Grafana not providing certificate but a ERR_SSL_PROTOCOL_ERROR

Hello everyone,

I have set up Grafana on Docker on a Windows Machine in a Windows Container and have now encountered a problem with setting up a ssl encryption.
I have created a Windows container where I download the windows binary, set the appropriate environment Variables, copy the certificate files into the container and start it.
When I try to access grafana using https over the url https://grafana.domain.ch:3000 the certificate is not even loaded and i get the error ERR_SSL_PROTOCOL_ERROR

  • What Grafana version are you using? grafana-8.5.1
  • What OS are you running grafana on? Windows Docker Container on Windows Server

Below you can find my configuration. I have replaced our domain by “domain”, otherwise this is the same configuration.

ENV GF_EXPLORE_ENABLED="false" \
	# Enable the Query history
	GF_QUERY_HISTORY_ENABLED="true" \
	# disable user signup / registration
	GF_USERS_ALLOW_SIGN_UP="false" \
	# Allow non admin users to create organizations
	GF_USERS_ALLOW_ORG_CREATE="FALSE" \
	# Default UI theme ("dark" or "light")
	GF_USERS_DEFAULT_THEME="light" \
	# Snapshot sharing option
	GF_SNAPSHOTS_EXTERNAL_ENABLED="false" \
	# Server reporting, sends usage counters to stats.grafana.org every 24 hours. No ip addresses are being tracked, only simple counters to track running instances, dashboard and error counts.
	GF_ANALYTICS_REPORTING_ENABLED="false" \ 
	# Either "mysql", "postgres" or "sqlite3", it's your choice
	GF_DATABASE_TYPE="mysql" \
	GF_DATABASE_NAME="grafana" \
	GF_DATABASE_USER="grafana_user" \
	# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
	GF_DATABASE_PASSWORD="" \
	# disable gravatar profile images
	GF_SECURITY_DISABLE_GRAVATAR="true" \
	# set to true if you host Grafana behind HTTPS. default is false.
	GF_SECURITY_COOKIE_SECURE="true" \
	# Protocol (http, https, h2, socket)		
	GF_SERVER_PROTOCOL="HTTPS" \			
#	GF_SERVER_HTTP_ADDR="" \			# The ip address to bind to, empty will bind to all interfaces
# The http port  to use
	GF_SERVER_HTTP_PORT="3000" \			
	# The public facing domain name used to access grafana from a browser
	GF_SERVER_DOMAIN="grafana.domain.ch" \			
#	GF_SERVER_ENFORCE_DOMAIN="" \			# Redirect to correct domain if host header does not match domain
	# The full public facing url you use in browser, used for redirects and emails
	GF_SERVER_ROOT_URL="https://grafana.domain.ch:3000" \
# https certs & key file
	GF_SERVER_CERT_FILE="C:\grafana\bin\ssl\fullchain.pem" \			
	GF_SERVER_CERT_KEY="C:\grafana\bin\ssl\cert.key"

#These are 
COPY security/fullchain.cer /grafana/bin/ssl/fullchain.pem
COPY security/cert.key /grafana/bin/ssl/cert.key

EXPOSE 3000

WORKDIR C:\\grafana\\bin
CMD ["grafana-server.exe"] 

The output of the command openssl x509 -in fullchain.pem -text -noout is
Common Name: grafana.domain.ch
Subject Alternative Names: grafana.domain.ch
Valid From: April 28, 2022
Valid To: July 27, 2022
Issuer: (STAGING) Artificial Apricot R3, (STAGING) Let’s Encrypt
Serial Number: fac3790c71616ba527ad11702ef9a405abf5

The log does not provide me with to much infos either:

logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_PROTOCOL=HTTPS"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_HTTP_PORT=3000"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_DOMAIN=grafana.domain.ch"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_ROOT_URL=https://grafana.domain.ch:3000"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_CERT_FILE=C:\\grafana\\bin\\ssl\\fullchain.pem"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SERVER_CERT_KEY=C:\\grafana\\bin\\ssl\\cert.key"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_DATABASE_TYPE=mysql"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_DATABASE_HOST=172.16.85.227"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_DATABASE_NAME=grafana"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_DATABASE_USER=grafana_user"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_DATABASE_PASSWORD=*********"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_ANALYTICS_REPORTING_ENABLED=false"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SECURITY_DISABLE_GRAVATAR=true"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SECURITY_COOKIE_SECURE=true"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_SNAPSHOTS_EXTERNAL_ENABLED=false"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_USERS_ALLOW_SIGN_UP=false"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_USERS_ALLOW_ORG_CREATE=FALSE"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_USERS_DEFAULT_THEME=light"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_EXPLORE_ENABLED=false"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Config overridden from Environment variable" var="GF_QUERY_HISTORY_ENABLED=true"
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Path Home" path=C:\grafana
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Path Data" path=C:\grafana\data
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Path Logs" path=C:\grafana\data\log
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Path Plugins" path=C:\grafana\data\plugins
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="Path Provisioning" path=C:\grafana\conf\provisioning
logger=settings t=2022-04-28T19:06:20.13+0200 lvl=info msg="App mode production"
logger=sqlstore t=2022-04-28T19:06:20.13+0200 lvl=info msg="Connecting to DB" dbtype=mysql
logger=migrator t=2022-04-28T19:06:20.18+0200 lvl=info msg="Starting DB migrations"
logger=migrator t=2022-04-28T19:06:20.19+0200 lvl=info msg="migrations completed" performed=0 skipped=461 duration=1.6381ms
logger=licensing t=2022-04-28T19:06:20.19+0200 lvl=info msg="Validated license token" appURL=https://grafana.domain.ch:3000/ source=disk status=NotFound
logger=grafanaStorageLogger t=2022-04-28T19:06:20.19+0200 lvl=warn msg="error loading storage" prefix=public-static err="open blob.Bucket: parse \"file://C:\\\\grafana\\\\public\": invalid port \":\\\\grafana\\\\public\" after host"
logger=plugin.manager t=2022-04-28T19:06:20.39+0200 lvl=info msg="Plugin registered" pluginId=input
logger=plugin.finder t=2022-04-28T19:06:20.39+0200 lvl=warn msg="Skipping finding plugins as directory does not exist" path=C:\grafana\data\plugins
logger=query_data t=2022-04-28T19:06:20.41+0200 lvl=info msg="Query Service initialization"
logger=live.push_http t=2022-04-28T19:06:20.42+0200 lvl=info msg="Live Push Gateway initialization"
logger=grafanaStorageLogger t=2022-04-28T19:06:20.51+0200 lvl=info msg="storage starting"
logger=report t=2022-04-28T19:06:20.51+0200 lvl=warn msg="Scheduling and sending of reports disabled, SMTP is not configured and enabled. Configure SMTP to enable."
logger=http.server t=2022-04-28T19:06:20.52+0200 lvl=info msg="HTTP Server Listen" address=[::]:3000 protocol=http subUrl= socket=

I am quite genuinly quite confused as to why the certificates are not even loaded an

welcome to the :grafana: forum, @jkirsch

were you able to make your setup work with an earlier version, or is this the first time you are setting up grafana?

This is the first time setting up grafana.
SO far the setup has been going well, but I started to struggle deploying the SSL Certificate