Grafana serves its UI over plain HTTP by default. When users reach it over the network, set up HTTPS so that logins, session cookies, and dashboard data between the browser and Grafana are encrypted in transit.
In this article, we will look into:
Obtain a certificate and key
Configure Grafana HTTPS
Restart the Grafana server
A CA-signed certificate requires a domain name that you control and that resolves to the machine Grafana runs on. In this article we first generate a self-signed certificate (fine for testing, but browsers will warn about it because no trusted CA vouches for it) and then obtain a publicly trusted certificate from Let's Encrypt.
Obtain a certificate and key
Generate a self-signed certificate
Run the following command to generate a 2048-bit RSA private key. Grafana uses this key in the TLS handshake to prove it is the server named in the certificate, so anyone who can read it can impersonate your Grafana; keep it readable by the Grafana process only (the permissions are set a few steps below):
sudo openssl genrsa -out /etc/grafana/grafana.key 2048
Run the following commands to create a certificate signing request (CSR) from that key and then sign the request with the same key, producing a self-signed certificate valid for 365 days. When prompted, answer the questions, which might include your fully qualified domain name, email address, country code, and others; the Common Name must be the host name users will type into the browser. Because no trusted CA vouches for a self-signed certificate, browsers will warn about it, which is acceptable for testing but not for end users.
sudo openssl req -new -key /etc/grafana/grafana.key -out /etc/grafana/grafana.csr
sudo openssl x509 -req -days 365 -in /etc/grafana/grafana.csr -signkey /etc/grafana/grafana.key -out /etc/grafana/grafana.crt
Make both files owned by the grafana user and readable only by that user:
sudo chown grafana:grafana /etc/grafana/grafana.crt
sudo chown grafana:grafana /etc/grafana/grafana.key
sudo chmod 400 /etc/grafana/grafana.key /etc/grafana/grafana.crt
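As an added example (not part of the original article), here is the same self-signed setup done non-interactively, plus two checks worth running before pointing Grafana at the files: that the certificate carries a subjectAltName for the host name (browsers no longer accept a Common Name on its own) and that the certificate and key actually belong together. It assumes OpenSSL 1.1.1 or newer (for -addext); the host name grafana.example.internal is a placeholder, and the paths are arguments, so the /etc/grafana paths used above can be passed in.

```shell
#!/bin/sh
# Added example, not from the original article: non-interactive self-signed
# certificate with a SAN entry, plus consistency checks. Assumes OpenSSL 1.1.1+
# (-addext). Host name and paths are placeholders passed as arguments.

# make_self_signed_cert <key-path> <cert-path> <hostname> [days]
# Creates a 2048-bit RSA key with no passphrase (Grafana cannot prompt for one
# at start-up) and a certificate that names <hostname> in subjectAltName.
# The subshell's umask 077 makes the key file 0600 from the moment it exists.
make_self_signed_cert() {
    key="$1"; crt="$2"; host="$3"; days="${4:-365}"
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -keyout "$key" -out "$crt" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    )
}

# cert_matches_key <key-path> <cert-path>
# Prints "match" (exit 0) when the public key inside the certificate is the one
# derived from the private key, "mismatch" (exit 1) otherwise. A mismatched
# pair, e.g. a renewed certificate next to an old key, is a common reason for
# Grafana refusing to start after a certificate change.
cert_matches_key() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]; then
        echo match; return 0
    fi
    echo mismatch; return 1
}

# cert_has_san <cert-path> <hostname>: exit 0 when the SAN lists DNS:<hostname>.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Usage mirroring the article's paths (run as root, then chown as above):
#   make_self_signed_cert /etc/grafana/grafana.key /etc/grafana/grafana.crt grafana.example.internal
#   cert_matches_key /etc/grafana/grafana.key /etc/grafana/grafana.crt
#   cert_has_san /etc/grafana/grafana.crt grafana.example.internal && echo "SAN ok"
```

The interactive `openssl req` prompts from the article are replaced by -subj and -addext, which is also what makes the step scriptable; -nodes is what lets Grafana start unattended.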
Obtain a signed certificate from Let's Encrypt
certbot is an open-source client for obtaining and renewing Let's Encrypt certificates.
To install certbot via snapd, run the following commands:
sudo apt-get install snapd
sudo snap install core; sudo snap refresh core
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
These commands:
Install snapd and bring its core snap up to date
Uninstall certbot from your system if it has been installed using a package manager
Install certbot using snapd and put it on the PATH
Generate certificates using certbot
The sudo certbot certonly --standalone command prompts you to answer questions before it generates a certificate. While it runs, certbot starts its own temporary web server on port 80; Let's Encrypt's validation servers connect to it from the internet (the HTTP-01 challenge) to confirm that you control the host name you ask for. Port 80 must therefore be free (stop anything already listening on it for the duration) and reachable from the internet; Grafana itself listens on 3000, so it does not get in the way.
To generate certificates using certbot, complete the following steps:
Ensure that port 80 traffic is permitted by applicable firewall rules.
Run the following command to generate certificates:
$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): me@mysite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let’s Encrypt project and the non-profit organization that
develops Certbot? We’d like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): subdomain.mysite.com
Requesting a certificate for subdomain.mysite.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/subdomain.mysite.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/subdomain.mysite.com/privkey.pem
This certificate expires on 2023-06-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Set up symlinks to Grafana
Symbolic links (symlinks) let /etc/grafana point at the Let's Encrypt files without copying them. When certbot renews the certificate it writes new files under /etc/letsencrypt/archive/ and repoints the live/ symlinks at them, so Grafana picks up the renewed files on its next restart and grafana.ini never needs to change.
To set up symlinks to Grafana, run the following commands:
$ sudo ln -s /etc/letsencrypt/live/subdomain.mysite.com/privkey.pem /etc/grafana/grafana.key
$ sudo ln -s /etc/letsencrypt/live/subdomain.mysite.com/fullchain.pem /etc/grafana/grafana.crt
Adjust permissions
Grafana usually runs under the grafana Linux user and group, and you must ensure that the Grafana server process has permission to read the certificate and key. Without read access, the HTTPS server fails to start.
To adjust permissions, run the following commands to set the appropriate permissions and groups for the files:
$ sudo chgrp -R grafana /etc/letsencrypt/*
$ sudo chmod -R g+rX /etc/letsencrypt/*
$ sudo chgrp -R grafana /etc/grafana/grafana.crt /etc/grafana/grafana.key
$ sudo chmod 440 /etc/grafana/grafana.crt /etc/grafana/grafana.key
Two things to keep in mind here. First, chgrp and chmod follow symlinks, so the last two commands change the real files under /etc/letsencrypt/archive/, which stay owned by root; that is why the mode is 440 (owner and group read) rather than 400, which would leave the non-root grafana user unable to open the key. Second, the first two commands give the grafana group read access to every certificate and key under /etc/letsencrypt, not only this one (the capital X adds the execute bit only on directories, where it means traversal); on a host that holds other certificates, narrow this to the live/ and archive/ directories of this domain. Renewal writes new files into archive/, so check after the first renewal that the new key still carries the group and mode you set, or re-apply them from a certbot deploy hook.
ls -l /etc/grafana/grafana.*
The output will look like this:
lrwxrwxrwx 1 root grafana 67 Mar 22 14:15 /etc/grafana/grafana.crt -> /etc/letsencrypt/live/subdomain.mysite.com/fullchain.pem
-rw-r----- 1 root grafana 54554 Mar 22 14:13 /etc/grafana/grafana.ini
lrwxrwxrwx 1 root grafana 65 Mar 22 14:15 /etc/grafana/grafana.key -> /etc/letsencrypt/live/subdomain.mysite.com/privkey.pem
Configure Grafana HTTPS and restart Grafana
In this section, you edit the grafana.ini file so that it points at the certificate and key you created (either the self-signed pair or the symlinks to the Let's Encrypt files; the paths are the same). If you need help identifying where to find this file, or what each key means, refer to Configuration file location.
To configure Grafana HTTPS and restart Grafana, complete the following steps.
Open the grafana.ini file and edit the following configuration parameters in the [server] section:
[server]
http_addr =
http_port = 3000
domain = mysite.com
root_url = https://subdomain.mysite.com:3000
cert_key = /etc/grafana/grafana.key
cert_file = /etc/grafana/grafana.crt
enforce_domain = False
protocol = https
protocol = https is what switches the listener to TLS. root_url must use https:// as well, because Grafana builds redirects and links from it and an http:// value would send users back to plain HTTP; an empty http_addr listens on all interfaces. Once the UI is reachable only over HTTPS, it is also worth setting cookie_secure = true in the [security] section so the login session cookie is never sent over an unencrypted connection.
Restart Grafana so that it reads the new settings, then confirm that it is running (systemctl start would do nothing if the service is already up, which is why restart is used; daemon-reload is only needed if the unit file itself changed, but it is harmless):
sudo systemctl daemon-reload
sudo systemctl restart grafana-server
sudo systemctl status grafana-server
If the status shows the service as failed, the usual cause is that the grafana user cannot read the key or certificate; the service log (journalctl) names the file it could not open.
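Because a Grafana that cannot read its key simply fails to start, a preflight check on grafana.ini before the restart saves a round trip through the logs. The following is an added example, not code from the article or from Grafana: it reads the [server] keys set above, refuses a protocol or root_url that is not https, confirms the certificate and key are readable, and flags a key that is readable by every local account. ini_get is a minimal INI reader written for this example; run the script as the grafana user (for instance with sudo -u grafana) so the readability test reflects the account Grafana actually runs under.

```shell
#!/bin/sh
# Added example, not from the article or Grafana: preflight check of the TLS
# settings in grafana.ini before restarting the service. ini_get is a minimal
# INI reader written for this example. Run as the grafana user
# (sudo -u grafana sh preflight.sh /etc/grafana/grafana.ini) so that the
# readability checks apply to the account Grafana actually runs under.

# ini_get <file> <section> <key>: value of <key> in [<section>], or nothing.
# Lines commented out with ';' or '#' do not match because the key must be
# the first non-blank text on the line.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); in_s = (h == s); next }
        in_s && $0 ~ "^[[:space:]]*" k "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# check_grafana_tls_config <grafana.ini>
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
check_grafana_tls_config() {
    ini="$1"; rc=0
    protocol=$(ini_get "$ini" server protocol)
    root_url=$(ini_get "$ini" server root_url)
    cert=$(ini_get "$ini" server cert_file)
    key=$(ini_get "$ini" server cert_key)

    [ "$protocol" = https ] || { echo "protocol is '${protocol:-unset}', expected https"; rc=1; }
    # root_url feeds redirects and links; an http:// value downgrades users.
    case "$root_url" in
        https://*) ;;
        *) echo "root_url '${root_url:-unset}' is not https://"; rc=1 ;;
    esac
    # -r tests readability for the user running this script, hence sudo -u grafana.
    for f in "$cert" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "cannot read '${f:-unset}'"; rc=1; }
    done
    # The key must not be readable by 'other': any local account could then
    # impersonate the Grafana server. stat -L follows the symlink to the real file.
    if [ -n "$key" ] && [ -e "$key" ]; then
        mode=$(stat -L -c %a "$key")
        case "$mode" in *[4-7]) echo "key '$key' mode $mode is world-readable"; rc=1 ;; esac
    fi
    [ "$rc" -eq 0 ] && echo "tls config ok"
    return "$rc"
}

# Usage:  check_grafana_tls_config /etc/grafana/grafana.ini
```

The world-readable test looks only at the last octal digit of the mode, so the 440 and 400 settings from the earlier steps pass while a 644 key, which is easy to end up with after copying files around as root, is reported.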
Thank you for reading the article, don't forget to leave a ❤️ if it worked for you.