SSL/TSL cert permission denied when files not in /etc/grafana


I am using LetsEncrypt’s certbot to auto-renew SSL/TSL certs every 3 months on an Ubuntu machine.

The cert works fine if I place the *.pem files into /etc/grafana and change the grafana.ini file to point to that location.

However, if the *.pem files are left in /etc/letsencrypt/live/<my-domain> then Grafana fails to start with the following appearing in grafana.log:

t=2021-12-13T09:28:35+0100 lvl=eror msg="Stopped HTTPServer" logger=server reason="open /etc/letsencrypt/live/<my-domain>/fullchain.pem: permission denied"
t=2021-12-13T09:28:35+0100 lvl=eror msg="Server shutdown" logger=server error="HTTPServer run error: open /etc/letsencrypt/live/<my-domain>/fullchain.pem: permission denied"

I’ve tried everything I can think of, and have even set the permissions for both the /etc/letsencrypt/live/<my-domain> folder and pem files to drwxrwxrwx for all users (chmod a+rwx)

It’s important to me that I can specify that location for Grafana to read from so that I don’t need to copy the files over every time the SSL / TSL certs auto-renew every 3 months.

Why can Grafana not access those pem files in that location?


are you serving Grafana behind a reverse proxy like nginx?

Hi matt, yes I am using a reverse proxy…

Are you running 8.3.5+? If so, you might need to add a new header to your config. This was noted in the changelog but it was buried: