Discussion thread for official Zabbix Template TLS/SSL certificates monitoring

This topic has been answered.
  • kerya
    Junior Member
    • Sep 2012
    • 3

    #61
    Originally posted by petr.114
    Hello, I deployed certificate monitoring a few days ago. All hosts work well except one, which is reporting "failed to verify certificate: x509: certificate signed by unknown authority".
    This is really weird, since I monitor another host signed by the same authority without any issue. The only difference I found is that this host has two "subject alternative name" entries.
    I wonder if that could be the issue.


    Cert: Valid from: 2023-05-12 23:57:24
    Cert: Expires on: 2023-08-10 23:57:23
    Cert: Issuer: CN=R3,O=Let's Encrypt,C=US
    Cert: Subject: CN=host.example.com
    Cert: Subject alternative name: ["host2.example.com","host.example.com"]
    Cert: Last validation status: failed to verify certificate: x509: certificate signed by unknown authority
    Cert: Validation result: invalid
    I have the same issue.

    openssl s_client -connect <target_site>:443 on both Zabbix server and agent shows:

    verify error:num=20:unable to get local issuer certificate
    verify return:1

    verify error:num=21:unable to verify the first certificate
    verify return:1




    Does anyone have any solution?


    • GRIFFCOMM
      Junior Member
      • Jan 2021
      • 11

      #62
      How do we check more than one domain for a certificate?


      • fveegaert
        Junior Member
        • Dec 2022
        • 6

        #63
        Originally posted by GRIFFCOMM
        How do we check more than one domain for a certificate?
        You can create one item per domain

        Last edited by fveegaert; 29-02-2024, 20:34.


        • petr.114
          Junior Member
          • Apr 2021
          • 6

          #64
          Originally posted by kerya

          I have the same issue.

          openssl s_client -connect <target_site>:443 on both Zabbix server and agent shows:

          verify error:num=20:unable to get local issuer certificate
          verify return:1

          verify error:num=21:unable to verify the first certificate
          verify return:1




          Does anyone have any solution?
          I have found the root cause of the issue.

          For me, it was caused by not using the fullchain certificate for the website. Browsers can usually deal with it, but the Zabbix implementation (I think it uses OpenSSL) needs to see the full chain of certification authorities.

          If you don't use the fullchain certificate, Zabbix detects only your cert with its certification authority: example.com -> R3
          After I used the fullchain, it can detect all the authorities in the chain: example.com -> R3 -> ISRG Root X1 -> DST Root CA X3


          • marco_a
            Junior Member
            • Mar 2023
            • 7

            #65
            Hi,

            I'm trying to test my Zabbix front-end certificate but it gives me this error:

            ZBX_NOTSUPPORTED] [Cannot fetch data: remote error: tls: handshake failure.]



            If I try to test the website using 'openssl s_client -connect site:443 -trace', I get this error:

            Received Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = Handshake (22)
            Length = 4
            ServerHelloDone, Length=0

            Sent Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = Handshake (22)
            Length = 7
            Certificate, Length=3
            certificate_list, length=0

            Sent Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = Handshake (22)
            Length = 37
            ClientKeyExchange, Length=33
            KeyExchangeAlgorithm=ECDHE
            ecdh_Yc (len=32): BE39F92E2D03AEB69F4E307A8A4100CA533B566E298688B605 995E1869F5A94A

            Sent Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = ChangeCipherSpec (20)
            Length = 1
            change_cipher_spec (1)

            Sent Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = Handshake (22)
            Length = 40
            Finished, Length=12
            verify_data (len=12): C82FBC4E7FE5C430DA255D0A

            Received Record
            Header:
            Version = TLS 1.2 (0x303)
            Content Type = Alert (21)
            Length = 2
            Level=fatal(2), description=handshake failure(40)

            80CB64E5C57F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40

            Any suggestions?
            Thanks
            Marco



            • alientm
              alientm commented
              Were you able to resolve this issue? I have a similar issue with some certificates on the website.
          • SzymonUnion
            Junior Member
            • Oct 2020
            • 18

            #66
            Hi,

            For one SSL (one VM) it is working fine. I have one domain and many VMs with SSLs installed, signed by our CA (Root & Intermediate).
            When I added the webcertificate template to the 2nd VM and configured the macro with name/IP/port, I later got the info that Unsupported item key...

            What am I doing wrong?

            Thanks in advance!


            • yurtesen
              Senior Member
              • Aug 2008
              • 130

              #67
              Documentation says certificate validation result can be `valid-but-self-signed`
              The certificate validation result. Possible values: valid/invalid/valid-but-self-signed
              But it seems that when the certificate is self-signed, it returns `invalid` unless the CA cert is added as authoritative.

              and one gets:
              "result":{"value":"invalid","message":"failed to verify certificate: x509: certificate signed by unknown authority"}
              Shouldn't it return `valid-but-self-signed` instead, as the cert is fine otherwise but the CA can't be verified?


              • yurtesen
                Senior Member
                • Aug 2008
                • 130

                #68
                Well it will be fixed soon


                • cheneric
                  Junior Member
                  • Aug 2023
                  • 11

                  #69
                  Originally posted by GRIFFCOMM
                  How do we check more than one domain for a certificate?
                  After V7.4, multiple values can be specified, separated by commas.
                  https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.4
                  Last edited by cheneric; 13-10-2025, 11:03.
