Web Monitor with SSL Certificate - Zabbix 3.4

  • lpossamai
    Senior Member
    • Jun 2018
    • 119

    #1

    Web Monitor with SSL Certificate - Zabbix 3.4

    Hi all,

    I am trying to set up a Web Monitor for my API. It is an HTTPS connection which requires an SSL certificate.

    Using the curl command, I do it this way:
    Code:
    curl --cert /etc/zabbix/certs/cert_prod.pem https://api.example.com/Ping/1.1
    The output of that command will be in XML format:
    Code:
    <?xml version="1.0" encoding="UTF-8"?><ping><service name="FBcheckOnline" status="down"/><service name="APICheckOn" status="up"/></ping>
    Here is how I am trying to do it using the Web Scenario feature:

    1. Setting up the Web Scenario:
    [Screenshot: Screenshot from 2018-06-15 13-19-13.png]

    2. Setting up the Authentication part:
    [Screenshot: Screenshot from 2018-06-15 13-19-22.png]

    3. Setting up the Steps:
    [Screenshot: Screenshot from 2018-06-15 13-19-31.png]


    The error that I get from the check is:
    Code:
    Step "Services" [1 of 1] failed: SSL connect error: NSS: client certificate not found: /usr/share/zabbix/ssl/certs/cert_prod.pem
    What am I doing wrong?
    Cheers


    EDIT 1:

    I had the certificate in the wrong directory. Fixed it and now I am getting the following error:
    Code:
    failed: Problem with the local SSL certificate: unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
    Last edited by lpossamai; 15-06-2018, 03:30.
  • kernbug
    Senior Member
    • Feb 2013
    • 330

    #2
    Originally posted by lpossamai
    Hi all,

    I had the certificate in the wrong directory. Fixed it and now I am getting the following error:
    Code:
    failed: Problem with the local SSL certificate: unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
    Hello

    Did you set the Zabbix user's permissions on the file /usr/share/zabbix/ssl/certs/cert_prod.pem including ssl and cert directory?

    • jan.garaj
      Senior Member
      Zabbix Certified Specialist
      • Jan 2010
      • 506

      #3
      I guess you need:
      SSL certificate file
      AND
      SSL key file

      And both of them must be in PEM format. It looks like you have a problem with the format of the key. Maybe it's an encrypted key (then also use the SSL key password).

      Devops Monitoring Expert advice: Dockerize/automate/monitor all the things.
      My DevOps stack: Docker / Kubernetes / Mesos / ECS / Terraform / Elasticsearch / Zabbix / Grafana / Puppet / Ansible / Vagrant

      • lpossamai
        Senior Member
        • Jun 2018
        • 119

        #4
        Originally posted by jan.garaj
        I guess you need:
        SSL certificate file
        AND
        SSL key file

        And both of them must be in PEM format. It looks like you have a problem with the format of the key. Maybe it's an encrypted key (then also use the SSL key password).

        https://www.zabbix.com/documentation...web_monitoring
        I am now trying with the SSL Key and Cert, as follows (it works when using curl directly):
        Code:
         
         curl --cert /etc/zabbix/certs/cert_prod.pem --key /etc/zabbix/certs/cert_key.key https://api.example.com/Ping/1.1
        Getting the same error though:
        Code:
         
         failed: Problem with the local SSL certificate: unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)

        • lpossamai
          Senior Member
          • Jun 2018
          • 119

          #5
          Originally posted by kernbug
          Hello

          Did you set the Zabbix user's permissions on the file /usr/share/zabbix/ssl/certs/cert_prod.pem including ssl and cert directory?
          Yup.. permissions look fine.

          • jan.garaj
            Senior Member
            Zabbix Certified Specialist
            • Jan 2010
            • 506

            #6
            Inspect your cert/key:
            Code:
            openssl x509 -in <pem cert/key> -noout -text
            • lpossamai
              Senior Member
              • Jun 2018
              • 119

              #7
              Originally posted by jan.garaj
              Inspect your cert/key:
              Code:
              openssl x509 -in <pem cert/key> -noout -text
              For the cert it looks okay.

              When doing it for the key I get the following error:
              Code:
              unable to load certificate
              139628354000784:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

              EDIT 1:

              Getting another error now:
              Code:
              failed: Problem with the local SSL certificate: unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
              However, again... with the CURL command, the key/cert works.
              Code:
              curl --cert /usr/share/zabbix/ssl/certs/cert_prod.pem --key /usr/share/zabbix/ssl/keys/key_prod.key -s https://api.example.com/Ping/1.1
              Last edited by lpossamai; 17-06-2018, 22:27.

              • lpossamai
                Senior Member
                • Jun 2018
                • 119

                #8
                Hi all,

                I was able to get it working just by changing the zabbix_server.conf:

                from:
                Code:
                SSLKeyLocation=${datadir}zabbix/ssl/keys
                to:
                Code:
                SSLKeyLocation=/usr/share/zabbix/ssl/keys
                It's working fine! Thanks!
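
The two failure modes seen in this thread, as an added example that is not part of the original posts or of Zabbix itself: it flags `SSLCertLocation`/`SSLKeyLocation`/`SSLCALocation` values in `zabbix_server.conf` that still contain an unexpanded `${...}` placeholder, and it classifies a PEM file by its header so a key is not fed to `openssl x509`. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# One line per SSL*Location parameter in a zabbix_server.conf:
# "<param> <state> <value>", state = unexpanded | relative | ok.
check_ssl_locations() {
    grep -E '^[[:space:]]*SSL(Cert|Key|CA)Location[[:space:]]*=' "$1" |
    while IFS='=' read -r name value; do
        name=$(printf '%s' "$name" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $value in
            *'${'*) state=unexpanded ;;  # build placeholder never substituted
            /*)     state=ok ;;
            *)      state=relative ;;
        esac
        printf '%s %s %s\n' "$name" "$state" "$value"
    done
}

# Classify a PEM file by its first BEGIN line; "openssl x509" parses only
# certificates, so a key needs a different subcommand.
pem_kind() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case $header in
        *'BEGIN CERTIFICATE-----'|*'BEGIN TRUSTED CERTIFICATE-----') echo certificate ;;
        *'BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted-key ;;
        *'PRIVATE KEY-----')
            # Traditional PEM keys flag encryption in a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted-key
            else echo key; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed samples: the thread's before/after config and stub PEM headers.
make_samples() {
    printf '%s\n' '# SSLCertLocation=' 'SSLCertLocation=/usr/share/zabbix/ssl/certs' \
        'SSLKeyLocation=${datadir}zabbix/ssl/keys' > "$1/before.conf"
    printf '%s\n' 'SSLKeyLocation=/usr/share/zabbix/ssl/keys' > "$1/after.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$1/plain.key"
}

tmp=$(mktemp -d) && make_samples "$tmp"
check_ssl_locations "$tmp/before.conf"
for f in cert.pem enc.key plain.key; do echo "$f: $(pem_kind "$tmp/$f")"; done
rm -rf "$tmp"
```

A file reported as `key` or `encrypted-key` can be inspected with `openssl pkey -in <file> -noout` instead of `openssl x509`; an `encrypted-key` result also means the web scenario's SSL key password field has to be filled in.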
