Unable to find the certs folder for SAML config in source built Zabbix

This topic has been answered.
  • akhilboby_gadgeon
    Junior Member
    • Dec 2024
    • 4

    #1

    Unable to find the certs folder for SAML config in source built Zabbix

    Zabbix version: 7.2.0
    OS: Ubuntu 22.04

    I have been trying to set up SAML for a while and the current error I can't figure out is provided below:

    You are not logged in
    • Invalid array settings: idp_cert_or_fingerprint_not_found_and_required
    I get the error right after I click the link below on the sign in page.

    Sign in with Single Sign-On (SAML)

    From the research I've done, it seems like an issue where the idp.crt certificate wasn't found.

    I am using a source built Zabbix so since the existing posts use a package installed Zabbix, they are of no use at all since those folders don't exist at all for me.

    The closest I got to finding the folder was the php conf file in the "ui" folder of source built Zabbix. This was zabbix.conf.php.example till now and I removed the ".example" from the filename.

    // Used for SAML authentication.
    // Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
    $SSO['SP_KEY'] = 'conf/certs/sp.key';
    $SSO['SP_CERT'] = 'conf/certs/sp.crt';
    $SSO['IDP_CERT'] = 'conf/certs/idp.crt';
    //$SSO['SETTINGS'] = [];

    I saw these in the file and uncommented them, but since I didn't make any manual changes, I believe these are just default values and don't create any changes.
    I've put all the required certificates into this certs folder inside the ui/conf folder.

    I've also included my current SAML settings, where I am using Keycloak.


    Sidenote:
    I am also using PostgreSQL 17 with the Zabbix server and did the config for it in the main usr/local/etc/zabbix_server.conf file.

    This php file has MYSQL in it and I am at a loss with all this configuration madness.
  • Answer selected by akhilboby_gadgeon at 02-01-2025, 10:23.
    akhilboby_gadgeon
    Junior Member
    • Dec 2024
    • 4

    This was an oversight on my part.

    It took a while to understand why the certificate paths didn't work when I used the folders inside the source folder, and I could only find package installed and docker image related Zabbix installation answers which only contributed to my frustration on solving the problem. Here are those answers, just in case someone ends up here and is looking for those.

    The docs didn't work. This did. It took me many hours to figure this out, probably because this is my first real foray into SAML. Zabbix After that is setup, you'll have two options on the login sc...


    It's specifically because my Zabbix was source built.

    There is a specific step that is done when setting up the Web Frontend of Zabbix.

    You have to copy the contents inside the "ui" folder of your Zabbix source and paste them into the respective folder of the Web Server that runs on your Ubuntu system.

    Here's the snippet from the documentation:



    Copying PHP files

    Zabbix frontend is written in PHP, so to run it a PHP supported webserver is needed. Installation is done by simply copying the PHP files from the ui directory to the webserver HTML documents directory.

    Common locations of HTML documents directories for Apache web servers include:
    • /usr/local/apache2/htdocs (default directory when installing Apache from source)
    • /srv/www/htdocs (OpenSUSE, SLES)
    • /var/www/html (Debian, Ubuntu, Fedora, RHEL)

    It is suggested to use a subdirectory instead of the HTML root. To create a subdirectory and copy Zabbix frontend files into it, execute the following commands, replacing the actual directory:

    Code:
    mkdir <htdocs>/zabbix
    cd ui
    cp -a . <htdocs>/zabbix

    All this while, I was pasting the certs on a folder which my Zabbix installation wasn't even using. I had to personally modify the PHP file of the error message out of desperation to finally observe that even the error message itself wasn't changing when I was editing the source folder.

    Once I pasted the idp.crt into the actual folder in apache, finally things started moving forward and the error was resolved. For me, it was the path below.

    Code:
    /var/www/html/zabbix/conf/certs/idp.crt
    Last edited by akhilboby_gadgeon; 02-01-2025, 10:15.
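
The situation described in this answer (certificates placed in the source tree's ui/conf/certs while Apache serves the copy under the HTML documents directory), as an added example that is not part of the original post or of Zabbix. It assumes relative $SSO paths resolve against the served frontend directory with conf/certs/* as defaults; the function names and the sample trees are constructed for illustration.

```shell
# Added example. Assumption: relative $SSO paths resolve against the frontend
# directory the web server serves, with conf/certs/* as the defaults.

# Value of an uncommented $SSO['KEY'] = '...'; line in $1, or the default ($3).
sso_path() {
    local p
    p=$(sed -n -E "s/^[[:space:]]*\\\$SSO\['$2'\][[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1" | tail -n 1)
    echo "${p:-$3}"
}

# check_saml_certs <frontend-dir>: returns 0 only if all three files are
# readable there and the SP private key is not world-readable.
check_saml_certs() {
    local root="$1" conf="$1/conf/zabbix.conf.php" problems=0 key def path
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    for key in SP_KEY SP_CERT IDP_CERT; do
        case "$key" in
            SP_KEY)   def=conf/certs/sp.key ;;
            SP_CERT)  def=conf/certs/sp.crt ;;
            IDP_CERT) def=conf/certs/idp.crt ;;
        esac
        path=$(sso_path "$conf" "$key" "$def")
        case "$path" in /*) ;; *) path="$root/$path" ;; esac
        if [ ! -r "$path" ]; then
            echo "MISSING $key $path"; problems=$((problems + 1))
        elif [ "$key" = SP_KEY ] && [ -n "$(find "$path" -perm -004)" ]; then
            echo "EXPOSED $key $path (world-readable)"; problems=$((problems + 1))
        else
            echo "OK      $key $path"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: a source tree with certs and a deployed copy without them.
make_demo_trees() {
    local t f; t=$(mktemp -d)
    mkdir -p "$t/src/ui/conf/certs" "$t/htdocs/zabbix/conf/certs"
    printf '%s\n' '<?php' "\$SSO['IDP_CERT'] = 'conf/certs/idp.crt';" \
        "//\$SSO['SP_KEY'] = '/nonexistent/sp.key';" > "$t/src/ui/conf/zabbix.conf.php"
    cp "$t/src/ui/conf/zabbix.conf.php" "$t/htdocs/zabbix/conf/"
    for f in sp.key sp.crt idp.crt; do echo placeholder > "$t/src/ui/conf/certs/$f"; done
    chmod 600 "$t/src/ui/conf/certs/sp.key"
    echo "$t"
}

demo=$(make_demo_trees)
check_saml_certs "$demo/src/ui" || true         # passes, but Apache never reads this tree
check_saml_certs "$demo/htdocs/zabbix" || true  # MISSING x3: the situation in this thread
```

On a real host, point `check_saml_certs` at the directory the web server actually serves and run it as the account PHP runs under, since the readability test applies to the calling user.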


    • elfaz
      Junior Member
      • Dec 2024
      • 2

      #2
      To resolve the issue where SAML authentication fails due to the certificates not being found in a source-built Zabbix installation, ensure the following steps are followed:

      1. Verify the Default Path
      • Ensure the sp.key, sp.crt, and idp.crt files are present in this directory, as specified in your zabbix.conf.php file.

      2. Place Certificates in the Default Path
      • Move the sp.key, sp.crt, and idp.crt files into the path defined in the $SSO configuration. Based on your description, this is the conf/certs/ directory.
      mv sp.key sp.crt idp.crt /usr/share/zabbix/ui/conf/certs/
      for example, this is my default path for certs -> /usr/share/zabbix/ui/conf/certs/


      3. Check File Permissions
      • Ensure the Zabbix process has read access to the certificate files and their containing directory.
      chmod 640 /usr/share/zabbix/ui/conf/certs/*
      chown zabbix:zabbix /usr/share/zabbix/ui/conf/certs/*

      4. Verify PHP Configuration
      • If you are using a source-built Zabbix, ensure PHP is configured to work with the database you are using (PostgreSQL in this case). You might need to update the PHP settings for database connectivity.
      • Check that the Zabbix frontend PHP configuration points to the correct database.

      5. SAML Settings in Keycloak
      • Ensure the Keycloak settings match the sp.crt and idp.crt files used.
      • The metadata URL or certificates used in Keycloak should match the ones defined in your Zabbix configuration.

      6. Restart Web Server
      • Restart the web server or PHP-FPM service to ensure the changes take effect.
      sudo systemctl restart apache2
