSQL datasource configuration. After a couple of hours, I was able to GET and PUT my PostgreSQL configuration, by translating the datasource provisioning yaml into JSON.

I am able to successfully change parameters as expected, although I am unable to confirm that my keys (passed in secureJSON) were received correctly, as the secureJSON is (correctly) never returned. And despite using the same PostgreSQL certs for my local Grafana instance as well as for DBeaver, Grafana Cloud still fails to connect with my PostgreSQL DB with: ‘pq: connection requires a valid client certificate’

Thanks for your help!

I am also facing the same error "pq: connection requires a valid client certificate" while trying to configure an SSL connection in Grafana (custom.ini) to PostgreSQL on Windows 10.

Please find below the parameters which I have enabled in the custom.ini file.

```ini
# Protocol (http, https, h2, socket)
protocol = http

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = http://grafana.staged-by-discourse.com

# Serve Grafana from subpath specified in root_url setting. By default it is set to false for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = true

# the path relative working path
;static_root_path = public

# enable gzip
;enable_gzip = false

# https certs & key file
cert_file = D:\IDM TEAM 2\drivers\postgresql.crt
cert_key = D:\IDM TEAM 2\drivers\postgresql.pk8

# Unix socket path
;socket =

#################################### Database ####################################
[database]
# You can configure the database connection by specifying type, host, name, user and password
# as separate properties or as on string using the url properties.

# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
host = 152.81.32.24:30120
name = telecomdb
user = fet_user

# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
password = P@ssw0rd

# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
;url =

# For "postgres" only, either "disable", "require" or "verify-full"
ssl_mode = require
```

Can anyone please tell me what parameters I should take care of to overcome this issue?

The same issue for me.
How to connect a Postgres instance with SSL?