Hey Folks,
Looking for some guidance on certificates for Zabbix Agent (2) encryption. A little bit about our environment:
Zabbix Server: 6.0.23 (HA Enabled)
Zabbix DB: MySQL 8.0 (HA Enabled)
Zabbix Agent 2: 6.2.9 (planning to move to 6.4.8)
Our Zabbix server environment implements native high availability in Active/Passive (only method supported). We have two servers running with the hostnames zbx01.example.com and zbx02.example.com. Both servers have full web front ends and processing capabilities. Both servers connect to the backend database (Azure-hosted) with TLSv1.2 enforced at Zabbix and the DB level. The DB is Active/Passive, with the passive node being a hot spare. All the Zabbix Servers run RedHat 9.2.
The Zabbix Agent exclusively monitors custom appliances deployed globally. Zabbix Agent implements most of the default Linux checks (active), but also several templates to monitor custom applications (performance, errors, etc). Because these appliances live globally and in client environments, (and most clients only implement 1-2 of them in general/region), we aren't utilizing the Zabbix Proxy. Instead we deploy these servers with PSK encryption. We're looking to move away from PSK encryption and into certificate encryption. We intermittently have issues with PSK and how it handles parsing. It randomly encounters unexpected EOL, leading to script execution failures and monitor metrics dropping for a minute. We're hoping certificates can solve it, and help us automate encryption a little bit more.
We don't want to assign a wildcard certificate to the servers, we'd rather sign the certs with the proper hostnames. I've seen online that you can combine multiple certificates into a single file and zabbix will use it. However, it was in a slightly different context. If we generate two machine keys and have the certificates signed for zbx01.example.com and zbx02.example.com, assign the keys and certificates to the respective Zabbix hosts, then concat the CA file on the agents, will this work properly if the agent fails over to a new active node?
Cheers,
AV636_ZBX
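As an added illustration (not part of the original post and not Zabbix project code), the script below parses the `Key=Value` format of a `zabbix_agent2.conf` and lints the certificate-mode TLS settings for the two-node setup described above. The sample configuration it carries is constructed; the parameter names (`TLSConnect`, `TLSAccept`, `TLSCAFile`, `TLSCertFile`, `TLSKeyFile`, `TLSServerCertIssuer`, `TLSServerCertSubject`, `ServerActive`) are the real agent parameters, and the semicolon-separated `ServerActive` value is the HA-cluster syntax Zabbix 6.0+ agents accept. The check it adds that the question turns on: `TLSServerCertSubject` pins one certificate subject, so with per-hostname certificates on zbx01 and zbx02 it cannot match both nodes, whereas `TLSServerCertIssuer` plus a CA bundle in `TLSCAFile` applies to both.

```python
"""Lint the TLS section of a zabbix_agent2.conf for certificate mode.

Added example, not Zabbix project code. It checks the combination of
settings that matters when an agent talks to a two-node HA cluster whose
nodes carry hostname-specific certificates signed by one internal CA.
"""
from __future__ import annotations

import re

# Constructed sample config (not from a real deployment). ServerActive uses
# the semicolon-separated cluster syntax accepted by Zabbix 6.0+ agents.
SAMPLE_CONF = """\
# Zabbix Agent 2 - constructed example
Hostname=appliance-01
Server=zbx01.example.com,zbx02.example.com
ServerActive=zbx01.example.com;zbx02.example.com
TLSConnect=cert
TLSAccept=cert
TLSCAFile=/etc/zabbix/zabbix_ca_bundle.pem
TLSCertFile=/etc/zabbix/appliance-01.crt
TLSKeyFile=/etc/zabbix/appliance-01.key
TLSServerCertIssuer=CN=Example Internal CA,O=Example Corp
"""

CERT_FILES = ("TLSCAFile", "TLSCertFile", "TLSKeyFile")


def parse_conf(text: str) -> dict[str, str]:
    """Parse 'Key=Value' lines; '#' comments and blank lines are skipped.
    If a key repeats, the last occurrence wins (Zabbix itself rejects
    duplicates, so a linter would normally flag them; kept simple here)."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a Key=Value line; ignore it
        conf[key.strip()] = value.strip()
    return conf


def server_hosts(conf: dict[str, str]) -> set[str]:
    """Collect distinct server hostnames from Server (comma-separated) and
    ServerActive (comma- or semicolon-separated), dropping any :port suffix."""
    hosts: set[str] = set()
    for key in ("Server", "ServerActive"):
        for item in re.split(r"[,;]", conf.get(key, "")):
            item = item.strip()
            if item:
                hosts.add(re.sub(r":\d+$", "", item))
    return hosts


def lint_tls(conf: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means no issue found."""
    findings: list[str] = []
    connect = conf.get("TLSConnect", "unencrypted").strip()
    accept = {m.strip() for m in conf.get("TLSAccept", "unencrypted").split(",")}
    modes = accept | {connect}

    # cert mode needs the CA bundle, the agent certificate and its key
    if "cert" in modes:
        for key in CERT_FILES:
            if not conf.get(key):
                findings.append(f"{key} is required when TLSConnect/TLSAccept use cert")
    else:
        for key in CERT_FILES:
            if conf.get(key):
                findings.append(f"{key} is set but no cert mode is enabled (ignored)")

    # a single pinned subject cannot match two hostname-specific server certs
    hosts = server_hosts(conf)
    subject = conf.get("TLSServerCertSubject")
    if subject and len(hosts) > 1:
        findings.append(
            f"TLSServerCertSubject pins one subject ({subject}) but {len(hosts)} "
            "server nodes are listed; per-node certificates cannot all match it"
        )

    # without issuer or subject, only the CA signature in TLSCAFile is checked
    if connect == "cert" and not subject and not conf.get("TLSServerCertIssuer"):
        findings.append(
            "neither TLSServerCertIssuer nor TLSServerCertSubject is set: "
            "any certificate chaining to TLSCAFile is accepted as the server"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run against the sample it reports nothing; append `TLSServerCertSubject=CN=zbx01.example.com` and it flags that the pinned subject cannot cover the second node, which is the failure a failover to zbx02 would hit.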