Dynamic domain names like those from Amazon EC2 or DynDNS providers will not function. Also, these instructions require you to have a domain name that you are in control of. For other distributions and operating systems, please refer to the certbot instructions. Note: The instructions provided in this section are for a Debian-based Linux system. The examples in this section use LetsEncrypt because it is free. The principles for generating the certificates might vary slightly in accordance with the provider but will generally remain the same. For signed certificates, there are multiple companies and certificate authorities (CAs) available. LetsEncrypt is a nonprofit certificate authority that provides certificates without any charge. Obtain a signed certificate from LetsEncrypt The following image shows an insecure HTTP connection. Browsers will show trust warnings however, the connection will remain encrypted. Note: When using these files, browsers might provide warnings for the resulting website because a third-party source does not trust the certificate. Sudo chmod 400 grafana.key /etc/grafana/grafana.crt Sudo chown grafana:grafana /etc/grafana/grafana.key Run the following commands to set the appropriate permissions for the files: sudo chown grafana:grafana /etc/grafana/grafana.crt Run the following command to self-sign the certificate with the private key, for a period of validity of 365 days: sudo openssl x509 -req -days 365 -in grafana.csr -signkey /etc/grafana/grafana.key -out /etc/grafana/grafana.crt server FQDN or YOUR name) :Įmail Address enter the following 'extra' attributes Organizational Unit Name (eg, section) :Ĭommon Name (e.g. State or Province Name (full name) :Virginia If you enter '.', the field will be left blank. There are quite a few fields but you can leave some blankįor some fields there will be a default value, What you are about to enter is what is called a Distinguished Name or a DN. You are about to be asked to enter information that will be incorporated The following example is similar to the prompts you will see. When prompted, answer the questions, which might include your fully-qualified domain name, email address, country code, and others. $ sudo openssl req -new -key /etc/grafana/grafana.key -out /etc/grafana/grafana.csr Run the following command to generate a certificate, using the private key from the previous step. Run the following command to generate a 2048-bit RSA private key, which is used to decrypt traffic: $ sudo openssl genrsa -out /etc/grafana/grafana.key 2048 This section shows you how to use openssl tooling to generate all necessary files from the command line. To learn more about the difference between these options, refer to Difference between self-signed CA and self-signed certificate. Alternatively, the Certificate Authority (CA) signed option requires more steps to complete, but it enables full trust with the browser. The faster and easier self-signed option might show browser warnings to the user that they will have to accept each time they visit the site. You can use one of two methods to obtain a certificate and a key. For the CA-signed option, you need a domain name that you possess and that is associated with the machine you are using.You must have shell access to the system and sudo access to perform actions as root or administrator.The following image shows a browser lock icon which confirms the connection is safe. In order to ensure secure traffic over the internet, Grafana must have a key for encryption and a Secure Socket Layer (SSL) Certificate to verify the identity of the site. When accessing the Grafana UI through the web, it is important to set up HTTPS to ensure the communication between Grafana and the end user is encrypted, including login credentials and retrieved metric data. Enterprise Open source Set up Grafana HTTPS for secure web traffic
0 Comments
Leave a Reply. |