I am configuring oAuth in grafana with Github. I am able to login but getting below error.
2018-03-21T20:37:59.386274782Z t=2018-03-21T20:37:59+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“Post https://github.nml.com/login/oauth/access_token: x509: certificate signed by unknown authority”
(upload://x7lEztyZFzqfh2Bpz0FE7nBh2O1.PNG)
You should not post your client secret on a public forum. Removing the image now to protect you.
I see you are using the skip_verify setting. Does that mean you have a self signed cert? I don’t think that will work.
Found this in the GitHub FAQ:
Hi daniellee,
Thanks for the reply. Actually I do have the CA root certificate file (.pem) but I am not able to understand where should I put it or what exactly should be done to get this issue resolved.
Ours is an onprem github server with proper CA certificates installed in it.
Do you know if GitHub Enterprise requires that the callback is https?
If you need to install a cert then you can either do it on the server where Grafana is installed or use the Grafana tls support :
http://docs.grafana.org/installation/configuration/#cert-key
cert_file = /usr/share/grafana/conf/server.crt
cert_key = /usr/share/grafana/conf/server.key
Location of your CA certificates depends on your OS. For example:
/etc/ssl/certs/ca-certificates.crt // Debian/Ubuntu/Gentoo etc.
/etc/pki/tls/certs/ca-bundle.crt // Fedora/RHEL 6
/etc/ssl/ca-bundle.pem // OpenSUSE
/etc/pki/tls/cacert.pem // OpenELEC
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem // CentOS/RHEL 7
You may need to add your CA to existing standard CA certificates. Also you may need to convert pem to crt. Example of these tasks for Ubuntu - https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate
Thanks Jan Garaj.
That really worked fixing my issue on Docker container even.
The same issue. I try to use grafana-cli to install a plugin.
I try it with --insecure flag, error changed, but still can’t install it.
Without --insecure
With it:
You didn’t provide any details about your setup so have to guess what the problem is.
The grafana cert is from Comodo which is a trusted Certificate Authority so the problem is either:
pkg install ca_root_nss , or on ubuntu update-ca-certificates)curl -v https://grafana.com/api/plugins/ryantxu-ajax-panel/versions/0.0.6/download
Yes, sorry, I forgot about details)
We use self-signed cert because of DLP security system (it uses mitm cert replacement)
curl:
* About to connect() to grafana.com port 443 (#0)
* Trying 35.241.23.245…
* Connected to grafana.com (35.241.23.245) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=grafana.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Feb 06 00:00:00 2019 GMT
* expire date: May 06 23:59:59 2020 GMT
* common name: grafana.com
* issuer: CN=xCA,DC=x,DC=x
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer’s certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
How do you usually do to access the internet?
If you can’t fix your certificates then you can download the plugin manually (https://grafana.com/api/plugins/ryantxu-ajax-panel/versions/0.0.6/download) and unpack it into your grafana plugins directory.
for me, remove below works
server_url =
callback_url =