SSL for Grafana error: tls: first record does not look like a TLS handshake

phoenix123 · July 6, 2017, 1:26pm

Im trying to secure Grafana using SSL and have used a self signed certificate using this link: https://www.akadia.com/services/ssh_test_certificate.html
However i am getting site cannot be reached error when going to https://<myinternalhostname.com>.

These are the things ive added to the /etc/grafana/grafana.ini
[server]
protocol = https
cert_file = /usr/sbin/server.crt
cert_key = /usr/sbin/server.key

when doing sysemctl status grafana-server i get the message
TLS handshake error from 127.0.0.1:48610: tls: first record does not look like a TLS handshake

daniellee · July 7, 2017, 9:56am

The config looks correct, all you should need are those 3 settings.

Have you verified your cert and checked your key? You can also check that the md5’s of the cert and key match.

openssl req -text -noout -verify -in server.csr

openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout
openssl verify /etc/ssl/certs/ssl-cert-snakeoil.pem

openssl rsa -in /your/path/your.key -check

Check that the MD5’s match:

openssl x509 -noout -modulus -in selfsignedcert.pem| openssl md5
openssl rsa -noout -modulus -in selfsignedkey.key| openssl md5

You can also quickly create a self-signed cert to test using this (shorter version than in the article you linked to that doesn’t create a csr):

openssl req -x509 -newkey rsa:4096 -keyout key.key -out cert.pem -days 365

Then remove the password:

openssl rsa -in selfsignedkeywithpass.key -out selfsignedkey.key

phoenix123 · July 7, 2017, 10:30am

no luck, verified the certs are correct but still getting the same error

daniellee · July 7, 2017, 10:53am

Did you try creating a self signed cert without the CSR?

phoenix123 · July 7, 2017, 11:19am

yes, i used the commands that you posted. i have noticed that the port number on 127.0.0.1:48610 keeps changing

daniellee · July 7, 2017, 11:20am

That sounds very strange. Why is the port number changing? What do you have configured in your ini file? The default is 3000.

I tested a self-signed cert locally while answering this topic and it worked for me. The error message you are getting is the same as when you try to visit http instead of https. So if the port is wrong that might explain it.

garryrobertson · November 30, 2018, 7:47am

Was this issue resolved?
I am getting a similar error with changing port numbers.

kemix · May 13, 2019, 11:05am

@daniellee Even I am getting the same error when I try to use https with a self-singed cert created by openssl. Please help!

Thanks.

daniellee · May 14, 2019, 1:05pm

Can you give some more details? What does your config file look like? Have you verified your cert (like described above)?

kemix · May 15, 2019, 7:07am

I have generated a self-signed certificate using opeenssl just to check how https works with grafana. Answer for your question is No, I am not using a verified certificate.

and my config is as follows ;

[server]

protocol = https
cert_file = $GRAFANA_HOME/server.crt
cert_key = $GRAFANA_HOME/server.key

When using http all the connections are working perfectly.

The error looks like this, my assumption is the reason to this is a problem with cert file since it is a self-signed one.

As i have understand this IP is from sqlite server. and it is using http to connect. So is tries to reconnect by changing the pot.

PS : I am using my own auth server for authentications.

daniellee · May 24, 2019, 8:03am

Did you try using an absolute path instead of $GRAFANA_HOME?
By verifying, I mean verifying that the files are valid see my previous answers on this thread. As you didn’t follow the steps I outlined above (you would have a PEM file and not a crt file if you had), I’m not sure if you created them correctly.
What is 127.0.0.1:57415? Is that your auth server?

eduardogodinho · May 30, 2019, 1:36pm

I followed this brazilian tutorial and I’m having the same problem as decribed on this topic. After running grafana, it keeps spamming “TLS handshake error from 127.0.0.1:48610: tls: first record does not look like a TLS handshake” on console, with different ports.

The app runs correctly on browser, even though that it gives the warning of insecure connection and “NET::ERR_CERT_AUTHORITY_INVALID”.
The problem might be that the certificate is self-signed and not trusted right?

kemix · June 3, 2019, 3:44am

I did followed your above mentioned steps correctly. By doing a simple i found that this error occurs when your client tries to connect to http while your server is https. So i have to change that into support https.

wutingbupt · July 14, 2020, 7:51am

Hi @daniellee, do you have any update for this issue? We have the similar issue also.

Br,
Tim

msaeed1 · May 9, 2024, 5:36pm

I am getting the same error now. was there any workaround for it

Topic		Replies	Views
TLS Handshake error Configuration	0	993	November 30, 2018
Remote error: tls: handshake failure Grafana plugins	9	2738	August 8, 2024
/etc/ssl/private/grafana.key: permission denied Authentication	2	6115	August 18, 2024
How configure SSL connection to MySQL with TLSv1.2? Grafana datasource , mariadb	3	1014	April 9, 2024
Grafana/SSL/FQDN Configuration	1	762	May 23, 2023

SSL for Grafana error: tls: first record does not look like a TLS handshake

Related topics