SSL for Grafana error: tls: first record does not look like a TLS handshake

#1

I'm trying to secure Grafana using SSL and have used a self-signed certificate using this link: https://www.akadia.com/services/ssh_test_certificate.html
However, I am getting a "site cannot be reached" error when going to https://<myinternalhostname.com>.

These are the things I've added to /etc/grafana/grafana.ini:
[server]
protocol = https
cert_file = /usr/sbin/server.crt
cert_key = /usr/sbin/server.key

When doing systemctl status grafana-server I get the message:
TLS handshake error from 127.0.0.1:48610: tls: first record does not look like a TLS handshake

#2

The config looks correct, all you should need are those 3 settings.

Have you verified your cert and checked your key? You can also check that the md5’s of the cert and key match.

openssl req -text -noout -verify -in server.csr
openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout
openssl verify /etc/ssl/certs/ssl-cert-snakeoil.pem
openssl rsa -in /your/path/your.key -check 

Check that the MD5’s match:

openssl x509 -noout -modulus -in selfsignedcert.pem | openssl md5
openssl rsa -noout -modulus -in selfsignedkey.key | openssl md5

You can also quickly create a self-signed cert to test using this (shorter version than in the article you linked to that doesn’t create a csr):

openssl req -x509 -newkey rsa:4096 -keyout key.key -out cert.pem -days 365

Then remove the password:

openssl rsa -in selfsignedkeywithpass.key -out selfsignedkey.key

#3

No luck, verified the certs are correct but still getting the same error.

#4

Did you try creating a self signed cert without the CSR?

#5

Yes, I used the commands that you posted. I have noticed that the port number on 127.0.0.1:48610 keeps changing.

#6

That sounds very strange. Why is the port number changing? What do you have configured in your ini file? The default is 3000.

I tested a self-signed cert locally while answering this topic and it worked for me. The error message you are getting is the same as when you try to visit http instead of https. So if the port is wrong that might explain it.
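
To illustrate the point in #6 that this message is what an HTTPS listener reports when a client speaks plain http to it, here is an added example (not part of the thread and not Grafana's code) that feeds constructed bytes to Go's crypto/tls server, the library this error text comes from. The sample request, the host name and the helper name handshakeError are assumptions made for the demo.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
)

// Constructed sample inputs: what two different clients send first.
var (
	// A browser, proxy or health check using http:// against the HTTPS port.
	plainHTTP = []byte("GET /login HTTP/1.1\r\nHost: grafana.example\r\n\r\n")
	// A well-formed TLS record header (handshake type, record version 3.1,
	// 5-byte body announced) that is then cut off.
	truncatedTLS = []byte{0x16, 0x03, 0x01, 0x00, 0x05}
)

// handshakeError feeds firstBytes to a crypto/tls server over an in-memory
// pipe and returns the text of the error its handshake reports.
func handshakeError(firstBytes []byte) string {
	clientSide, serverSide := net.Pipe()
	defer serverSide.Close()
	go func() {
		defer clientSide.Close()
		clientSide.Write(firstBytes) // returns once the server reads or closes
	}()
	// No certificate is configured: both inputs are rejected before the
	// server would need one, so cert and key play no part in this demo.
	err := tls.Server(serverSide, &tls.Config{}).Handshake()
	if err == nil {
		return ""
	}
	return err.Error()
}

func main() {
	fmt.Println("plain HTTP   :", handshakeError(plainHTTP))
	fmt.Println("truncated TLS:", handshakeError(truncatedTLS))
}
```

The address in the logged "TLS handshake error from ..." line is the connecting client's source address, so its port is an ephemeral one that differs on every connection.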

#7

Was this issue resolved?
I am getting a similar error with changing port numbers.

#8

@daniellee Even I am getting the same error when I try to use https with a self-signed cert created by openssl. Please help!

Thanks.

#9

Can you give some more details? What does your config file look like? Have you verified your cert (like described above)?

#10

I have generated a self-signed certificate using openssl just to check how https works with Grafana. The answer to your question is no, I am not using a verified certificate.

And my config is as follows:

[server]

protocol = https
cert_file = $GRAFANA_HOME/server.crt
cert_key = $GRAFANA_HOME/server.key

When using http all the connections are working perfectly.

The error looks like this. My assumption is that the reason for this is a problem with the cert file, since it is a self-signed one.

As I understand it, this IP is from the sqlite server, and it is using http to connect. So it tries to reconnect by changing the port.

image

PS : I am using my own auth server for authentications.