SSL Certificate Problem
  • dpbaker57
    Member
    • Aug 2010
    • 33

    #1

    SSL Certificate Problem

    I'm monitoring a site and having an issue with a site's SSL certificate.
    It is an issue that requires the -k or --insecure option with curl. Is there anyway to tell Zabbix (1.8.4) not to validate it?

    $ curl https://site-obscured.com/roi/servle...yAction=Status us
    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    $
    $ curl -k https://site-obscured.com/roi/servle...yAction=Status
    <HTML><HEAD><TITLE>Status</TITLE></HEAD><BODY><H1>Status: GREEN</H1></BODY></HTML>
    $
  • Rudd
    Member
    • Mar 2011
    • 69

    #2
    You monitor a site using a Web Scenario?

    I've got a few Web Scenarios hitting SSL sites with self signed certificates. I was not aware Zabbix tried to validate the certificate path. The Zabbix tests work out of the box for me. Running curl from the command line obviously results in the same error you described as I never loaded the CA.

    Can you provide some more information on what is actually configured in Zabbix?

    While waiting for a helpful answer I would probably try to add the CA to the ca-bundle.crt on the server.


    • dpbaker57
      Member
      • Aug 2010
      • 33

      #3
      Zabbix configuration

      It is a website trigger with the expression:
      {Website_Monitor:web.test.fail[SITE_Status_Page].sum(#7)}>3
      And URL:

      The actual monitor has only one step:

      expecting the page to return 200 or 210 and contain the word GREEN

      This is one of many web monitors we have, many if not most running SSL. The site is running WebSphere and IIS.

      I'm thinking I might add the certificate to the "bundle" on the server. I'm not sure how curl/curllib would react to that.


      • dpbaker57
        Member
        • Aug 2010
        • 33

        #4
        Here is the full output of "openssl s_client -connect express.rwsol.com:443"

        depth=0 /C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
        verify error:num=20:unable to get local issuer certificate
        verify return:1
        depth=0 /C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
        verify error:num=27:certificate not trusted
        verify return:1
        depth=0 /C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
        verify error:num=21:unable to verify the first certificate
        verify return:1
        CONNECTED(00000003)
        ---
        Certificate chain
        0 s:/C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
        i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
        ---
        Server certificate
        subject=/C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
        issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 1498 bytes and written 311 bytes
        ---
        New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
        Server public key is 1024 bit
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        SSL-Session:
        Protocol : TLSv1
        Cipher : DES-CBC3-SHA
        Session-ID: 6B66A407A2B0146FEB5276FFDC6B78C406E18E243DCB7C36AF 17F405F7C07E7C
        Session-ID-ctx:
        Master-Key: B4E79C35ED62B921E3EDEF1309EEB536BD98A1087B0E64940B 74A43434F238BB2F112AE6A23A95492B22BFB1F2701759
        Key-Arg : None
        Start Time: 1302015075
        Timeout : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        ---
        DONE


        • Rudd
          Member
          • Mar 2011
          • 69

          #5
          "VeriSign Class 3 Secure Server CA - G3" is not a root certificate and your server does not send the certificate chain. Hence the verification fails. In your example the SSL client is connected though, albeit with a warning.

          If you believe that the certificate chain is the problem you could have your server send the intermediate certificate (http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer) as well.

          Having said that, I don't think Zabbix tries to validate the certificate chain. I am successfully monitoring SSL web servers with self signed certificates. They warn as well when I connect using openssl or curl. Your scenario is somewhat different of course.


          • dpbaker57
            Member
            • Aug 2010
            • 33

            #6
            Originally posted by Rudd
            Having said that, I don't think Zabbix tries to validate the certificate chain. I am successfully monitoring SSL web servers with self signed certificates. They warn as well when I connect using openssl or curl. Your scenario is somewhat different of course.
            I'm curious why this one site of the dozens we monitor is having issues. A number of them are using wildcard certs, which usually causes problems. I suspect this cert was formed or installed in some idiosyncratic way. If I find out what is wrong I will post to this thread.


            • dpbaker57
              Member
              • Aug 2010
              • 33

              #7
              Fixed Cert. Curl Happy. Zabbix not!

              As you can see below, curl is now fine with the certificate as updated. My web site monitor is still getting "Fail - Error: SSL connect error". Not the most useful error message, and the server log file is not any better:
              12973:20110408:133530.979 Web scenario step [WPIFP_Status_PageisplaySystemStatus] error: error doing curl_easy_perform: SSL connect error


              root@ctsms2:~# curl https://express.rwsol.com/roi/servle...yAction=Status
              <HTML><HEAD><TITLE>Status</TITLE></HEAD><BODY><H1>Status: GREEN</H1></BODY></HTML>
              root@ctsms2:~#
              root@ctsms2:~# openssl s_client -connect express.rwsol.com:443 < /dev/null 2>&1
              CONNECTED(00000003)
              depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
              verify error:num=20:unable to get local issuer certificate
              verify return:0
              ---
              Certificate chain
              0 s:/C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
              i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
              2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
              i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
              ---
              Server certificate
              subject=/C=US/ST=Wisconsin/L=Waukesha/O=Connecture, Inc/OU=IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=express.rwsol.com
              issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              ---
              No client certificate CA names sent
              ---
              SSL handshake has read 4260 bytes and written 311 bytes
              ---
              New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
              Server public key is 1024 bit
              Secure Renegotiation IS NOT supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
              Protocol : TLSv1
              Cipher : DES-CBC3-SHA
              Session-ID: 1E7D83B4D48052683952D1C62A4BCFA29E9E06B88787185035 4E438307ABB481
              Session-ID-ctx:
              Master-Key: 0B404878DB94DB0D78E7B99D0BF5868FCA6C68E53F3D3FC01E 0C2CBC3FD8CFF59AC306148BAF61BE6B0E4C5F0913B92C
              Key-Arg : None
              Start Time: 1302286229
              Timeout : 300 (sec)
              Verify return code: 20 (unable to get local issuer certificate)
              ---
              DONE
              root@ctsms2:~#

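As an added diagnostic (not code from this thread or from Zabbix), the script below parses the "Certificate chain" section of openssl s_client output like the dumps in #4 and #7 and reports whether the server sent every link up to a trusted root, which is the distinction Rudd draws in #5. The sample outputs are abbreviated from the thread, and TRUSTED_ROOTS is a constructed stand-in for the monitoring host's CA bundle.

```python
import re

# Constructed samples, abbreviated from the two "openssl s_client" runs in #4 and #7.
LEAF = "/C=US/ST=Wisconsin/O=Connecture, Inc/CN=express.rwsol.com"
G3 = "/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3"
G5 = "/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5"
ROOT = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
BEFORE_FIX = f"""Certificate chain
 0 s:{LEAF}
   i:{G3}
---
"""
AFTER_FIX = f"""Certificate chain
 0 s:{LEAF}
   i:{G3}
 1 s:{G3}
   i:{G5}
 2 s:{G5}
   i:{ROOT}
---
"""
# Hypothetical trust store: subjects of the roots in the monitoring host's CA bundle.
TRUSTED_ROOTS = {ROOT}


def parse_chain(output):
    # Returns [(subject, issuer), ...] in the order the server presented them.
    chain, lines = [], output.splitlines()
    for idx, line in enumerate(lines):
        subj = re.match(r"\s*\d+ s:(.*)", line)
        if subj and idx + 1 < len(lines):
            iss = re.match(r"\s*i:(.*)", lines[idx + 1])
            if iss:
                chain.append((subj.group(1).strip(), iss.group(1).strip()))
    return chain


def diagnose(output, roots=TRUSTED_ROOTS):
    # Explains why a verifier such as curl/libcurl would accept or reject the chain.
    chain = parse_chain(output)
    if not chain:
        return "no certificates"
    # Each certificate's issuer must be the subject of the next one the server sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return f"broken link: {issuer!r} is not followed by its own certificate"
    last_subject, last_issuer = chain[-1]
    if last_issuer in roots or last_subject in roots:
        return "chain complete and anchored in a trusted root"
    if last_subject == last_issuer:
        return "chain ends in a self-signed certificate that is not trusted"
    return f"incomplete chain: server did not send issuer {last_issuer!r}"
```

Run with an empty trust store, the #7 chain still reports the missing issuer, which is the "unable to get local issuer certificate" (code 20) result the second s_client run shows even though the server now sends the full chain.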

              • dpbaker57
                Member
                • Aug 2010
                • 33

                #8
                Moving this to problem forum

                I am moving this to the problem forum since I now believe this is a Zabbix problem and not my configuration.
