После обновления CentOS c 7.6.1810 до 7.7.1908 появилась ошибка при включенном шифровании PSK в Zabbix Agent, обновил версию агента с 4.2 до 4.4 ошибка осталась, перевел Zabbix agent на Docker, ошибка так же остается, с шифрованием не работает.
В логах Zabbix Agent пишет следующее:
[root@XXX--217 zabbix]# docker logs zabbix-agent
** Deploying Zabbix agent
** Preparing the system
** Preparing Zabbix agent
** Preparing Zabbix agent configuration file
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "PidFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogType": 'console'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogFileSize": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "DebugLevel": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "SourceIP": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "EnableRemoteCommands": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogRemoteCommands": ''... removed
** Using 'XXX-253' servers for passive checks
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Server": 'XXX-253'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ListenPort": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ListenIP": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "StartAgents": ''... removed
** Using 'XXX-253:10051' servers for active checks
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ServerActive": 'XXX-253:10051'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Hostname": 'XXX--217'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostnameItem": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostMetadata": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostMetadataItem": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "RefreshActiveChecks": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "BufferSend": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "BufferSize": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "MaxLinesPerSecond": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Timeout": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Include": '/etc/zabbix/zabbix_agentd.d/'... added first occurrence
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "UnsafeUserParameters": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LoadModulePath": '/var/lib/zabbix/modules/'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSConnect": 'psk'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSAccept": 'psk'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCAFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCRLFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSServerCertIssuer": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSServerCertSubject": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCertFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSKeyFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSPSKIdentity": 'XXX--217-agent'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSPSKFile": 'zabbix_agent.psk'... added
** Cleaning the system
################################################## ######
** Starting Zabbix agent
Starting Zabbix Agent [XXX--217]. Zabbix 4.4.0 (revision cfac660).
Press Ctrl+C to exit.
6:20191030:073306.533 Starting Zabbix Agent [XXX--217]. Zabbix 4.4.0 (revision cfac660).
6:20191030:073306.533 **** Enabled features ****
6:20191030:073306.533 IPv6 support: YES
6:20191030:073306.533 TLS support: YES
6:20191030:073306.533 **************************
6:20191030:073306.533 using configuration file: /etc/zabbix/zabbix_agentd.conf
6:20191030:073306.533 agent #0 started [main process]
69:20191030:073306.534 agent #1 started [collector]
70:20191030:073306.534 agent #2 started[listener #1]
71:20191030:073306.534 agent #3 started[listener #2]
73:20191030:073306.534 agent #5 started [active checks #1]
72:20191030:073306.535 agent #4 started[listener #3]
73:20191030:073306.865 active check configuration update from [XXX-253:10051] started to fail (TCP successful, cannot establish TLS to [[XXX-253]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/record/rec_layer_s3.c line 1544: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac")
70:20191030:073310.379 failed to accept an incoming connection: from 192.168.10.233: unencrypted connections are not allowed
73:20191030:073607.924 active check configuration update from [XXX-253:10051] is working again
71:20191030:073652.785 failed to accept an incoming connection: from 192.168.10.233: TLS handshake set result code to 1: file ssl/record/ssl3_record.c line 677: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac: TLS write fatal alert "bad record mac"
При этом в web-консоли Zabbix, все индикаторы "зеленые"
На этом же сервере установлен Zabbix прокси 4.2 c шифрованием PSK, ошибок шифрования в нем нет.
В логах Zabbix Agent пишет следующее:
[root@XXX--217 zabbix]# docker logs zabbix-agent
** Deploying Zabbix agent
** Preparing the system
** Preparing Zabbix agent
** Preparing Zabbix agent configuration file
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "PidFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogType": 'console'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogFileSize": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "DebugLevel": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "SourceIP": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "EnableRemoteCommands": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LogRemoteCommands": ''... removed
** Using 'XXX-253' servers for passive checks
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Server": 'XXX-253'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ListenPort": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ListenIP": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "StartAgents": ''... removed
** Using 'XXX-253:10051' servers for active checks
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "ServerActive": 'XXX-253:10051'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Hostname": 'XXX--217'... updated
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostnameItem": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostMetadata": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "HostMetadataItem": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "RefreshActiveChecks": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "BufferSend": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "BufferSize": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "MaxLinesPerSecond": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Timeout": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "Include": '/etc/zabbix/zabbix_agentd.d/'... added first occurrence
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "UnsafeUserParameters": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "LoadModulePath": '/var/lib/zabbix/modules/'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSConnect": 'psk'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSAccept": 'psk'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCAFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCRLFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSServerCertIssuer": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSServerCertSubject": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSCertFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSKeyFile": ''... removed
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSPSKIdentity": 'XXX--217-agent'... added
** Updating '/etc/zabbix/zabbix_agentd.conf' parameter "TLSPSKFile": 'zabbix_agent.psk'... added
** Cleaning the system
################################################## ######
** Starting Zabbix agent
Starting Zabbix Agent [XXX--217]. Zabbix 4.4.0 (revision cfac660).
Press Ctrl+C to exit.
6:20191030:073306.533 Starting Zabbix Agent [XXX--217]. Zabbix 4.4.0 (revision cfac660).
6:20191030:073306.533 **** Enabled features ****
6:20191030:073306.533 IPv6 support: YES
6:20191030:073306.533 TLS support: YES
6:20191030:073306.533 **************************
6:20191030:073306.533 using configuration file: /etc/zabbix/zabbix_agentd.conf
6:20191030:073306.533 agent #0 started [main process]
69:20191030:073306.534 agent #1 started [collector]
70:20191030:073306.534 agent #2 started[listener #1]
71:20191030:073306.534 agent #3 started[listener #2]
73:20191030:073306.534 agent #5 started [active checks #1]
72:20191030:073306.535 agent #4 started[listener #3]
73:20191030:073306.865 active check configuration update from [XXX-253:10051] started to fail (TCP successful, cannot establish TLS to [[XXX-253]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/record/rec_layer_s3.c line 1544: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac")
70:20191030:073310.379 failed to accept an incoming connection: from 192.168.10.233: unencrypted connections are not allowed
73:20191030:073607.924 active check configuration update from [XXX-253:10051] is working again
71:20191030:073652.785 failed to accept an incoming connection: from 192.168.10.233: TLS handshake set result code to 1: file ssl/record/ssl3_record.c line 677: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac: TLS write fatal alert "bad record mac"
При этом в web-консоли Zabbix, все индикаторы "зеленые"
На этом же сервере установлен Zabbix прокси 4.2 c шифрованием PSK, ошибок шифрования в нем нет.
Comment