X509: certificate signed by unknown authority

I am configuring OAuth in Grafana with GitHub. I am able to log in but am getting the error below.
2018-03-21T20:37:59.386274782Z t=2018-03-21T20:37:59+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="Post https://github.nml.com/login/oauth/access_token: x509: certificate signed by unknown authority"


You should not post your client secret on a public forum. Removing the image now to protect you.

I see you are using the skip_verify setting. Does that mean you have a self-signed cert? I don’t think that will work.

Found this in the GitHub FAQ:

https://help.github.com/enterprise/2.2/admin/articles/troubleshooting-ssl-errors/#installing-self-signed-or-untrusted-certificate-authority-ca-root-certificates

Hi daniellee,

Thanks for the reply. Actually I do have the CA root certificate file (.pem), but I am not able to understand where I should put it or what exactly should be done to get this issue resolved.
Ours is an on-prem GitHub server with proper CA certificates installed on it.

Do you know if GitHub Enterprise requires that the callback is https?

If you need to install a cert then you can either do it on the server where Grafana is installed or use the Grafana TLS support:

http://docs.grafana.org/installation/configuration/#cert-key

cert_file = /usr/share/grafana/conf/server.crt
cert_key = /usr/share/grafana/conf/server.key

Location of your CA certificates depends on your OS. For example:

/etc/ssl/certs/ca-certificates.crt                  // Debian/Ubuntu/Gentoo etc.
/etc/pki/tls/certs/ca-bundle.crt                    // Fedora/RHEL 6
/etc/ssl/ca-bundle.pem                              // OpenSUSE
/etc/pki/tls/cacert.pem                             // OpenELEC
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem   // CentOS/RHEL 7

You may need to add your CA to existing standard CA certificates. Also you may need to convert pem to crt. Example of these tasks for Ubuntu - https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate


Thanks Jan Garaj.

That really worked, fixing my issue even in a Docker container.

I have the same issue. I am trying to use grafana-cli to install a plugin.
I tried it with the --insecure flag; the error changed, but I still can’t install it.

Without --insecure: [image]

With it: [image]

You didn’t provide any details about your setup, so I have to guess what the problem is.

The grafana cert is from Comodo which is a trusted Certificate Authority so the problem is either:

  • that your operating system needs to have its certificates updated (try updating/installing certificates on your system; for example, on FreeBSD use pkg install ca_root_nss, or on Ubuntu update-ca-certificates)
  • You are behind a proxy or firewall. If you are on an OS with curl installed, does this return TLS errors too?
    curl -v https://grafana.com/api/plugins/ryantxu-ajax-panel/versions/0.0.6/download
  • Or are you using a self-signed cert with GitHub Enterprise?

Yes, sorry, I forgot about the details.
We use a self-signed cert because of a DLP security system (it uses MITM cert replacement).

curl:
* About to connect() to grafana.com port 443 (#0)
* Trying 35.241.23.245…
* Connected to grafana.com (35.241.23.245) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=grafana.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Feb 06 00:00:00 2019 GMT
* expire date: May 06 23:59:59 2020 GMT
* common name: grafana.com
* issuer: CN=xCA,DC=x,DC=x
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer’s certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

What do you usually do to access the internet?

If you can’t fix your certificates then you can download the plugin manually (https://grafana.com/api/plugins/ryantxu-ajax-panel/versions/0.0.6/download) and unpack it into your grafana plugins directory.