Hi there
I have been using a Zabbix setup for some years now with great success. In this particular instance, I've hit a problem which I can't get round. On August 17th, the CA certificate for my internal CA expired. I had already renewed it and handled a few certificate renewals for other services, but forgot about Zabbix.
I have a Zabbix Proxy connected to Zabbix Server using TLS encryption. This has worked flawlessly all this time, but when the CA certificate expired on the 17th, it stopped working (which is expected). I've renewed the certificate for the proxy and installed it, along with the renewed CA certificate but the encryption is no longer working.
Setup details:
Zabbix server: 6.4.6 - running in Docker (based on the ubuntu container variant).
Zabbix proxy: 6.4.6 - running on Docker also, again based on ubuntu.
Error seen in logs:
Code:
Unable to connect to [zabbix.example.com]:10051 [TCP successful, cannot establish TLS to [[zabbix.example.com]:10051]: certificate signature failure: SSL_connect() set result code to SSL_ERROR_SSL: file crypto/rsa/rsa_pk1.c line 79 func RSA_padding_check_PKCS1_type_1: error:0200008A:rsa routines::invalid padding file crypto/rsa/rsa_ossl.c line 705 func rsa_ossl_public_decrypt: error:02000072:rsa routines::padding check failed file providers/implementations/signature/rsa_sig.c line 817 func rsa_verify: error:1C880004:Provider routines::RSA lib file]
All certificates and the CA itself are generated and managed by pfSense (2.6.0), as they always have been in this Zabbix environment.
Checking the certificate against the CA cert on the CLI, things look ok:
Code:
$ openssl verify -CAfile my-ca-renewed.crt Zabbix+Proxy+Certificate.crt
Zabbix+Proxy+Certificate.crt: OK
OpenSSL can dump the certificate details and doesn't seem to see any issues, though I do note that the certificate does fail to verify on Ubuntu 22.04 with OpenSSL 3.0.2, so as the containers are based on Ubuntu 22.04, I'm not sure if this is related:
Code:
$ openssl verify -CAfile my-ca-renewed.crt zabbix-proxy.crt
CN = Zabbix Proxy SSL Cert, C = GB, ST = London, L = London, O = Zabbix
error 30 at 0 depth lookup: authority and subject key identifier mismatch
error zabbix-proxy.crt: verification failed
I am unsure how to proceed - I've even tried generating a new certificate but it produces the same error.
Does anyone have any ideas on how to proceed? Please let me know any other details needed to debug this.
Many thanks!
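The error 30 output above names an authority and subject key identifier mismatch. One way to check that directly, as an added example that is not part of the original post, is to compare the leaf certificate's Authority Key Identifier with the CA certificate's Subject Key Identifier. The two CAs, the leaf, every file name, and the idea that a renewed CA might carry a new key are constructed assumptions for the demonstration, not a diagnosis of this setup; `-ext` needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original post): does a leaf certificate's
# Authority Key Identifier (AKI) match the CA's Subject Key Identifier (SKI)?

# Print the first colon-separated hex key id in extension $2 of certificate $1.
keyid() {
    openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null |
        grep -Eo '([0-9A-Fa-f]{2}:){3,}[0-9A-Fa-f]{2}' | head -n 1
}

# Succeed only when the leaf ($1) carries an AKI equal to the SKI of the CA ($2).
aki_matches_ski() {
    aki=$(keyid "$1" authorityKeyIdentifier)
    ski=$(keyid "$2" subjectKeyIdentifier)
    [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

# Constructed test PKI: two CAs with the same subject but different keys
# (assumption: a renewal that also generated a new key), plus a leaf signed
# by the first one. All names and files are made up for the demonstration.
build_demo_pki() {
    D=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=Constructed Demo CA' '[v3]' \
        'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > "$D/ca.cnf"
    printf '%s\n' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$D/leaf.ext"
    for ca in ca-a ca-b; do
        openssl req -x509 -config "$D/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -keyout "$D/$ca.key" -out "$D/$ca.crt" 2>/dev/null
    done
    openssl req -new -config "$D/ca.cnf" -subj '/CN=constructed-proxy' \
        -newkey rsa:2048 -nodes -keyout "$D/leaf.key" -out "$D/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/ca-a.crt" -CAkey "$D/ca-a.key" \
        -CAcreateserial -extfile "$D/leaf.ext" -days 1 -out "$D/leaf.crt" 2>/dev/null
}

# Compare the constructed leaf against both CAs and show what verify reports.
build_demo_pki
for ca in ca-a ca-b; do
    if aki_matches_ski "$D/leaf.crt" "$D/$ca.crt"; then r=match; else r=mismatch; fi
    echo "$ca: leaf AKI vs CA SKI: $r"
    openssl verify -CAfile "$D/$ca.crt" "$D/leaf.crt" 2>&1 | tail -n 1
done
rm -rf "$D"
```

On real files the call is `aki_matches_ski <leaf certificate> <CA certificate>`, run against the exact CA file each side of the TLS connection is configured to trust.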