Zabbix 6.0 - Agent2 - MQTT TLS Problem

  • Theo63
    Junior Member
    • Aug 2021
    • 8

    #1


    Zabbix 6.0
    Agent2

    I am trying to connect to a Mosquitto MQTT server using TLS, but it's not working.

    Code:
    2023/02/02 20:17:34 adding new request for key: 'mqtt.get[tls://mosquitto:8883,$SYS/broker/uptime/#,user,password]'
    2023/02/02 20:17:34 created watcher task for plugin MQTT
    2023/02/02 20:17:34 created configurator task for plugin MQTT
    2023/02/02 20:17:34 plugin MQTT: executing configurator task
    2023/02/02 20:17:34 plugin MQTT: executing watcher task
    2023/02/02 20:17:34 [MQTT] creating client for [tls://mosquitto:8883]
    2023/02/02 20:17:34 [MQTT] creating new subscriber on topic '$SYS/broker/uptime/#' for [tls://mosquitto:8883]
    2023/02/02 20:18:04 [MQTT] cannot establish connection to [tls://mosquitto:8883]: timed out while connecting

    When I use an MQTT client (MQTT Explorer) I can connect through TLS without any problems.
    When I use a Python script using paho-mqtt I can also connect without any problem, but I have to provide a link to the ca.crt present on the Mosquitto server.

    Do I have to define the location of the mqtt client certificate somewhere in the zabbix_agent2.conf or /etc/zabbix/zabbix_agent2.d/plugins.d/mqtt.conf?

    Google search and even ChatGPT are not able to help me solve this problem or point me in the right direction.

    I also tried the non-TLS Mosquitto (:1883) and that works without any problems in Zabbix.

    I'm running out of options to solve the TLS problem. Please help.
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    Perhaps this information will help:
    TLS encryption certificates can be used, by saving them in default locations. For example in ubuntu it is "/etc/ssl/certs/" directory. For TLS use "tls://" scheme


    • Theo63
      Junior Member
      • Aug 2021
      • 8

      #3
      Hi Hamardaban,

      Thanks for your answer!
      I had already found the info in the link and put a client certificate in that directory, but with no result.

      When I run an agent2 in a container, there is a ca-certificates.crt present in /etc/ssl/certs with a lot of certificates in it.
      But due to the lack of documentation it's unclear to me whether I should append my certificate to ca_certificates, or which certificates at all.

      The logging, even at debug level, is not showing what you would expect if something was wrong. The only thing you get is a 'timeout while connecting' no matter what is wrong.
      If the username or password is wrong, you get the same message.

      Using Python & paho-mqtt gives a lot more information concerning errors, and I wonder why the plugin does not, because it's also using paho.

      Last edited by Theo63; 03-02-2023, 14:15.
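Post #3 reports that every failure surfaces as the same timeout message. The following is an added example, not part of the original posts and not Zabbix plugin code: it performs only the TLS handshake with Go's crypto/tls and names the verification failure. `Probe` and `DemoBroker` are hypothetical names, and the demo broker is a constructed loopback listener using httptest's built-in certificate (valid for example.com), standing in for mosquitto:8883.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe performs only the TLS handshake with addr and names why it failed.
// A nil roots pool makes crypto/tls use the system trust store.
func Probe(addr, serverName string, roots *x509.CertPool) string {
	cfg := &tls.Config{ServerName: serverName, RootCAs: roots}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		conn.Close()
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted CA"
	case errors.As(err, &badName):
		return "name mismatch"
	}
	return "other: " + err.Error()
}

// DemoBroker is a constructed stand-in for the broker: a loopback TLS listener
// with httptest's built-in certificate. withoutCA models a store lacking the CA.
func DemoBroker() (addr string, withCA, withoutCA *x509.CertPool, stop func()) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	withCA, withoutCA = x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(srv.Certificate())
	return srv.Listener.Addr().String(), withCA, withoutCA, srv.Close
}

func main() {
	addr, withCA, withoutCA, stop := DemoBroker()
	defer stop()
	fmt.Println(Probe(addr, "example.com", withoutCA)) // CA missing from the trust store
	fmt.Println(Probe(addr, "example.com", withCA))    // CA present
	fmt.Println(Probe(addr, "mosquitto", withCA))      // name not in the certificate
}
```

Against a real broker, call `Probe("mosquitto:8883", "mosquitto", pool)` with a pool filled from ca.crt via `AppendCertsFromPEM`, or pass nil to test the system trust store.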


      • HarryKalahan
        Member
        • Jan 2014
        • 40

        #4
        Hello Theo63, I have exactly the same problem. With mosquitto_sub I can establish the connection specifying the cafile, but Zabbix doesn't read the crt file, although it is stored in /etc/ssl/certs. I suppose it is a bug that should be corrected in this plugin. My Zabbix version is 6.2.7.

        If you find the solution I hope you can share it. Thank you very much.


        • Theo63
          Junior Member
          • Aug 2021
          • 8

          #5
          Hi Harry,

          I'm not even sure if TLS is supported at all with the Go plugin.
          We are still looking into it occasionally, but I took a quick look at the Go Plugin source and did not find anything TLS related, but I'm not sure if I looked deep enough.

          We need TLS so we will come up with a solution, but hope we can do it without creating our own Go Plugin.

          I also hope the current Go Plugin will be fixed so it will pass the proper error message as it is available in Go.


          • HarryKalahan
            Member
            • Jan 2014
            • 40

            #6
            Yes, probably. I tried specifying ssl:// also but the result is the same. Finally I opened a ticket directly with Zabbix so that they can revise it.

            Let's keep in touch. Thanks in advance.


            • Theo63
              Junior Member
              • Aug 2021
              • 8

              #7
              >Let's keep in touch. Thanks in advance.
              I will! Thanks for opening the Zabbix ticket.


              • HarryKalahan
                Member
                • Jan 2014
                • 40

                #8
                Good morning Theo! Zabbix have just resolved the ticket I opened in February.

                When I have time, I'll try to review it. If you try it first, please give feedback.

                Thank you. Best regards!



                • Theo63
                  Theo63 commented
                  Good morning Harry!

                  I saw they were working on it and it's nice they fixed the bug.
                  Wonder why they did not test it earlier so they could have prevented this fix.

                  As for testing, we are doing scrum so it has to be fit in upcoming sprints. Not sure when we can schedule testing.
                  But if we do, I'll let you know.

                  Best regards!