From a3e406aa131964a057f0a16012f411dede488b79 Mon Sep 17 00:00:00 2001
From: Ward Bekker
Date: Mon, 18 May 2020 12:59:07 +0200
Subject: [PATCH 1/2] Added steps to add certificate signed by internal certificate authorities
---
 docs/remote_rendering_using_docker.md | 36 ++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/docs/remote_rendering_using_docker.md b/docs/remote_rendering_using_docker.md
index 2cb694dd..ce49208b 100644
--- a/docs/remote_rendering_using_docker.md
+++ b/docs/remote_rendering_using_docker.md
@@ -118,6 +118,40 @@ docker run -d --name=renderer --network=host -v /some/path/config.json:/usr/src/ You can see a docker-compose example using a custom configuration file [here/](https://github.com/grafana/grafana-image-renderer/tree/master/devenv/docker/custom-config). +## Certificate signed by internal certificate authorities + +In many cases Grafana, runs on internal servers and uses certificates that have not been signed by a CA ([Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority)) known to Chrome, and therefore cannot be validated. Chrome internally uses NSS ([Network Security Services](https://en.wikipedia.org/wiki/Network_Security_Services)) for cryptogtraphic operations such as the validation of certificates. + +If you are using the Grafana Image Renderer with a Grafana server that uses a certificate signed by such a custom CA (for example a company-internal CA), rendering images will fail and you will see messages like this in the Grafana log: + +``` +t=2019-12-04T12:39:22+0000 lvl=error msg="Render request failed" logger=rendering error=map[] url="https://192.168.106.101:3443/d-solo/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m&from=1575438321300&to=1575459921300&var-Host=master1&panelId=4&width=1000&height=500&tz=Europe%2FBerlin&render=1" timestamp=0001-01-01T00:00:00.000Z +t=2019-12-04T12:39:22+0000 lvl=error msg="Rendering failed." 
logger=context userId=1 orgId=1 uname=admin error="Rendering failed: Error: net::ERR_CERT_AUTHORITY_INVALID at https://192.168.106.101:3443/d-solo/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m&from=1575438321300&to=1575459921300&var-Host=master1&panelId=4&width=1000&height=500&tz=Europe%2FBerlin&render=1" +t=2019-12-04T12:39:22+0000 lvl=error msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/render/d-solo/zxDJxNaZk/graphite-metrics status=500 remote_addr=192.168.106.101 time_ms=310 size=1722 referer="https://grafana.xxx-xxx/d/zxDJxNaZk/graphite-metrics?orgId=1&refresh=1m" +``` + +(The severity-level `error` in the above messages might be misspelled with a single `r`) + +If this happens, then you have to add the certificate to the trust store. If you have the certificate file for the internal root CA in the file `internal-root-ca.crt.pem`, then use this `Dockerfile` to create new Docker image that has the specific NSS trust store. + +``` +FROM grafana/grafana-image-renderer:latest +RUN apk add --no-cache nss-tools +# not required, useful for debugging +RUN apk add --no-cache curl +ADD myCA-root-certificate.pem /usr/local/share/ca-certificates/rootCA.crt +RUN chmod 644 /usr/local/share/ca-certificates/rootCA.crt +RUN /usr/sbin/update-ca-certificates +# register root cert with Network Security Services, which is used by Chromium +RUN mkdir -p $HOME/.pki/nssdb +RUN cd $HOME/.pki/nssdb +RUN certutil -N -d sql:. +RUN certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "CAcert.org" -i /usr/local/share/ca-certificates/rootCA.crt +``` + +Build the Dockerfile with e.g `docker build --no-cache -t image_renderer .` and run it with `docker run -p 8081:8081 image_renderer` + + ## Docker Compose example The following docker-compose example can also be found in [docker/](https://github.com/grafana/grafana-image-renderer/tree/master/devenv/docker/simple). 
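Review bot: In the Dockerfile at the end of this hunk, `RUN cd $HOME/.pki/nssdb` does not carry over to the next instruction (each `RUN` starts a fresh shell in the image's `WORKDIR`), so `certutil -N -d sql:.` initialises an NSS database in the working directory rather than in `$HOME/.pki/nssdb`, and the `certutil -A -d sql:$HOME/.pki/nssdb` step then points at a directory that was only created with `mkdir`. Without `--empty-password` the `-N` step also tries to prompt for a database password, which a non-interactive `docker build` cannot answer — confirm against the nss-tools version in the base image. `$HOME` is expanded at build time for whichever user is active at that point in the base image; presumably that is the user Chromium runs as, but the text should state that the two must match, otherwise the store is never consulted and the `ERR_CERT_AUTHORITY_INVALID` error shown above persists. The trust flags `-t TC` additionally trust this CA to issue client certificates, which verifying the Grafana server does not require (`C,,` is enough), and the nickname `"CAcert.org"` mislabels an internal root as a public CA, which will confuse anyone auditing the trust store later. Minor: use `COPY` rather than `ADD` for a local file and pin the base image instead of `:latest` so the CA-injection layer is reproducible; a merged, corrected form is below.
```dockerfile
FROM grafana/grafana-image-renderer:<pinned-version>
# … unchanged: nss-tools install …
COPY internal-root-ca.crt.pem /usr/local/share/ca-certificates/rootCA.crt
# … unchanged: chmod 644, update-ca-certificates …
# Register the root with NSS, which Chromium uses for certificate validation.
# $HOME must be the home of the user Chromium runs as at container runtime.
RUN mkdir -p "$HOME/.pki/nssdb" \
 && certutil -N -d "sql:$HOME/.pki/nssdb" --empty-password \
 && certutil -A -d "sql:$HOME/.pki/nssdb" -t "C,," -n "internal-root-ca" \
      -i /usr/local/share/ca-certificates/rootCA.crt
```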
@@ -287,4 +321,4 @@ up 1
 # HELP grafana_image_renderer_browser_info A metric with a constant '1 value labeled by version of the browser in use
 # TYPE grafana_image_renderer_browser_info gauge
 grafana_image_renderer_browser_info{version="HeadlessChrome/79.0.3945.0"} 1
-```
\ No newline at end of file
+```
From edb5183e6c266b3e796107e0a05cb17d624b4ea2 Mon Sep 17 00:00:00 2001
From: Ward Bekker
Date: Mon, 18 May 2020 13:01:24 +0200
Subject: [PATCH 2/2] Update remote_rendering_using_docker.md
---
 docs/remote_rendering_using_docker.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/remote_rendering_using_docker.md b/docs/remote_rendering_using_docker.md
index ce49208b..41812f31 100644
--- a/docs/remote_rendering_using_docker.md
+++ b/docs/remote_rendering_using_docker.md
@@ -139,7 +139,7 @@ FROM grafana/grafana-image-renderer:latest
 RUN apk add --no-cache nss-tools
 # not required, useful for debugging
 RUN apk add --no-cache curl
-ADD myCA-root-certificate.pem /usr/local/share/ca-certificates/rootCA.crt
+ADD internal-root-ca.crt.pem /usr/local/share/ca-certificates/rootCA.crt
 RUN chmod 644 /usr/local/share/ca-certificates/rootCA.crt
 RUN /usr/sbin/update-ca-certificates
 # register root cert with Network Security Services, which is used by Chromium