Tls: failed to verify certificate: x509: certificate signed by unknown authority

  • What Grafana version and what operating system are you using? RHEL8 and the Grafana version is 9.5.2

  • What are you trying to achieve? - Trying to connect to Azure Monitor from on-premise Grafana

  • How are you trying to achieve it? From Grafana Dashboards

  • What happened? - We can add the Datasource, but when we try to test it, it fails with the below error… 2. Error connecting to Azure Log Analytics endpoint: health check failed: Post "https://api.loganalytics.io/v1/workspaces/xxxxxxxx/query": tls: failed to verify certificate: x509: certificate signed by unknown authority

  • What did you expect to happen? - Successful connection without Errors

  • Can you copy/paste the configuration(s) that you are having problems with? - Please help us on how to add the cacerts to the Grafana configuration or how to Skip the tls verification?
    Tried multiple options by adding the required certs to the trusts.crt file, used tls_insecure_skip_verify=true, root_ca_cert, ca_cert parameter. None of them are taken as truststore in the defaults.ini file?

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were. - in the grafana console

  • Did you follow any online instructions? If so, what is the URL? There is no concrete information provided in the URL we went through on where and what to add to skip the SSL verification or what parameter to add for the cacerts addition to the defaults.ini file

You need to update CA certificates in your OS. Check your OS for more details.
BTW: RHEL8 has reached end of life, so you may have a problem with that.

Thank you @jangaraj, and is there an option to use in Grafana (defaults.ini file) the Customized Trust Store instead of system wide? Like how we have for LDAP connectivity (in the ldap.toml file)?

No, Grafana is a Golang app, so ask how Golang can use “trust store”.

Golang on linux - The Go Programming Language is trying to find “trust store” in this order:

// Possible certificate files; stop after finding one.
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
	"/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
	"/etc/pki/tls/cacert.pem",                           // OpenELEC
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
	"/etc/ssl/cert.pem",                                 // Alpine Linux
}


// Possible directories with certificate files; all will be read.
var certDirectories = []string{
	"/etc/ssl/certs",     // SLES10/SLES11, https://golang.org/issue/12139
	"/etc/pki/tls/certs", // Fedora/RHEL
}

So use that to “hack” it.

Oh got it… this is great information… thanks a lot @jangaraj
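
The failure and the fix discussed in this thread, reproduced offline as an added example (not part of any post above, and not Grafana's or Go's own code). It verifies a leaf certificate against a root pool that lacks its issuing CA, which yields the thread's `x509.UnknownAuthorityError`, then appends the CA in PEM form as one would to a bundle file. The CA, the host name and the helper names `issue`, `unknownAuthority` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil {
		tpl.KeyUsage, parent, pk = x509.KeyUsageCertSign, tpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// unknownAuthority reports whether verifying leaf against pool fails with
// "x509: certificate signed by unknown authority" (x509.UnknownAuthorityError).
func unknownAuthority(leaf *x509.Certificate, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo checks the same leaf before and after its CA is appended to the pool.
func demo() (failsBefore, failsAfter bool) {
	ca, caKey := issue("Constructed Inspection CA", nil, nil)
	leaf, _ := issue("api.example.internal", ca, caKey)
	pool := x509.NewCertPool() // stands in for a CA bundle that lacks the issuing CA
	failsBefore = unknownAuthority(leaf, pool)
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
	return failsBefore, unknownAuthority(leaf, pool)
}

func main() { fmt.Println(demo()) }
```

On Linux, Go's root loader also honors the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables, which replace the built-in file and directory lists quoted above for that process.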