Configure DB connection with TLS encryption

  • zaicnupagadi
    Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2010
    • 73

    #1

    Configure DB connection with TLS encryption

    Hey everyone,

    For several hours I have been trying to configure this TLS connection. I am stuck on the frontend installation screen and do not know which certificates and what paths I need to provide in:

    TLS key file
    TLS certificate file
    TLS certificate authority file

    I have generated crt and key files from the *pem files (after running mysql_ssl_rsa_setup), but now I am not sure if those are the right files, maybe I should use the pem files instead?

    Tried with the files on zabbix server and path like /home/etc/etc/, but later saw here https://blog.zabbix.com/whats-new-in...5-0-lts/10714/ that path is c:\ so copied it locally to the PC I am running configuration on - no luck.

    Appreciate any help on this,
    Cheers,
    J
  • zaicnupagadi
    Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2010
    • 73

    #2
    I think I know how to deal with it, after digging a bit I've noticed that at the end of mysql.conf there is a place for 3 certificates - 3 x pem file - zbx frontend has the same entries.

    The question now - mysql provides *.pem files - can those be pems or shall I extract crt/key from them? What path shall be provided during frontend configuration? My local windows c:\bla\bla path or the actual ubuntu path where zabbix is installed? I feel that this is the part I am missing in the documentation.


    • zaicnupagadi
      Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Dec 2010
      • 73

      #3
      Tested it, does not work with certs from /var/lib/mysql, tried with server* ones and client* ones, tried with *pem ones and converted it to *crt and *key and tried, tried to give paths from my PC, as well as from Linux - nothing. Also created user zabbix on the DB with 'require x509'. Still nothing - all the time I am getting:

      Details Cannot connect to the database.
      • Database error code 2002
      EDIT: Workbench works great with these certificates, I needed to use the client ones - despite providing the same configuration:


      Any help on how to configure this TLS connection greatly appreciated.
      Last edited by zaicnupagadi; 14-08-2020, 00:00.


      • Atsushi
        Senior Member
        • Aug 2013
        • 2028

        #4
        I think Zabbix server can't access C drive, so try putting the certificate on Zabbix server's local filesystem.



        • zaicnupagadi
          zaicnupagadi commented
          Well I thought the same, but when connecting with "Workbench" I provide my "c" location, and maybe moreover - that kind of path was provided on the zabbix blog site - so I feel it is more than confusing now. I was watching https://www.youtube.com/watch?v=AgyO-T6djek with the part about configuring TLS - nothing worked out - after configuring it that way I was getting the error "MySQL server has gone." (fishing I guess ^^).

          As of this moment there is not a single clue in my head what shall be done to enable this TLS.
      • zaicnupagadi
        Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2010
        • 73

        #5
        Most probably the issue is this:

        1294:20200816:200812.472 [Z3001] connection to database 'zabbix' failed: [2026] SSL connection error: SSL_CTX_set_default_verify_paths failed
        1294:20200816:200812.472 database is down: reconnecting in 10 seconds

        As I got this in my zabbix_server.log

        My configuration is (zabbix_server.conf):

        DBTLSConnect=verify_full
        DBTLSCAFile='/home/zabadmin/ssl2/ca.pem'
        DBTLSCertFile='/home/zabadmin/ssl2/client-cert.pem'
        DBTLSKeyFile='/home/zabadmin/ssl2/client-key.pem'

        Searching through the Internet and there are 1000 reasons why it might be like this, hate opensource in moments like this.







        • lagavazzz
          Junior Member
          • Apr 2019
          • 21

          #6
          Hello,

          Usually the SSL_CTX_set_default_verify_paths failed error occurs if paths to any of the certificate files are invalid, missing or have incorrect permissions.

          In your case I suspect the issue might be exactly this and either the permissions are too restrictive or the file path is incorrect.

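The path and permission causes named in the reply above can be checked directly on the Zabbix server host. The script below is an added example, not part of the original thread and not Zabbix's own tooling; the function names, the sample files and the literal treatment of quoted values are assumptions.

```shell
#!/bin/sh
# Added example: check the DBTLS*File paths in a zabbix_server.conf-style file.
# Prints "KEY STATUS PATH" per setting; the return value is the problem count.
# Assumption: values are taken literally, so surrounding quotes count as path.
check_dbtls() {
    conf=$1
    problems=0
    while IFS= read -r line; do
        case $line in
            DBTLSCAFile=*|DBTLSCertFile=*|DBTLSKeyFile=*) ;;
            *) continue ;;            # comments, blanks, unrelated keys
        esac
        key=${line%%=*}
        path=${line#*=}
        if [ ! -e "$path" ]; then
            status=MISSING            # wrong path, or a parent dir we cannot traverse
        elif [ ! -f "$path" ]; then
            status=NOT_A_FILE
        elif [ ! -r "$path" ]; then
            status=UNREADABLE         # exists, but this user lacks read permission
        else
            status=OK
        fi
        case $path in
            \'*|\"*) status="$status(quoted)" ;;
        esac
        [ "$status" = OK ] || problems=$((problems + 1))
        printf '%s %s %s\n' "$key" "$status" "$path"
    done < "$conf"
    return "$problems"
}

# Constructed sample: two real files, one quoted path, one missing key file.
make_sample() {
    d=$(mktemp -d)
    : > "$d/ca.pem"; : > "$d/client-cert.pem"
    cat > "$d/zabbix_server.conf" <<EOF
# constructed sample, not a real configuration
DBTLSConnect=verify_full
DBTLSCAFile=$d/ca.pem
DBTLSCertFile='$d/client-cert.pem'
DBTLSKeyFile=$d/client-key.pem
EOF
    echo "$d/zabbix_server.conf"
}

check_dbtls "${1:-$(make_sample)}" || echo "problems found: $?"
```

Run it as the account the Zabbix server process uses rather than as root, since root passes every readability test; a file under another user's home directory typically shows up as MISSING because the parent directory cannot be traversed.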

          • zaicnupagadi
            Member
            Zabbix Certified Specialist, Zabbix Certified Professional
            • Dec 2010
            • 73

            #7
            Seems it works for the zabbix_server, what had to be done was to change DBTLSConnect to "required", I am not specially happy with that but still - at least works for the server. But cannot do the same for the UI - has anyone tried to configure this? Still no matter what I am getting "Database error code 2002".


            • mix091
              Junior Member
              • Dec 2020
              • 1

              #8
              Hello,
              Have you resolved this problem? I have the same issue...
              I also configured zabbix_server over tls with DBTLSConnect "required" successfully, but I can't do this with zabbix-frontend. Each attempt ends with "Database error code 2002".


              • sabsebolo
                Junior Member
                • Jun 2025
                • 7

                #9
                I am also encountering the same problem. Did you find any solution for this?
