NB: I posted this issue as ZBX-17604; however, it might not be a bug but a misconfiguration on my side, so I am reposting it here in case someone could help me see if I did anything wrong.
Steps to reproduce
All the details of issue reproduction are explained in the issue reproducer I made for this issue: https://github.com/jadbaz/zabbix-tls...sue-reproducer
I've put a lot of effort into making this MCVE because I think this is a non-trivial issue and that this will speed up debugging
Check out the instructions in the repo and run with "--inter" and without
Result
Agent:
Code:
active check configuration update from [zabbix-server:10051] started to fail (TCP successful, cannot establish TLS to [[zabbix-server]:10051]: invalid CA certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/statem/statem_clnt.c line 1913: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA")
Server
Code:
failed to accept an incoming connection: from <IP>: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1543: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
Expected
Expected the agent to connect to the server without any errors
Issue description
I have an agent connected to a zabbix server with 1 active check. This agent is configured to use encryption for "connections from host".
In the "root CA" mode, I am doing the following:
- Generating a root CA key and self-signed cert
- Generating a server key
- Creating a server CSR
- Signing the CSR by the root CA
- Generating an agent key
- Creating an agent CSR
- Signing the CSR by the root CA
For cert files
- In Zabbix CA file, I include
- root CA cert
- In zabbix_server.crt I include in order
- server cert
- root CA cert
- In zabbix_server.crt I include in order
- agent cert
- root CA cert
In the "intermediate CA" mode, I am doing the following (bold parts are different or added):
- Generating a root CA key and self-signed cert
- Creating an intermediate CA key
- Creating an intermediate CA CSR
- Signing the CSR by the root CA
- Generating a server key
- Creating a server CSR
- Signing the CSR by the intermediate CA
- Generating an agent key
- Creating an agent CSR
- Signing the CSR by the intermediate CA
For cert files
- In Zabbix CA file, I include
- root CA cert
- intermediate CA cert
- In zabbix_server.crt I include in order
- server cert
- intermediate CA cert
- root CA cert
- In zabbix_server.crt I include in order
- agent cert
- intermediate CA cert
- root CA cert
Moreover, I am attaching both "/var/lib/zabbix/enc" directories when using root only and when using intermediate CA (they are mounted by agent and server) for quick debugging
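Added example (not code from the original post or from the linked reproducer): a shell script that builds the same two-level PKI the post describes with openssl, assembles the three bundle files in the order listed, and runs `openssl verify` against them before any Zabbix process is involved. It also signs a second copy of the intermediate CSR with no extensions to show what OpenSSL says about such an issuer: "invalid CA certificate" is OpenSSL's text for X509_V_ERR_INVALID_CA, the same phrase that leads the agent's error line above, and it is what OpenSSL reports when a certificate used as an issuer lacks basicConstraints CA:TRUE (or carries a keyUsage without keyCertSign). Whether that applies here depends on how the intermediate was signed, which the post does not show. The subjects ("Example Root CA", "zabbix-server", "zabbix-agent"), file names and the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or its reproducer.
# Builds root -> intermediate -> server/agent with openssl, assembles the
# bundle files in the order the post lists, and verifies the chains locally.
# "Example Root CA", "zabbix-server", "zabbix-agent" are placeholder names.
set -eu

# Minimal req config so the result does not depend on the system openssl.cnf.
# v3_ca marks the self-signed root as a CA; -subj overrides the dn section.
write_req_cfg() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Extensions for the intermediate: without CA:TRUE and keyCertSign, OpenSSL
# refuses to use the certificate as an issuer (X509_V_ERR_INVALID_CA).
write_ca_ext() {
    cat > "$1" <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Extensions for an end-entity certificate; $2 is the SAN hostname.
write_leaf_ext() {
    cat > "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# sign_cert DIR NAME CN ISSUER EXTFILE: new key + CSR, signed by ISSUER
sign_cert() {
    d=$1; n=$2; cn=$3; iss=$4; ext=$5
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$iss.crt" -CAkey "$d/$iss.key" \
        -CAcreateserial -days 365 -extfile "$ext" -out "$d/$n.crt" >/dev/null 2>&1
}

# make_pki DIR: root -> intermediate -> server/agent, plus the bundle files
make_pki() {
    d=$1
    write_req_cfg "$d/req.cnf"
    write_ca_ext "$d/ca.ext"
    write_leaf_ext "$d/server.ext" zabbix-server
    write_leaf_ext "$d/agent.ext" zabbix-agent
    # Root CA key and self-signed certificate
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -days 3650 \
        -subj "/CN=Example Root CA" >/dev/null 2>&1
    # Intermediate CA signed by the root, with CA extensions
    sign_cert "$d" inter "Example Intermediate CA" root "$d/ca.ext"
    # The same intermediate CSR signed with no extensions: not a valid CA
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -out "$d/inter-noext.crt" >/dev/null 2>&1
    # Server and agent certificates signed by the intermediate
    sign_cert "$d" server zabbix-server inter "$d/server.ext"
    sign_cert "$d" agent zabbix-agent inter "$d/agent.ext"
    # Bundle files in the order the post lists: CA file = root + intermediate,
    # each end-entity file = leaf, then intermediate, then root
    cat "$d/root.crt" "$d/inter.crt" > "$d/zabbix_ca.crt"
    cat "$d/server.crt" "$d/inter.crt" "$d/root.crt" > "$d/zabbix_server.crt"
    cat "$d/agent.crt" "$d/inter.crt" "$d/root.crt" > "$d/zabbix_agent.crt"
}

# verify_chain DIR LEAF: 0 if LEAF validates against the CA bundle, with the
# intermediate passed as untrusted (the way the peer presents it in a handshake)
verify_chain() {
    openssl verify -CAfile "$1/zabbix_ca.crt" -untrusted "$1/inter.crt" \
        "$1/$2.crt" >/dev/null 2>&1
}

# verify_error DIR LEAF INTER: OpenSSL's verify error text for LEAF chained
# through INTER against the root alone (empty when verification passes)
verify_error() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/$3.crt" "$1/$2.crt" 2>&1 \
        | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Usage: sh pki-check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_pki "$d"
    verify_chain "$d" server && echo "server via intermediate: OK"
    verify_chain "$d" agent && echo "agent via intermediate: OK"
    echo "intermediate signed without CA extensions: $(verify_error "$d" server inter-noext)"
fi
```

Run it as `sh pki-check.sh demo`; the two positive checks pass for the properly signed intermediate, and the last line prints the verify error text for the one signed without extensions. The same `openssl verify -CAfile ... -untrusted ...` line can be run against the real zabbix_ca.crt, zabbix_server.crt and zabbix_agent.crt from the attached enc directories to compare.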