Configuring HTTPS on a self-hosted Grafana server encrypts browser sessions, dashboard queries, and API requests on the native Grafana listener. Use this when Grafana serves traffic directly on its own port instead of relying on a reverse proxy or load balancer to terminate TLS first.

Packaged Linux installs read the active server settings from /etc/grafana/grafana.ini. In the [server] section, protocol = https tells Grafana to start its embedded web server with TLS, while cert_file and cert_key point to the certificate chain and private key that the grafana service account can read.

The certificate must match the hostname users enter, and root_url should use the same https:// scheme, hostname, and port. Keep http_addr blank unless Grafana must bind only one local address, because setting it to a public DNS name can stop the service from binding on hosts behind NAT or cloud networking.

Steps to configure Grafana HTTPS:

  1. Open a terminal with sudo privileges.
  2. Install the certificate chain where Grafana can read it.
    $ sudo install -o root -g grafana -m 0640 grafana.example.com.fullchain.pem /etc/grafana/grafana.crt

    Use the full certificate chain file from the certificate authority when one is provided. A leaf-only certificate can start Grafana but still fail browser or API client trust checks.

  3. Install the private key with the same group-readable permissions.
    $ sudo install -o root -g grafana -m 0640 grafana.example.com.privkey.pem /etc/grafana/grafana.key

    The private key controls the HTTPS identity for the Grafana hostname. Do not make it world-readable or store it in a shared project directory.

  4. Confirm the grafana service account can read the certificate.
    $ sudo -u grafana openssl x509 -in /etc/grafana/grafana.crt -noout -subject -dates
    subject=CN=grafana.example.com
    notBefore=Jun 19 23:06:01 2026 GMT
    notAfter=Jun 19 23:06:01 2027 GMT
  5. Confirm the grafana service account can parse the private key.
    $ sudo -u grafana openssl pkey -in /etc/grafana/grafana.key -noout -check
    Key is valid
  6. Open the packaged Grafana configuration file.
    $ sudoedit /etc/grafana/grafana.ini
  7. Set the HTTPS listener options in the [server] section.
    [server]
    protocol = https
    http_addr =
    http_port = 3000
    domain = grafana.example.com
    root_url = https://grafana.example.com:3000/
    cert_file = /etc/grafana/grafana.crt
    cert_key = /etc/grafana/grafana.key

    Leave http_port = 3000 unless the service is prepared to bind a low port such as 443. Using port 443 directly can require extra Linux capabilities or a reverse proxy in front of Grafana.

  8. Restart the grafana-server service to load the TLS settings.
    $ sudo systemctl restart grafana-server
  9. Confirm the service returned to the active state.
    $ systemctl is-active grafana-server
    active
  10. Verify the Grafana health endpoint over HTTPS.
    $ curl --silent https://grafana.example.com:3000/api/health
    {
      "database": "ok",
      "version": "13.0.2",
      "commit": "3fcdbc5a"
    }

    If the certificate is self-signed or issued by a private CA, run the check from a client that already trusts that CA or add --cacert with the trusted CA file. Avoid --insecure for handoff checks because it skips certificate trust validation.

  11. Verify the TLS certificate served by the Grafana listener.
    $ openssl s_client -brief -connect grafana.example.com:3000 -servername grafana.example.com
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_128_GCM_SHA256
    Peer certificate: CN=grafana.example.com
    Verification: OK
    DONE

    If the peer certificate shows a different hostname, check root_url, DNS, the certificate file, and any proxy or load balancer in front of Grafana.
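The checks from the steps above collected into one pre-flight script, as an added example that is not part of the original guide: it reads the [server] section of grafana.ini and verifies the https scheme, private key permissions, certificate/key pairing, hostname coverage, and expiry. The function names, the FAIL message format, and the throwaway self-signed sample are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight check of the [server] TLS settings in grafana.ini.

ini_get() {  # ini_get FILE KEY -> value of KEY inside the [server] section
  awk -F= -v k="$2" '
    /^[ \t]*\[/ { in_s = ($0 ~ /^[ \t]*\[server\]/); next }
    in_s && $0 !~ /^[ \t]*[;#]/ {
      key = $1; gsub(/[ \t]/, "", key)
      if (key == k) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    }' "$1"
}

check_grafana_tls() {  # prints one FAIL line per problem; returns 1 if any
  rc=0
  fail() { echo "FAIL: $*"; rc=1; }
  proto=$(ini_get "$1" protocol); url=$(ini_get "$1" root_url)
  crt=$(ini_get "$1" cert_file);  key=$(ini_get "$1" cert_key)
  [ "$proto" = https ] || fail "protocol is '$proto', not https"
  case $url in https://*) ;; *) fail "root_url does not use https://" ;; esac
  host=${url#*://}; host=${host%%[:/]*}   # hostname users will enter
  [ -r "$crt" ] && [ -r "$key" ] || { fail "cert_file or cert_key is not readable"; return 1; }
  # The private key must not be readable by "other".
  [ -z "$(find "$key" -perm -004)" ] || fail "cert_key is world-readable"
  # Certificate and key belong together only if their public keys are identical.
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cpub=
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] || fail "cert_key does not match cert_file"
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null | grep -q "does match" ||
    fail "certificate does not cover root_url host '$host'"
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || fail "certificate has expired"
  return $rc
}

make_sample() {  # constructed sample: throwaway self-signed cert + grafana.ini in DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=grafana.example.com" \
    -keyout "$1/grafana.key" -out "$1/grafana.crt" 2>/dev/null || return 1
  chmod 0640 "$1/grafana.key"
  printf '%s\n' '[server]' 'protocol = https' 'root_url = https://grafana.example.com:3000/' \
    "cert_file = $1/grafana.crt" "cert_key = $1/grafana.key" > "$1/grafana.ini"
}

# With an argument, check that file; without one, demo on the constructed sample.
if [ $# -gt 0 ]; then check_grafana_tls "$1"
else d=$(mktemp -d) && make_sample "$d" && check_grafana_tls "$d/grafana.ini" && echo "all checks passed"; rm -rf "$d"
fi
```

Run it under sudo -u grafana with /etc/grafana/grafana.ini as the argument so the readability test applies to the service account rather than to root.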