mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Docs: Update image rendering (#21650)
This is a small documentation update for the situation that led to #19842 in the first place. It describes a procedure required to provide root certificates to the headless Chrome instance used by the Grafana image renderer plugin.
parent 261191ffd7
commit 50993b5dfd
@ -194,3 +194,24 @@ it's available for the Grafana process, e.g.
|
||||
```bash
|
||||
export GF_RENDERER_PLUGIN_CHROME_BIN="/usr/bin/chromium-browser"
|
||||
```
|
||||
|
||||
### Grafana image renderer plugin and certificate signed by internal certificate authorities
|
||||
|
||||
In many cases Grafana will run on internal servers and use certificates that have not been signed by a CA ([Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)) that is known to Chrome and therefore cannot be validated. Chrome internally uses NSS ([Network Security Services](https://en.wikipedia.org/wiki/Network_Security_Services)) for cryptogtraphic operations such as the validation of certificates.
|
||||
|
||||
If you are using the Grafana image renderer with a Grafana server that uses a certificate signed by such a custom CA (for example a company-internal CA), rendering images will fail and you will see messages like this in the Grafana log:
|
||||
|
||||
```
|
||||
t=2019-12-04T12:39:22+0000 lvl=error msg="Render request failed" logger=rendering error=map[] url="https://192.168.106.101:3443/d-solo/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m&from=1575438321300&to=1575459921300&var-Host=master1&panelId=4&width=1000&height=500&tz=Europe%2FBerlin&render=1" timestamp=0001-01-01T00:00:00.000Z
|
||||
t=2019-12-04T12:39:22+0000 lvl=error msg="Rendering failed." logger=context userId=1 orgId=1 uname=admin error="Rendering failed: Error: net::ERR_CERT_AUTHORITY_INVALID at https://192.168.106.101:3443/d-solo/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m&from=1575438321300&to=1575459921300&var-Host=master1&panelId=4&width=1000&height=500&tz=Europe%2FBerlin&render=1"
|
||||
t=2019-12-04T12:39:22+0000 lvl=error msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/render/d-solo/zxDJxNaZk/graphite-metrics status=500 remote_addr=192.168.106.101 time_ms=310 size=1722 referer="https://grafana.xxx-xxx/d/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m"
|
||||
```
|
||||
|
||||
(The severity-level `error` in the above messages might be mis-spelled with a single `r`)
|
||||
|
||||
If this happens, then you have to add the certificate to the trust store. If you have the certificate file for the internal root CA in the file `internal-root-ca.crt.pem`, then use these commands to create a user specific NSS trust store for the Grafana user (`grafana` for the purpose of this example) and execute the following steps:
|
||||
|
||||
```[root@server ~]# [ -d /usr/share/grafana/.pki/nssdb ] || mkdir -p /usr/share/grafana/.pki/nssdb
|
||||
[root@merver ~]# certutil -d sql:/usr/share/grafana/.pki/nssdb -A -n internal-root-ca -t C -i /etc/pki/tls/certs/internal-root-ca.crt.pem
|
||||
[root@server ~]# chown -R grafana: /usr/share/grafana/.pki/nssdb
|
||||
```
|
||||
|
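Review bot: The three backticks that open the final command block sit on the same line as the first command (`[root@server ~]# [ -d /usr/share/grafana/.pki/nssdb ] || ...`), so the block will not render as code; put the fence on its own line, as the `bash` block at the top of the hunk does. In the same block the second prompt reads `[root@merver ~]#` where the other two read `[root@server ~]#`. The paragraph before it names the CA file as `internal-root-ca.crt.pem`, but the `certutil` command reads `/etc/pki/tls/certs/internal-root-ca.crt.pem`; say in the text where the file is expected, or use the same path in both places. That sentence also says both "use these commands" and "execute the following steps"; one of the two is enough. The text calls this a user specific trust store but never says that `/usr/share/grafana` is assumed to be the home directory of the `grafana` user; stating that would tell readers with a different layout which path to substitute. Since the procedure adds a trusted root for the renderer's Chrome, a closing sentence on how to confirm that the import worked and that rendering succeeds afterwards would help. Smaller points: "cryptogtraphic" should be "cryptographic", and the parenthetical about `error` being "mis-spelled with a single `r`" is hard to follow because the sample log lines show `lvl=error`; either show the variant that actually appears or drop the remark.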