17 Google Chrome TLS certificate trust
Overview
This page provides Zabbix setup steps and configuration examples for using Google Chrome with Zabbix frontend or zabbix-web-service endpoints secured by a self-signed certificate or a private certificate authority.
These instructions assume that the target web server is already configured for HTTPS. For configuring TLS on the Zabbix frontend, see Secure connection to the frontend.
Configuration
Google Chrome on Linux uses a per-user NSS certificate database for trusted certificates. To make Chrome trust a self-signed certificate or a private certificate authority, add the required certificates to the NSS database of the user account that runs Chrome.
1. Install required packages.
For Debian/Ubuntu:
sudo apt install ca-certificates libnss3-tools
For RHEL-based systems:
sudo dnf install ca-certificates nss-tools
Or:
sudo yum install ca-certificates nss-tools
2. Prepare certificate files.
Create one PEM-based .crt file for each certificate needed: a single file for the self-signed certificate, or separate files for the root certificate authority certificate and, if required, each intermediate certificate.
3. Create the NSS database directory.
Use the home directory of the user that runs Chrome.
For example:
sudo mkdir -p /var/lib/zabbix/.pki/nssdb
sudo chown -R zabbix:zabbix /var/lib/zabbix/.pki/nssdb
sudo -u zabbix certutil -N -d sql:/var/lib/zabbix/.pki/nssdb
If Chrome on the target system uses a different NSS database location, use that directory instead.
Make sure the certificate files are readable by the user that runs Google Chrome. If necessary, copy them to a location accessible to that user.
4. Import the certificates.
If using a self-signed certificate:
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
-A -t "P,," \
-n "Zabbix self-signed certificate" \
-i /path/to/self-signed.crt
If using a private certificate authority, import the root certificate authority certificate into the database:
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
-A -t "C,," \
-n "Zabbix root certificate authority" \
-i /path/to/root-ca.crt
If any intermediate certificates are used, import each one separately:
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
-A -t ",," \
-n "Zabbix intermediate certificate" \
-i /path/to/intermediate-ca.crt
5. Verify the certificate database.
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb -L
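The following script is an added example, not part of the Zabbix documentation: it checks a certutil -L listing against the trust flags set in step 4 and reports entries that are missing or carry different SSL trust. The function names ssl_trust and has_flag are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit a `certutil -L` listing against the trust flags from step 4.
# Function names are hypothetical; SAMPLE_LISTING is constructed, not real output.

# ssl_trust NICKNAME: read a listing on stdin, print the SSL trust field of the
# entry (first of the three comma-separated fields); exit 1 if the entry is absent.
ssl_trust() {
    awk -v want="$1" '
        {
            attrs = $NF                             # last column: SSL,S/MIME,JAR/XPI
            if (attrs !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/) next   # header or blank
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            if (name == want) { split(attrs, f, ","); print f[1]; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# has_flag NICKNAME FLAG: 0 if the entry's SSL field contains FLAG, 1 if not,
# 2 if the nickname is missing. Empty FLAG means "no SSL trust" (intermediates).
has_flag() {
    field=$(ssl_trust "$1") || return 2
    if [ -z "$2" ]; then
        test -z "$field" && return 0
        return 1
    fi
    case "$field" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Zabbix root certificate authority                            C,,
Zabbix intermediate certificate                              ,,
'

# Live use: pipe `sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb -L` instead.
if printf '%s\n' "$SAMPLE_LISTING" | has_flag "Zabbix root certificate authority" C; then
    echo "root CA carries SSL trust flag C"
fi
```

An intermediate certificate that lists a non-empty SSL field, or a root that lists an empty one, does not match the flags from step 4 and is worth re-importing before testing Chrome.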
6. Test Chrome.
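Google Chrome uses the certificate database of the user account that launches it. If the user account does not have a writable home directory, configure a writable home and XDG directories before running the test. In that case, the NSS database that Chrome reads is the one under the home directory set here, so the certificates must be imported into that location (see step 3).
Example (replace google-chrome with chromium if Chromium is used):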
sudo -u zabbix env \
HOME=/var/lib/zabbix-home \
XDG_CONFIG_HOME=/var/lib/zabbix-home/.config \
XDG_DATA_HOME=/var/lib/zabbix-home/.local/share \
XDG_CACHE_HOME=/var/lib/zabbix-home/.cache \
google-chrome --headless --disable-gpu \
--user-data-dir=/var/lib/zabbix-home/chrome-profile \
--dump-dom https://FQDN_OF_ZABBIX_SERVER
If the configuration is correct, the command returns the HTML of the requested page.
If Chrome does not trust the certificate, the command returns a certificate error page containing messages such as NET::ERR_CERT_AUTHORITY_INVALID.
Troubleshooting
| Error | Possible cause |
|---|---|
| NET::ERR_CERT_AUTHORITY_INVALID | The certificate was imported into the wrong user profile, the root certificate authority certificate is missing, or an intermediate certificate is missing. |
| NET::ERR_CERT_COMMON_NAME_INVALID | The certificate does not match the hostname used in the browser URL. |
| NET::ERR_CERT_DATE_INVALID | The certificate is expired, not yet valid, or the system clock is incorrect. |
| Chrome still shows a certificate warning after import | Chrome is using a different NSS database for the current user, or the certificate trust flags are incorrect. |