Configuring HTTPS on a self-hosted Grafana server encrypts browser sessions, dashboard queries, and API requests on the native Grafana listener. Use this when Grafana serves traffic directly on its own port instead of relying on a reverse proxy or load balancer to terminate TLS first.
Packaged Linux installs read the active server settings from /etc/grafana/grafana.ini. In the [server] section, protocol = https tells Grafana to start its embedded web server with TLS, while cert_file and cert_key point to the certificate chain and private key that the grafana service account can read.
The certificate must match the hostname users enter, and root_url should use the same https:// scheme, hostname, and port. Keep http_addr blank unless Grafana must bind only one local address, because setting it to a public DNS name can stop the service from binding on hosts behind NAT or cloud networking.
$ sudo install -o root -g grafana -m 0640 grafana.example.com.fullchain.pem /etc/grafana/grafana.crt
Use the full certificate chain file from the certificate authority when one is provided. A leaf-only certificate can start Grafana but still fail browser or API client trust checks.
$ sudo install -o root -g grafana -m 0640 grafana.example.com.privkey.pem /etc/grafana/grafana.key
The private key controls the HTTPS identity for the Grafana hostname. Do not make it world-readable or store it in a shared project directory.
$ sudo -u grafana openssl x509 -in /etc/grafana/grafana.crt -noout -subject -dates
subject=CN=grafana.example.com
notBefore=Jun 19 23:06:01 2026 GMT
notAfter=Jun 19 23:06:01 2027 GMT
$ sudo -u grafana openssl pkey -in /etc/grafana/grafana.key -noout -check
Key is valid
$ sudoedit /etc/grafana/grafana.ini
[server]
protocol = https
http_addr =
http_port = 3000
domain = grafana.example.com
root_url = https://grafana.example.com:3000/
cert_file = /etc/grafana/grafana.crt
cert_key = /etc/grafana/grafana.key
Leave http_port = 3000 unless the service is prepared to bind a low port such as 443. Using port 443 directly can require extra Linux capabilities or a reverse proxy in front of Grafana.
$ sudo systemctl restart grafana-server
$ systemctl is-active grafana-server
active
$ curl --silent https://grafana.example.com:3000/api/health
{
  "database": "ok",
  "version": "13.0.2",
  "commit": "3fcdbc5a"
}
If the certificate is self-signed or issued by a private CA, run the check from a client that already trusts that CA or add --cacert with the trusted CA file. Avoid --insecure for handoff checks because it skips certificate trust validation.
$ openssl s_client -brief -connect grafana.example.com:3000 -servername grafana.example.com
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer certificate: CN=grafana.example.com
Verification: OK
DONE
If the peer certificate shows a different hostname, check root_url, DNS, the certificate file, and any proxy or load balancer in front of Grafana.
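A check of the [server] settings that can be run before restarting the service, as an added example that is not part of the original page or of Grafana itself. The function names ini_get and check_grafana_tls are hypothetical. It assumes one key = value per line with no inline comments, and requires root_url to state the listener port explicitly.

```shell
#!/bin/sh
# Added example: lint the [server] HTTPS settings before restarting Grafana.

# ini_get FILE KEY: print the last uncommented value of KEY in [server].
ini_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\][ \t]*$/); next }
        !in_server || /^[ \t]*[;#]/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_grafana_tls FILE: return 0 only if every check passes.
check_grafana_tls() {
    ini=$1; rc=0
    [ -r "$ini" ] || { echo "FAIL cannot read $ini"; return 1; }
    protocol=$(ini_get "$ini" protocol)
    domain=$(ini_get "$ini" domain)
    port=$(ini_get "$ini" http_port); port=${port:-3000}  # 3000 is Grafana's default
    root_url=$(ini_get "$ini" root_url)
    cert=$(ini_get "$ini" cert_file)
    key=$(ini_get "$ini" cert_key)

    [ "$protocol" = https ] || { echo "FAIL protocol='$protocol', expected https"; rc=1; }
    # root_url must repeat the https scheme, the domain and the listener port.
    case $root_url in
        "https://$domain:$port"|"https://$domain:$port/"*) ;;
        *) echo "FAIL root_url='$root_url' does not match https://$domain:$port/"; rc=1 ;;
    esac
    for f in "$cert" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] || { echo "FAIL '$f' is unset or unreadable"; rc=1; }
    done
    # The private key must not carry the world-read bit (mode 0640 in the steps above).
    if [ -n "$key" ] && [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $key is world-readable"; rc=1
    fi
    return "$rc"
}

# Run against a file only when a path is passed on the command line.
if [ "$#" -gt 0 ]; then check_grafana_tls "$1"; fi
```

Run it with sudo -u grafana and the path /etc/grafana/grafana.ini so the readability checks reflect what the service account can open.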