Zabbix mTLS error: SSL alert number 43 TLS read fatal alert "unsupported certificate"

  • jad.baz
    Junior Member
    • Dec 2019
    • 13

    #1

    Zabbix mTLS error: SSL alert number 43 TLS read fatal alert "unsupported certificate"

    Hello,

    I'm trying to setup mTLS in Zabbix and I'm running into a TLS issue.
    My use case for Zabbix here is agent-server and not server-agent. So I only have active checks.

    Whenever I start the client it logs the following error:

    Code:
    16874:20200318:223835.350 active check configuration update from [192.168.1.31:10051] started to fail (TCP successful, cannot establish TLS to [[192.168.1.31]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file s3_pkt.c line 1493: error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate: SSL alert number 43: TLS read fatal alert "unsupported certificate")
    On the server, it logs the following error in Zabbix logs:
    Code:
    292:20200318:223845.158 failed to accept an incoming connection: from 192.168.1.229: unsupported certificate purpose: TLS handshake set result code to 1: file ssl/statem/statem_srvr.c line 3686: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed: TLS write fatal alert "unsupported certificate"
    I followed the steps outlined in using_certificates.
    Server-side, I'm using the latest zabbix-appliance 4.4 with the following in zabbix_server.conf:
    Agent-side, I'm using the latest Zabbix agent on CentOS 7. I have the following in zabbix_server.conf:
    • TLSCAFILE = zabbix_ca_file (here shown in text format)
    • TLSCERTFILE = zabbix_agentd.crt (here shown in text format)
    • TLSKEYFILE = zabbix_agentd.key
    • TLSConnect = cert
    • TLSAccept = cert
    As for the encryption setup for this host (though I'm only using connections from host):
    [Image: host_encryption.png]

    As per this SO post, "SSL alert number 43" has to do with X509 V3 extensions. That "x509v3 Extended Key Usage" contains "TLS Web Server Authentication" and not "TLS Web Client Authentication".
    However:
    • My client certificate (zabbix_agentd.crt) has the correct Extended Key Usage: "TLS Web Client Authentication"
    • Generating a client certificate without X509v3 extensions leads to the exact same error, nothing changed
    Moreover, I also tried using both clientAuth and serverAuth as proposed in this comment on ZBXNEXT-1263 (although I know it doesn't make sense in my specific case).

    Whatever I try, I always seem to get this same error
    Some help would be truly appreciated

    Thank you
    Last edited by jad.baz; 20-03-2020, 10:51.
  • jad.baz
    Junior Member
    • Dec 2019
    • 13

    #2
    ... Anyone?


    • tim.mooney
      Senior Member
      • Dec 2012
      • 1427

      #3
      I know what TLS is, but I don't know what mTLS is. Can you elaborate?

      What PKI libraries is your zabbix_agentd linked against? OpenSSL? If so, what version and on which OS/distro?

      Also, "unsupported certificate" could be hinting that it's literally that your certificate is unsupported by your TLS libraries. You chose 8192 for your RSA "keysize". Are you sure your libraries support key sizes that large? Can you (just for testing) try 2048, to rule out the key size as the problem?


      • jad.baz
        Junior Member
        • Dec 2019
        • 13

        #4
        mTLS stands for mutual TLS. But never mind that

        OS: CentOS 7
        OpenSSL: OpenSSL 1.0.2k-fips 26 Jan 2017

        I don't think it's an issue with client libraries
        I mean if it was, I would not have received the error on the server as well

        I'll try 2048 and let you know


        • tim.mooney
          Senior Member
          • Dec 2012
          • 1427

          #5
          Ah, SSL/TLS mutual authentication. Now I understand. Sorry I didn't realize that's what you were referring to.

          Also, now that I look closer at your files, are zabbix_server.crt and zabbix_agentd.crt the exact files you're using? I ask because they're not valid certs. Neither one contains the actual PEM-encoded certificate (between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines). They contain the human-readable representation of what's in the certificate, but not the certificate itself.

          Look again at the using certificates link from the Zabbix docs, that you linked to in your original post. If you look at what they show in that example, you can see that they abbreviate the PEM-encoded certificates, but they're there.

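The purpose check behind the server-side "unsupported certificate purpose" error, together with the PEM-vs-text-dump point raised in #5, as an added example that is not part of this thread or of Zabbix; it needs only the openssl CLI, and every name in it (demo-ca, agent-bad, agent-good) is made up for the demonstration:

```shell
#!/bin/sh
# Added example, not from the thread. Uses a throwaway CA in a temp dir to
# show (a) the OpenSSL purpose check behind "unsupported certificate purpose"
# and (b) how to tell a real PEM file from `openssl x509 -text` output.
# All names (demo-ca, agent-bad, agent-good) are made up for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed demo CA (constructed; a real deployment uses its own CA)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert NAME EKU: sign a leaf cert whose only extension is the given
# extendedKeyUsage, so the purpose check depends on that value alone
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# check_purpose CERT PURPOSE: exit 0 if openssl accepts CERT for PURPOSE.
# sslclient is the purpose a TLS server applies to a client certificate; a
# mismatch is X509_V_ERR_INVALID_PURPOSE, i.e. "unsupported certificate purpose"
check_purpose() {
    openssl verify -purpose "$2" -CAfile ca.crt "$1" >/dev/null 2>&1
}

# is_pem FILE: exit 0 only if FILE holds an actual PEM certificate block,
# not the human-readable dump that `openssl x509 -text` prints
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

issue_cert agent-bad serverAuth    # wrong EKU for an agent (server-only)
issue_cert agent-good clientAuth   # what the Zabbix server expects

check_purpose agent-bad.crt sslclient && echo "agent-bad: unexpectedly accepted" \
    || echo "agent-bad: rejected (unsupported certificate purpose)"
check_purpose agent-good.crt sslclient && echo "agent-good: accepted as client cert"

# The "text format" form: readable, but not a certificate Zabbix can load
openssl x509 -in agent-good.crt -noout -text > agent-good.txt
is_pem agent-good.crt && echo "agent-good.crt: PEM block present"
is_pem agent-good.txt || echo "agent-good.txt: no PEM block, text dump only"
```

Pointing TLSCertFile at a file that fails is_pem, or at one that fails the sslclient purpose check, reproduces the two failure modes discussed in the thread.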

          • jad.baz
            Junior Member
            • Dec 2019
            • 13

            #6
            I have them in pem format actually
            In my first post I explicitly said: "(here shown in text format)"
            I only posted the human-readable format so that it will be clear

            Moreover, I put some company-specific info in those pem certificates which I didn't want to post online you see, so I changed them in the human-readable thing I posted

            So here is what I'm using
            But note that I intentionally replaced the 2nd line with the 3rd line in each, because I don't want to post company-specific info (site, address, email, etc...)
            Basically I scrambled the files a bit intentionally so they will not be decodable. I'm only showing the intent here.
            Meanwhile, when I get the time, I'm gonna work on creating generic certs so that I can post the real contents of the file
            But until then, let me know if this makes sense

            Thanks a lot for your help
            Last edited by jad.baz; 02-04-2020, 09:43.