Hey everyone!
We are having some difficulty creating/importing an HTTPS certificate for Zabbix 4.4. This is only for secure web access and not agent/proxy/client authentication. Additionally, we are generating the CSR on Zabbix and signing it from our internal Windows CA.
I had been using the following guides for reference:
https://www.zabbix.com/documentation...using_x509_v3_certificate_extensions
https://www.zabbix.com/forum/zabbix-...rom-windows-ca)
Problem/Issue:
The issue is that when browsing to Zabbix via HTTPS, we are still receiving a "Not Secure" warning after importing the SSL/TLS certificate. When looking into this, it would appear the issuing CA is incorrect and NOT showing as being issued from our internal CA (rather, the Zabbix host itself).
Issues as seen by certificate:
General Tab:
"Issued To:" shows the FQDN of the Zabbix host (which is correct)
"Issued By:" shows the FQDN of the Zabbix host, NOT our internal CA
Details Tab:
"Issuer:" shows root@[FQDN-of-zabbix] (NOT internal CA)
"Subject:" shows root@[FQDN-of-zabbix] (NOT correct format)
Certification Path Tab:
-Zabbix certificate shows OK
-Root CA is not ok (shows Zabbix not internal CA)
Below are the steps I've performed in order to generate a CSR, sign/issue the CSR from our internal CA, and then import the cert into Zabbix:
1) Copied and formatted the root CA certificate into Zabbix
- Converted "ca_cert.cer" from DER to PEM format
- openssl x509 -inform der -in ca_cert.cer -out ca_cert.pem
2) Generated CSR and Key File on Zabbix
- openssl req -new -newkey rsa:4096 -nodes -keyout server_csr.key -out server_csr.csr
CSR Location: /etc/zabbix/certs/server_csr.csr
Key Location: /etc/zabbix/certs/server_csr.key
3) Signed and issued Zabbix CSR by internal CA
- certreq -submit -attrib "CertificateTemplate:[certificate-template]" [path-to-csr]
*Saved as .crt format and copied back to Zabbix
4) Generated new CRT files after appending non-encoded info to certificate, and also encoded info to bottom of certificate (as per guide -- also is performing syntax requirement)
- CA certificate
- openssl x509 -text -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in ca_cert.pem | cat > zabbix_ca_file && cat ca_cert.pem >> zabbix_ca_file
- Zabbix Server Certificate
- openssl x509 -text -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in server_cert.crt | cat > zabbix_server.crt && cat server_cert.crt >> zabbix_server.crt
- openssl x509 -text -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in ca_cert.pem | cat >> zabbix_server.crt && cat ca_cert.pem >> zabbix_server.crt
5) Confirmed the following 3 files existed
CA Certificate: zabbix_ca_file
Server Certificate: zabbix_server.crt
Key File: server_csr.key
6) Updated "zabbix_server.conf"
TLSCAFile=/etc/zabbix/certs/zabbix_ca_file
TLSCertFile=/etc/zabbix/certs/zabbix_server.crt
TLSKeyFile=/etc/zabbix/certs/server_csr.key
7) Restarted Zabbix server
- sudo systemctl restart zabbix-server
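An added example (not part of the original post): the symptom described above, Issuer equal to Subject, is what a self-signed certificate looks like, so these shell helpers check whether a certificate file is self-signed, whether it chains to the CA file, whether it matches the private key, and what an HTTPS port actually serves. The CA name, host name and key material produced by `make_samples` are constructed stand-ins; only the file names `ca_cert.pem`, `server_csr.key`, `server_csr.csr` and `server_cert.crt` follow the post.

```shell
#!/usr/bin/env bash
# Added example; sample certificates below are constructed, not from the post.

# True if Issuer equals Subject, i.e. the certificate is self-signed.
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# True if CERT verifies against the CA certificate(s) in CAFILE.
cert_chains_to() {    # usage: cert_chains_to CAFILE CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if CERT carries the public key that belongs to the private KEY.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# SHA-256 fingerprint of a certificate file, and of what HOST:PORT serves.
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
served_fingerprint() {  # usage: served_fingerprint HOST [PORT]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Constructed samples in DIR: stand-in CA, CSR signed by it, self-signed cert.
make_samples() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca_cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=zabbix.example.internal" \
    -keyout "$d/server_csr.key" -out "$d/server_csr.csr" 2>/dev/null
  openssl x509 -req -in "$d/server_csr.csr" -CA "$d/ca_cert.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server_cert.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=zabbix.example.internal" \
    -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for c in server_cert.crt self.crt; do
  cert_is_self_signed "$demo_dir/$c" && kind="self-signed" || kind="CA-issued"
  cert_chains_to "$demo_dir/ca_cert.pem" "$demo_dir/$c" && chain=ok || chain=FAIL
  cert_matches_key "$demo_dir/$c" "$demo_dir/server_csr.key" && key=match || key=MISMATCH
  echo "$c: $kind, chain to CA: $chain, key: $key"
done
rm -rf "$demo_dir"
```

On the real host, comparing `file_fingerprint server_cert.crt` with `served_fingerprint <zabbix-fqdn>` shows whether the web server is presenting the CA-issued file at all.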