Unknown CA errors between Zabbix Proxy and remote Zabbix Server

  • ZapDragon
    Junior Member
    • Feb 2020
    • 3

    #1

    Hello,

    Forgive me ahead of time.
    It's 04:00 and I've been at this all day. I will likely make mistakes in this post, if I haven't already.

    I have a Zabbix server hosted on a VPS and I want to setup Zabbix proxies in a few locations to help keep the monitoring centralized.
    The Server has been up for over a year by itself without issue. I now want to expand that to my network setup at a remote location.

    I have a Proxy VM set up in VMware 6.7 and everything seems to be fine except that I can't get my pre-purchased certificate to work.

    I am using a wildcard domain SSL certificate from GlobalSign sold by AlphaSSL. The certificate is already set up as an HTTPS certificate and works fine.

    Am I unable to use these kinds of certificates?

    Below is the error I am getting.


    Code:
     25324:20200203:122021.277 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
     25324:20200203:122022.726 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
     25324:20200203:122024.171 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
    This is the exact error I get from Zabbix's log.
    I have downloaded and re-downloaded the CA cert countless times to no avail.

    Any suggestions or questions?
    Thanks
    Last edited by ZapDragon; 17-02-2020, 23:13.
  • ZapDragon
    Junior Member
    • Feb 2020
    • 3

    #2
    With even more tinkering, I have not managed to get anywhere.

    Does anyone have any suggestions?


    • Hamardaban
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • May 2019
      • 2713

      #3
      The error does not necessarily indicate a problem with the certificates; the problem can lie elsewhere, for example in the OpenSSL version or the supported ciphers (for more information, see the documentation and support). Try starting with PSK first.


      • tim.mooney
        Senior Member
        • Dec 2012
        • 1427

        #4
        Originally posted by ZapDragon
        Code:
        25324:20200203:122021.277 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
        25324:20200203:122022.726 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
        25324:20200203:122024.171 failed to accept an incoming connection: from x.x.x.x: unable to get local issuer certificate: TLS handshake set result code to 1: file ../ssl/statem/statem_srvr.c line 2931: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
        I have downloaded and re-downloaded the CA cert countless times to no avail.
        Ok, well, what did you do with the CA after you downloaded it?

        What OS and version is your Zabbix server, and your Zabbix proxy? Assuming a relatively modern Linux system, does that system use the ca-certificates package? A lot of the most popular Linux vendors have switched to using that for managing their CA trust.

        If your OS does use the ca-certificates package to manage the list of trusted CAs, did you follow the steps from your vendor for installing a new CA, including the 'update-ca-certificates' or 'update-ca-trust' (depending on your vendor) to rebuild the trusted bundle?

        Finally, are you certain you're downloading the correct CA? If it's a GlobalSign cert generated by AlphaSSL, there are probably intermediate CA certificates involved. Are you getting the correct one?


        • ZapDragon
          Junior Member
          • Feb 2020
          • 3

          #5
          Thank you for your response Tim.

          Originally posted by tim.mooney
          Ok, well, what did you do with the CA after you downloaded it?
          I put it into a file called cert.ca in my Certs directory and put the path to it in the configuration file for both the Server and Proxy.

          Originally posted by tim.mooney
          What OS and version is your Zabbix server, and your Zabbix proxy? Assuming a relatively modern Linux system, does that system use the ca-certificates package? A lot of the most popular Linux vendors have switched to using that for managing their CA trust.
          Both Servers are running Debian 10. If there was a change to how CAs were handled, I was unaware.

          Originally posted by tim.mooney
          If your OS does use the ca-certificates package to manage the list of trusted CAs, did you follow the steps from your vendor for installing a new CA, including the 'update-ca-certificates' or 'update-ca-trust' (depending on your vendor) to rebuild the trusted bundle?
          My vendor doesn't seem to provide steps beyond "copy and paste" into a text editor for installing the certificates. I also have never really had to install CA certificates before now. I assumed it was the same process as for Crt and Key certs.
          This is where I got my CA Certificates for my vendor Under R1

          I also stumbled across this one and had the same results.

          Originally posted by tim.mooney
          Finally, are you certain you're downloading the correct CA? If it's a GlobalSign cert generated by AlphaSSL, there are probably intermediate CA certificates involved. Are you getting the correct one?
          I am 80% certain I am. I have double- and triple-checked to be as sure as I can be.


          • tim.mooney
            Senior Member
            • Dec 2012
            • 1427

            #6
            A few years ago, there wasn't a well-defined procedure for managing CAs on different Linux distros. There were sometimes large differences in how you added the CA, and it also depended on whether the software was built to use (linked against) openssl, GnuTLS, NSS, etc.

            These days, it seems like most distributions are converging on the 'ca-certificates' package, and a tool, often called update-ca-certificates, that rebuilds the combined file from separate CA files that have been installed in a couple of places on the system. For example, for Debian, see this documentation.

            If you run the following two commands and report the output back here, it might help narrow down where the problem is.

            First on the wildcard certificate, run the following command to report the exact issuer for your wildcard:

            Code:
            openssl x509 -in your_wildcard_cert_file_here -noout -issuer
            Next, on the CA certificate you downloaded, run the following command to report both its subject and its issuer:

            Code:
            openssl x509 -in your_CA_certificate_file_here -noout -issuer -subject
            Remember that both the certificate and CA are public, so there's no security risk for sharing this particular information. It's the private key that needs to be carefully protected.

            If you send along the results from those two commands, it may help point to which direction to investigate further.
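            As an added example (not code from the thread), the following constructed shell session builds a throwaway root-to-intermediate-to-leaf chain with openssl, runs the two diagnostics above, and shows that a CA file holding only the root reproduces the "unable to get local issuer certificate" failure while a bundle that also contains the intermediate verifies. All names (Demo Root CA, *.example.test, bundle.crt) are made up for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the thread): a throwaway root -> intermediate -> leaf
# chain, then the two diagnostics from the post plus an "openssl verify" check
# showing why a CA file that lacks the intermediate fails with
# "unable to get local issuer certificate".
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed, marked as a CA via ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.crt -days 2 >/dev/null 2>&1
# Intermediate CA: signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out inter.crt -days 2 >/dev/null 2>&1
# Leaf (stands in for the wildcard certificate): signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=*.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt -days 2 >/dev/null 2>&1

# Diagnostic 1 from the post: who issued the leaf?
leaf_issuer() { openssl x509 -in "$1" -noout -issuer; }
# Diagnostic 2 from the post: subject of the CA file you downloaded.
ca_subject()  { openssl x509 -in "$1" -noout -subject; }
# "yes" when the leaf's issuer DN equals the CA cert's subject DN, i.e. that CA
# file is the one that actually signed the leaf. The "issuer="/"subject=" prefix
# is stripped so the two DNs compare directly.
issuer_matches() {
  [ "$(leaf_issuer "$1" | sed 's/^[a-z]*=//')" = "$(ca_subject "$2" | sed 's/^[a-z]*=//')" ] \
    && echo yes || echo no
}
# "ok" when CAFILE (what Zabbix's TLSCAFile points at) lets OpenSSL build the
# full chain for CERT, "fail" otherwise (the thread's error is the fail case).
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

issuer_matches leaf.crt root.crt    # no: the root did not sign the leaf
issuer_matches leaf.crt inter.crt   # yes: the intermediate did
chain_ok leaf.crt root.crt          # fail: intermediate missing from the CA file
cat root.crt inter.crt > bundle.crt # ship both CA certs in one TLSCAFile
chain_ok leaf.crt bundle.crt        # ok
```

            Running the two diagnostics against the real wildcard and the downloaded CA file tells you immediately whether the file you have is the signing intermediate or only the GlobalSign root.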
