Grafana SSL – How to configure HTTPS
This Page Was Tested and Validated on 12th January 2025
What to secure the Grafana Dashboard? Need to know how to configure a self-signed certificate for Grafana SSL? You have come to the right place.
The TurboGeek step-by-step guide for setting up a self-signed SSL certificate in the Grafana community edition is an easy-to-follow procedure that will create a self-signed certificate on your Grafana SSL Instance and have you up and running in no time.
By following these instructions, you will enhance the security of your Grafana server, making it accessible via a secure connection at https://my_grafana_server
Why Secure Your Grafana with HTTPS?
Grafana is a powerful tool for visualizing your data, but without HTTPS, your sensitive information could be at risk. Running Grafana over HTTP means your login credentials, API keys, and the data itself are transmitted in plain text, vulnerable to interception and theft. By configuring SSL and enabling HTTPS, you encrypt your connection, ensuring data confidentiality and integrity, and protecting against man-in-the-middle attacks. This guide provides a step-by-step approach to securing your Grafana installation with a self-signed SSL certificate.
Who is this guide for?
This guide is aimed at users with basic Linux command-line experience who are comfortable editing configuration files. Familiarity with Grafana is helpful but not required.
What is a Grafana SSL Certificate?
By default, SSL is not configured in the free, self-hosted community edition of Grafana.
However, SSL is configured automatically for those who opt for the cloud version. To set up SSL on the self-hosted version, you will require sudo access to the /etc/grafana/grafana.ini file.
Here’s where you should look:
vi /etc/grafana/grafana.iniHTTP options
In the grafana.ini file, you’ll need to modify four key fields. They are:
- root_url =
- protocol =
- cert_key =
- cert_file =
When you are finished. Your Grafana Ini will look something like this:
#FOR EXAMPLE PURPOSES
[server]
http_addr = dashboard.yourdomain.co.uk
http_port = 3000
domain = yourdomain.co.uk
root_url = https://grafana.yourdomain.co.uk
cert_key = /etc/grafana/grafana.key
enforce_domain = False
protocol = https
socket =
enable_gzip = False
cert_file = /etc/grafana/grafana.crt
static_root_path = public
router_logging = FalseStep 1 – Create a Grafana SSL Certificate
Before you start:
- You’ll need
sudoaccess to your server. - This guide assumes Grafana is installed at
/etc/grafana/. Adjust paths if your installation differs.
Follow the steps below for those on Linux-based servers. I am using RedHat Enterprise. You may need refer to its specific documentation if you’re on a different Linux distribution.
This command generates an RSA private key for use with Grafana.
openssl genrsa -out grafana.key 2048The command generates a 2048-bit RSA private key and saves it in a file named grafana.key.
Here is what the output should look like:
Step 2 – Generate a certificate signing request
From the command line, type:
openssl req -new -key grafana.key -out grafana.csrThis command creates a new certificate signing request (CSR) using your existing private key. The CSR contains information about your organization and is cryptographically linked to your key. You have the option to submit this CSR to a Certificate Authority to obtain a digital certificate for secure HTTPS connections. However, in this example, we will keep it simple and do a self-signed certificate.
Example output:
Step 3 – Output the certificate
Generate a self-signed certificate! Now, from the command line, type:
openssl x509 -req -days 365 -in grafana.csr -signkey grafana.key -out grafana.crtThis command creates a self-signed certificate valid for one year, using your existing CSR and private key. This certificate can be used for testing or internal purposes, but may cause browser warnings in production due to not being issued by a trusted authority.
After which, you’ll see this output:
Step 4 – Set certificate key file ownership
Run the following commands:
sudo chown grafana:grafana grafana.crt
sudo chown grafana:grafana grafana.key
sudo chmod 400 grafana.key grafana.crtThese commands change the ownership (chown) of the files grafana.crt and grafana.key to the user grafana and group grafana. The last command (chmod) changes the permissions (mode) of these files so they can only be read by the owner (grafana), ensuring they remain secure.
Step 5 – Transfer the certificate and key file to Grafana’s installation directory
Move files using:
sudo mv grafana.crt grafana.key /etc/grafana/Step 6 – Edit the Grafana.ini file
Open the file with:
sudo vim /etc/grafana/grafana.iniSearch for the #HTTP options and set the properties accordingly:
root_url = https://grafana.yourdomain.co.uk
protocol = https
cert_key = /etc/grafana/grafana.key
cert_file = /etc/grafana/grafana.crtOnce done, save and exit the file. Proceed by restarting the Grafana service:
sudo service grafana-server restart
Step 7 – Access via the server IP
Finally, when you navigate to the server’s IP address using a web browser, you’ll encounter a warning due to the Self Signed Certificate. The prompt will appear as follows:
Note: You will always have to accept this prompt (only once) unless you have purchased a Signed Certificate from a certificate authority vendor such as https://www.digicert.com/
Want to know how to put certs on a Grafana container and how to make a Grafana container HTTPS? Run
docker exec -it containername /bin/bashand follow the same procedure above.
That’s it; thanks for taking the time to read this article. If you have any questions or feedback, please write them in the comment section below.
Troubleshooting Common Grafana SSL Errors
- Grafana fails to start: Double-check the paths to your certificate files in
grafana.iniand ensure thegrafanauser has read access to them. - “Certificate not trusted” error: This is expected with self-signed certificates. For production environments, use a CA-signed certificate.
- Incorrect domain in certificate: If you used a domain name in your CSR, ensure it matches the
root_urlingrafana.ini.
Alternative Methods for Obtaining SSL Certificates
While this guide focuses on self-signed certificates, there are other options:
- Let’s Encrypt: A free, automated, and open certificate authority. See Let’s Encrypt documentation for details.
- Commercial Certificate Authorities: Companies like DigiCert, Sectigo, and GlobalSign offer a variety of SSL certificates with varying levels of validation and features.
Securing Grafana SSL in a Docker Container
If you’re running Grafana in a Docker container, you can still implement SSL. Here’s a basic outline:
- Access your Grafana container:
docker exec -it <container_name> /bin/bash- Follow the same steps outlined in this guide to generate and configure the SSL certificate within the container.
- Ensure that your Docker Compose file or
docker runcommand maps the certificate files and exposes the HTTPS port.
For detailed instructions and best practices, refer to the official Grafana Docker documentation.
What is Grafana?
Grafana and Prometheus will give you a great solution if you need monitoring dashboards.
Check out https://grafana.com and https://prometheus.io to start your Journey.
Benefits of Using HTTPS for Grafana SSL
- Data Confidentiality: Encrypting your connection prevents unauthorized access to sensitive information like login credentials and query data.
- Data Integrity: Ensures that the data transmitted between your browser and the server has not been tampered with.
- Authentication: Verifies the identity of the Grafana server, preventing users from connecting to fake or malicious servers.
- Trust: Displays a padlock icon in the browser, increasing user trust and confidence in your Grafana installation.
Want to create your own TIG Stack?(Telegraf, InfluxDB and Grafana) – Check out this procedure
What to know more about Grafana SSL? Check out our other posts about it:
Learn:
- What’s the difference between the Grafana Enterprise and Grafana Community editions?
- Why should I use Grafana?
- How do I install Grafana on a Raspberry Pi?
- Your Top Grafana Questions Answered (Q&A)
Thanks for taking the time to read this article. if you have any questions or feedback, please write in the comment section below.
Excellent Explanation Thanks Buddy!
Perfect ! Thank you very much !
Thanks for the blog. can you please use instead of self signed certs domain certs.I have tried above steps after updating grafana.ini failed to start grafana service.please guide.
Hi. I don’t know to be honest, I’ll need to work it out. But I imagine it’s the same process but you copy the domain certs instead.
Does anyone else know the answer?
Hi , I Have tried with domain certs but unable to start grafana service. please anyone help.
Upload your logs and I’ll take a look.
Just want to say thank you for your article. So easy to follow and clear explanation
Dear Richard,
Many thanks for your article. It really helps many.
I had exactly did the same like you had mentioned in the article, but when I open the Grafana using https, I am receiving the following error:
This site canβt provide a secure connection
By the way, Grafana using http works like a champ.
Please let me know, where the error might had happened, so that, it helps me and also many.
Thanks for your help in advance.
Regards,
Chaitanya
Try updating your browser. Otherwise, it would be an internal network issue.
Do you get an error code in the browser? Is there an option to skip?
Dear Richard,
Thanks for your reply..
I had tried with other browsers and I get the following error messages:
Chrome ERR_SSL_PROTOCOL_ERROR
Firefox SSL_ERROR_RX_RECORD_TOO_LONG
Edge ERR_SSL_PROTOCOL_ERROR
Unfortunately, there is no option to skip π
Regards,
Chaitanya
you still using the port 3000 not sure why
thank you. I will get this corrected.
Muchas gracias!