Add SSL


Description

I add SSL to the Grafana web server to ensure all traffic is encrypted between the server and web browser.

I use Let's Encrypt by following the Certbot instructions.

For Web Server software, I choose "none of the above".

For Operating system, I choose Ubuntu 18.04 LTS.

I then SSH onto my new Grafana server and enter these commands

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

then

sudo apt-get install certbot

I temporarily stop the Grafana server

sudo service grafana-server stop

then run

sudo certbot certonly --standalone

I follow the prompts and enter the domain name I want to secure.

According to several forums on adding SSL to Grafana, the Grafana service may have problems finding the SSL certificates that were just installed. So copy the new *.pem files from the /etc/letsencrypt/live/your-domain-name folder to the /etc/grafana folder. Be careful to replace your-domain-name with your domain name in the command below. The copy runs inside a root shell because the /etc/letsencrypt/live folder is readable only by root, so the *.pem wildcard has to be expanded as root.

sudo sh -c 'cp /etc/letsencrypt/live/your-domain-name/*.pem /etc/grafana/'

Now edit the grafana.ini file

cd /etc/grafana/
sudo nano grafana.ini

Uncomment and change the line

# Protocol (http, https, h2, socket)
;protocol = http

to

# Protocol (http, https, h2, socket)
protocol = https

and uncomment and change

# https certs & key file
;cert_file =
;cert_key =

to

# https certs & key file
cert_file = /etc/grafana/fullchain.pem
cert_key = /etc/grafana/privkey.pem

I then start the Grafana server

sudo service grafana-server start

And now I visit my Grafana server URL replacing http with https.

Troubleshooting

If your server fails to start, you can check the logs using

tail /var/log/grafana/grafana.log

If the error suggests that permission is denied on reading the privkey.pem, then you can try changing the owner of the new certificates

sudo chown grafana:grafana /etc/grafana/fullchain.pem
sudo chown grafana:grafana /etc/grafana/privkey.pem

and then restart

sudo service grafana-server start

and check that its status is active.

sudo service grafana-server status
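
Certbot renews the certificate under /etc/letsencrypt/live, but the copies made in /etc/grafana earlier are not touched by a renewal. The script below is an added example (not part of the original tutorial) of a certbot deploy hook that repeats the copy, applies the ownership change from the Troubleshooting section, keeps the private key at mode 0600 and restarts Grafana; the file name /etc/letsencrypt/renewal-hooks/deploy/grafana-certs.sh and the function name install_grafana_certs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Certbot deploy hook: refresh Grafana's certificate copies after a renewal.

# install_grafana_certs SRC_DIR DEST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from SRC_DIR to DEST_DIR.
# The chain is written with mode 0644, the private key with mode 0600.
# OWNER (user:group) is optional because chown needs root.
install_grafana_certs() {
    src=$1
    dest=$2
    owner=${3:-}

    # Refuse to half-update: both files must be readable before copying.
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "missing or unreadable: $src/$f" >&2
            return 1
        fi
    done

    # install(1) copies the file behind each live/ symlink and sets the
    # mode explicitly, so the result does not depend on the umask.
    install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem" || return 1
    install -m 0600 "$src/privkey.pem" "$dest/privkey.pem" || return 1

    # Same ownership change as in the Troubleshooting section.
    if [ -n "$owner" ]; then
        chown "$owner" "$dest/fullchain.pem" "$dest/privkey.pem" || return 1
    fi
}

# Certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> when it
# runs deploy hooks; outside certbot this block does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_grafana_certs "$RENEWED_LINEAGE" /etc/grafana grafana:grafana &&
        service grafana-server restart
fi
```

Make the script executable so that certbot runs it after each successful renewal.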