SSL/TSL cert permission denied when files not in /etc/grafana

adam5840 · December 13, 2021, 8:43am

Hi,

I am using LetsEncrypt’s certbot to auto-renew SSL/TSL certs every 3 months on an Ubuntu machine.

The cert works fine if I place the *.pem files into /etc/grafana and change the grafana.ini file to point to that location.

However, if the *.pem files are left in /etc/letsencrypt/live/<my-domain> then Grafana fails to start with the following appearing in grafana.log:

t=2021-12-13T09:28:35+0100 lvl=eror msg="Stopped HTTPServer" logger=server reason="open /etc/letsencrypt/live/<my-domain>/fullchain.pem: permission denied"
t=2021-12-13T09:28:35+0100 lvl=eror msg="Server shutdown" logger=server error="HTTPServer run error: open /etc/letsencrypt/live/<my-domain>/fullchain.pem: permission denied"

I’ve tried everything I can think of, and have even set the permissions for both the /etc/letsencrypt/live/<my-domain> folder and pem files to drwxrwxrwx for all users (chmod a+rwx)

It’s important to me that I can specify that location for Grafana to read from so that I don’t need to copy the files over every time the SSL / TSL certs auto-renew every 3 months.

Why can Grafana not access those pem files in that location?

mattabrams · January 12, 2022, 8:30pm

@adam5840

are you serving Grafana behind a reverse proxy like nginx?

adam5840 · February 15, 2022, 10:49pm

Hi matt, yes I am using a reverse proxy…

mattabrams · February 18, 2022, 10:12pm

Are you running 8.3.5+? If so, you might need to add a new header to your config. This was noted in the changelog but it was buried:

github.com/grafana/grafana

Unable to Create/Save Dashboard after v8.3.5 Update

opened 04:36AM - 09 Feb 22 UTC

closed 06:25PM - 10 Feb 22 UTC

jdmaloney

type/docs

**What happened**: Unable to create a new dashboard or save changes to existing… dashboards following update to Grafana v8.3.5 **What you expected to happen**: Ability to create/modify dashboards in Grafana **How to reproduce it (as minimally and precisely as possible)**: - Log into Grafana instance and click on "+" button and create new dashboard - Go to save the dashboard into a folder - Attempt to save fails, "Origin Not Allowed" error shows up in upper right corner **Anything else we need to know?**: Attached is what I'm seeing in the console upon trying to save; looks like it is getting a 403 Forbidden for FQDN/api/dashboards/db and this is preventing dashboard from saving. Clicking the "Save" button prompts one of these errors in the console. I'm also seeing a 403 Forbidden on FQDN/api/frontend-metrics and a screenshot for that is attached too. I'm not seeing anything of particular use in the /var/log/grafana/grafana.log at INFO level, let me know if I should try debug level. <img width="1676" alt="Screen Shot 2022-02-08 at 10 26 05 PM" src="https://user-images.githubusercontent.com/16138910/153122711-779a4b11-48f3-4071-a5da-b7dd218859de.png"> <img width="1675" alt="Screen Shot 2022-02-08 at 10 31 46 PM" src="https://user-images.githubusercontent.com/16138910/153122716-9a93814d-2712-43ee-83cf-6883646cfb9c.png"> **Environment**: - Grafana version: 8.3.5 - Data source type & version: InfluxDB - OS Grafana is installed on: RHEL 8 - User OS & Browser: Safari, Chrome - Grafana plugins: None - Others: None

Topic		Replies	Views
Trouble with fullchain.pem access denied Configuration	4	6888	March 3, 2020
/etc/ssl/private/grafana.key: permission denied Authentication	1	1291	November 21, 2022
Grafana Docker Plesk Let's Encrypt Cert Grafana docker	4	1157	February 20, 2022
How to renew the SSL Certificate in Grafana 5.3 V Configuration	5	2761	July 20, 2020
Setting up SSL but Grafana thinks cert_file is empty? Configuration	1	1961	June 6, 2020

SSL/TSL cert permission denied when files not in /etc/grafana

Related topics