Remote error: tls: handshake failure

Hi.
I’m using Infinity plugin; I have a URL that I’m getting the error above when I’m trying to reach into.

With CURL command from the Grafana Ubuntu server - I’m getting the correct result (also getting “SSL certificate verify ok.”)
Only from the plugin I’m getting

remote error: tls: handshake failure

grafana server: Grafana v11.0.1
plugin version: 2.95

Any ideas, please?

Hello @dkobi84

It could be because you played with the SSL/TLS configuration on your Grafana server.
A quick workaround would be to manually add the remote TLS cert in a file and update the SSL/TLS conf of your Grafana.

You can check the TLS cert using:

openssl s_client -connect your_server_with_port
# not needed but if you only want to see the cert add " | openssl x509"

If you copy it manually, you must also select the --BEGIN--- and --END-- part as the cert.

Then something like:

mkdir /etc/grafana/certs
cp /path/to/infinity-ca.cert /etc/grafana/certs/

In the Grafana.ini, in the [server] parameter, uncomment the cert_file option and add the etc path.

Be aware, if I remember correctly, if no cert_file is provided Grafana uses the system one; if you change that, you’ll basically block Grafana to only have one certificate.
So another workaround would be to fully update your system certificates. But since I don’t know what you have, play with this carefully.

cp /path/to/infinity-ca.cert /usr/local/share/ca-certificates/custom-ca.crt
update-ca-certificates

Then in both cases, restart the Grafana instance.

Let me know how it goes!

I already added the remote cert to the Grafana server,
so unfortunately, it did not solve my issue.
Also, you can see the output for the curl

there is no issue with the certificate

I didn’t know you had already added the cert, this is weird…
How did you install the plugin?

grafana-cli plugins install yesoreyeram-infinity-datasource

Did you restart the instance after that?

yes,
still the same behavior

How is Grafana installed/deployed? What’s OS version? Do you have CA and Intermediate CAs in pem format? Provide full formatted text (not image) output from curl -v ... pls

curl -v --location 'https://XXXX:5392/versions' | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 1.2.3.4:5392...
* Connected to XXXX (1.2.3.4) port 5392 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [49 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2662 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [1039 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [390 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: --------
*  start date: Oct 10 11:52:39 2021 GMT
*  expire date: Oct 9 11:52:39 2026 GMT
*  subjectAltName: host "XXXX" matched cert's "XXXX"
*  issuer: --------
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET /versions HTTP/1.1
> Host: XXXX:5392
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Content-Type: application/json;charset=utf-8
< Date: Thu, 08 Aug 2024 06:30:40 GMT
< nimble-Large-Object: false
< Transfer-Encoding: chunked
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100 106 0 106 0 0 1383 0 --:--:-- --:--:-- --:--:-- 1394
* Connection #0 to host XXXX left intact
{
  "data": [
    {
      "name": "v1",
      "software_version": "---------"
    }
  ],
  "startRow": 0,
  "endRow": 1,
  "totalRows": 1
}

Grafana installed directly on Ubuntu 22.04.4
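
An added diagnostic, not part of the thread and not code from Grafana or the Infinity plugin: the curl trace above negotiated `DHE-RSA-AES256-GCM-SHA384`, while Grafana and its backend plugins are Go programs whose `crypto/tls` implements no finite-field DHE suites, so one explanation consistent with that output is that the server and a Go client share no cipher suite. The sketch below checks whether the suite curl negotiated exists in Go's TLS stack; the function names are hypothetical, the sample line is constructed from the trace, and it assumes the plugin's request goes through `crypto/tls`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
)

// Constructed sample: the negotiated-suite line from the curl -v output above.
const curlLine = "* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384"

// Matches OpenSSL-style names of TLS 1.2 AES-GCM suites only (assumption:
// other suite families are out of scope for this check).
var suiteRe = regexp.MustCompile(
	`SSL connection using TLSv1\.2 / (ECDHE|DHE)-(RSA|ECDSA)-AES(128|256)-GCM-(SHA256|SHA384)`)

// ianaFromCurl extracts the negotiated suite from a curl -v line and
// returns its IANA name, the naming scheme crypto/tls uses.
func ianaFromCurl(line string) (string, bool) {
	m := suiteRe.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	return fmt.Sprintf("TLS_%s_%s_WITH_AES_%s_GCM_%s", m[1], m[2], m[3], m[4]), true
}

// goImplements reports whether this Go toolchain's crypto/tls implements the
// named suite at all, including suites it only enables on explicit request.
func goImplements(iana string) bool {
	lists := [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()}
	for _, list := range lists {
		for _, cs := range list {
			if cs.Name == iana {
				return true
			}
		}
	}
	return false
}

func main() {
	name, ok := ianaFromCurl(curlLine)
	if !ok {
		fmt.Println("no TLS 1.2 AES-GCM suite found in input")
		return
	}
	fmt.Printf("%s implemented by crypto/tls: %v\n", name, goImplements(name))
}
```

If the check reports false and the server offers no ECDHE suite, adding the certificate to any trust store will not change the result; the server's cipher configuration has to include a suite the Go client supports.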