SSL for Grafana error: tls: first record does not look like a TLS handshake

Im trying to secure Grafana using SSL and have used a self signed certificate using this link:
However i am getting site cannot be reached error when going to https://<>.

These are the things ive added to the /etc/grafana/grafana.ini
protocol = https
cert_file = /usr/sbin/server.crt
cert_key = /usr/sbin/server.key

when doing sysemctl status grafana-server i get the message
TLS handshake error from tls: first record does not look like a TLS handshake

The config looks correct, all you should need are those 3 settings.

Have you verified your cert and checked your key? You can also check that the md5’s of the cert and key match.

openssl req -text -noout -verify -in server.csr
openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout
openssl verify /etc/ssl/certs/ssl-cert-snakeoil.pem
openssl rsa -in /your/path/your.key -check 

Check that the MD5’s match:

openssl x509 -noout -modulus -in selfsignedcert.pem| openssl md5
openssl rsa -noout -modulus -in selfsignedkey.key| openssl md5

You can also quickly create a self-signed cert to test using this (shorter version than in the article you linked to that doesn’t create a csr):

openssl req -x509 -newkey rsa:4096 -keyout key.key -out cert.pem -days 365

Then remove the password:

openssl rsa -in selfsignedkeywithpass.key -out selfsignedkey.key

no luck, verified the certs are correct but still getting the same error

Did you try creating a self signed cert without the CSR?

yes, i used the commands that you posted. i have noticed that the port number on keeps changing

That sounds very strange. Why is the port number changing? What do you have configured in your ini file? The default is 3000.

I tested a self-signed cert locally while answering this topic and it worked for me. The error message you are getting is the same as when you try to visit http instead of https. So if the port is wrong that might explain it.

Was this issue resolved?
I am getting a similar error with changing port numbers.

@daniellee Even I am getting the same error when I try to use https with a self-singed cert created by openssl. Please help!


Can you give some more details? What does your config file look like? Have you verified your cert (like described above)?

I have generated a self-signed certificate using opeenssl just to check how https works with grafana. Answer for your question is No, I am not using a verified certificate.

and my config is as follows ;


protocol = https
cert_file = $GRAFANA_HOME/server.crt
cert_key = $GRAFANA_HOME/server.key

When using http all the connections are working perfectly.

The error looks like this, my assumption is the reason to this is a problem with cert file since it is a self-signed one.

As i have understand this IP is from sqlite server. and it is using http to connect. So is tries to reconnect by changing the pot.


PS : I am using my own auth server for authentications.

  • Did you try using an absolute path instead of $GRAFANA_HOME?
  • By verifying, I mean verifying that the files are valid see my previous answers on this thread. As you didn’t follow the steps I outlined above (you would have a PEM file and not a crt file if you had), I’m not sure if you created them correctly.
  • What is Is that your auth server?

I followed this brazilian tutorial and I’m having the same problem as decribed on this topic. After running grafana, it keeps spamming “TLS handshake error from tls: first record does not look like a TLS handshake” on console, with different ports.

The app runs correctly on browser, even though that it gives the warning of insecure connection and “NET::ERR_CERT_AUTHORITY_INVALID”.
The problem might be that the certificate is self-signed and not trusted right?

I did followed your above mentioned steps correctly. By doing a simple i found that this error occurs when your client tries to connect to http while your server is https. So i have to change that into support https.

Hi @daniellee, do you have any update for this issue? We have the similar issue also.