Hi @hermanekt,

I try follow step in your url https://github.com/initMAX/zabbix-mcp-server and this youtube https://www.youtube.com/watch?v=ZXClAcTwgys&t=285s . But when i execute command it not install MCP as per below snapshot. Is it i missing step or your file have issue?


​

You are root already, why do you use sudo?

Hi,

even without sudo still same result.

Thanks.

Fantastic project!
It’s impressive to see how, together with Claude, it manages to “understand” the data and put it into context even without being given any additional information.
I installed it in a Docker container outside the Zabbix system, so I could keep it isolated for testing, and it worked without any issues.
It uses quite a lot of tokens, but it’s truly amazing. Congrats, great job!​
Alessandro

H @hermanekt

May i know the step/procedure what need to do when to update your MCP server without lost existing configuration? Another question do i need execute this command manually as per below snapshot after install using command "sudo ./deploy/install.sh update".





Thanks and appreciate your feedback

Hi kronicklez,

Good news — the update procedure is safe and fully automated. I just expanded the README with a detailed Upgrade section that should answer exactly this:


Short answer: sudo ./deploy/install.sh update is the whole procedure. No manual commands afterwards.

Your configuration is preserved. The installer never overwrites:

• /etc/zabbix-mcp/config.toml — your Zabbix URL, API token, MCP tokens, scopes, TLS settings
• Admin portal users and sessions (/var/lib/zabbix-mcp/)
• Audit log, report templates, and any custom data

You'll see this line during the update confirming it:
✓ Config preserved at /etc/zabbix-mcp/config.toml (not overwritten)

What the update command does automatically (v1.15+):

1. Pulls the latest code from git (fast-forward, falls back to fetch + reset --hard origin/<branch> if needed) and re-executes itself from the updated script
2. Reinstalls the Python package into /opt/zabbix-mcp/venv
3. Refreshes the systemd unit and logrotate config
4. Checks file permissions and offers to fix any ownership issues
5. Runs small migrations (legacy token, report templates) and validates config.toml
6. Restarts the service via systemctl restart zabbix-mcp-server and runs an HTTP health check

PDF reporting note: by default update keeps your current reporting state. If you want to enable PDF reporting on an existing install that didn't have it, use:
sudo ./deploy/install.sh update --with-reporting

If anything goes wrong, these two commands tell you what happened:
sudo ./deploy/install.sh test-config # validate config.toml
sudo journalctl -u zabbix-mcp-server -n 50 --no-pager

Feel free to paste the output here if you hit an issue — happy to take a look.

Tomas

Hi @hermanekt ,

First of all sorry if my question look noob. Lets say currently my zabbix use https self-signed certificate and the zabbix-mcp-server i install with same server with this zabbix. So my question does zabbix-mcp-server support self-signed certificate or just import self-signed certificate from zabbix server?

Thanks and appreciate your feedback

Hi kronicklez and everyone following the thread - quick answer to your TLS question plus a wider update on what's new since the original announcement.
Self-signed certificate question (your post #8)

Short answer: yes, we support self-signed certs (and any other cert source you can hand the MCP server two PEM files for) - what we do NOT do is import a cert from your Zabbix frontend.

Two distinct cert relationships in play:

1. MCP server's OWN HTTPS - what AI clients connect to. Configure in config.toml:
[server] tls_cert_file = "/etc/zabbix-mcp/tls/fullchain.pem" tls_key_file = "/etc/zabbix-mcp/tls/privkey.pem" Self-signed works fine here for local AI clients (Claude Code CLI, Cursor, MCP Inspector, ...). They run on the same machine or LAN and you can pin the cert.

It does not work for remote AI clients brokered through a vendor cloud - Claude Desktop Remote, ChatGPT custom apps, Anthropic web. Those traverse public internet to your endpoint and require a publicly-trusted CA chain (Let's Encrypt, DigiCert, ...).

2. MCP server connecting OUT to your Zabbix frontend - configure per-server:
[zabbix.production] url = "https://zabbix.example.com" verify_ssl = true # or false if your Zabbix has a self-signed cert This is independent from the cert on point 1.

v1.30 just shipped a one-liner for Let's Encrypt if you want a publicly-trusted cert without learning certbot:
sudo ./deploy/install.sh request-tls --hostname mcp.example.com --email [email protected] It runs certbot certonly (auto-detects standalone vs webroot), symlinks the cert into /etc/zabbix-mcp/tls/, writes tls_cert_file + tls_key_file into config.toml, installs a deploy hook that reloads the service after each renewal, and enables the certbot timer. Re-runnable any time you rotate hostnames. Permissions are tightened to 0440 root:zabbix-mcp on the privkey + 0710 on the live/archive directories so even an MCP RCE cannot enumerate other certs on the box. Full walkthrough: https://github.com/initMAX/zabbix-mc.../docs/OAUTH.md

For full details on certificate scenarios per AI client (which need publicly-trusted, which work with self-signed) see the README "TLS / HTTPS" section: https://github.com/initMAX/zabbix-mcp-server#tls--https
What's new since the original post (v1.16 -> v1.30)

The original announcement listed "225 tools, bearer auth". Quite a bit landed since then - here is the cumulative picture as of v1.30 (released 2026-05-05):

Tools (now 237 = 223 Zabbix API + 14 extension)

• All 58 Zabbix API groups still covered
• Per-token tools/list filter - a monitoring-only token sees ~25 tools instead of 237, ~78% LLM input savings on the initial handshake (#38)
• New extension tools that fold 3-5 raw API calls into one round-trip (Quadrata Insights review feedback): host_status_get, hostgroup_overview_get, infrastructure_summary_get, item_history_summary_get, problem_active_get. Replaces the typical "host_get -> interface_get -> problem_get -> item_get" chain LLMs had to write. The old raw tools are still there.
• report_generate (PDF reports), graph_render (PNG export), anomaly_detect (z-score), capacity_forecast (linear regression), item_threshold_search, action_prepare/action_confirm (two-step write approval), health_check, zabbix_raw_api_call

Authentication

• Embedded OAuth 2.1 authorization server (v1.28+) - ChatGPT custom apps, Claude Desktop remote connectors, MCP Inspector and any MCP 2025-11-25 client can sign in without an external IdP. Authorization Code + PKCE S256, RFC 7591 dynamic client registration, RFC 8707 audience binding, refresh-token rotation, RFC 7009 revocation.
• Two-step consent screen with per-scope checkboxes (v1.29) - operator picks exactly which scope groups the client gets. Wildcard * and concrete groups are mutually exclusive.
• Operator role caps the consent grant: admin can grant any scope, operator is limited to monitoring/data_collection/alerts/extensions, viewer to monitoring/extensions.
• Refresh-token reuse detection (RFC 6819) - replaying a rotated refresh token revokes the entire token family.
• Per-client IP allowlist + TTL override in [oauth_clients.<id>].
• v1.30: in-portal OAuth enable form so admins do not have to hand-edit config.toml. Validation rejects http://, raw IPs, and bare hostnames upfront.
• Legacy [tokens.X] bearer mode keeps working alongside OAuth.

Admin portal

• Full web UI on port 9090 for tokens, users, servers, report templates, settings, audit log, OAuth clients
• Light/dark mode + role-based access (admin/operator/viewer)
• Client MCP Wizard at /wizard - point-and-click generator for 14 AI clients (Claude Desktop, Codex, Cursor, Cline, VS Code Copilot, JetBrains AI, Goose, Open WebUI, 5ire, Gemini CLI, n8n, Claude Code, ChatGPT, Generic). Pick server -> token -> client, get a copy-paste-ready config snippet.
• Update notifications (v1.24+) - polls GitHub releases, banner appears in the top bar when a newer stable version is out, "Check now" button in Settings -> Admin Portal for manual refresh
• AI-assisted PDF report-template authoring (v1.23) - 6 LLM providers supported

Other

• MCP 2025-11-25 protocol spec compliance (v1.26)
• Streamable HTTP + SSE transports (HTTP recommended)
• Full audit log: every OAuth event, every config change, every token operation
• Pre-release verification per release: 18-OS Docker installer matrix, ~250-tool CRUD smoke against a real Zabbix instance, code review + security audit

Releases:

• v1.30 (latest): https://github.com/initMAX/zabbix-mc...ases/tag/v1.30
• All releases: https://github.com/initMAX/zabbix-mcp-server/releases

ChatGPT custom apps walkthrough (the OAuth flow end-to-end): https://github.com/initMAX/zabbix-mc...-CUSTOM-APP.md

Discussion / questions / feature requests: https://github.com/initMAX/zabbix-mc...er/discussions
Bug reports: https://github.com/initMAX/zabbix-mcp-server/issues

Thanks everyone for the field testing - your install logs, screenshots and edge-case reports drove most of the v1.17 through v1.30 polish.