Zabbix PSK Issues

  • MattK
    Junior Member
    • Jul 2021
    • 15

    #1

    Zabbix PSK Issues

    I have set the following on the Zabbix server to enable PSK encryption:
    [Image: Screenshot 2021-07-17 102819.png]

    Then on the monitored server, I have set the following on the Zabbix agent (in /etc/zabbix/zabbix_agentd.conf):
    Code:
    TLSConnect=psk
    TLSAccept=psk
    TLSPSKFile=/home/zabbix/secret.psk
    TLSPSKIdentity=ipcserver
    The Server and ServerActive are also set correctly.

    However, on the Zabbix agent, I'm getting the following errors:
    Code:
    14175:20210717:003549.843 failed to accept an incoming connection: from IPADDRESS: zbx_tls_accept(): gnutls_handshake() failed: -24 Decryption has failed.
    14175:20210717:003604.847 GnuTLS audit: "Discarded message[0] due to invalid decryption"
    14175:20210717:003604.847 zbx_tls_accept() gnutls_handshake() returned: -24 Decryption has failed.
    14175:20210717:003604.847 failed to accept an incoming connection: from IPADDRESS: zbx_tls_accept(): gnutls_handshake() failed: -24 Decryption has failed.
    14175:20210717:003619.850 GnuTLS audit: "Discarded message[0] due to invalid decryption"
    14175:20210717:003619.850 zbx_tls_accept() gnutls_handshake() returned: -24 Decryption has failed.
    14175:20210717:003619.850 failed to accept an incoming connection: from IPADDRESS: zbx_tls_accept(): gnutls_handshake() failed: -24 Decryption has failed.
    And I get the following error on the Zabbix server:
    [Image: Screenshot 2021-07-17 104046.png]

    Oddly though, when I run using zabbix_get, it seems to work fine:
    Code:
    sudo zabbix_get -s IPADDRESS --tls-connect=psk --tls-psk-identity="ipcserver" --tls-psk-file=/home/ipczabbix/zabbix_agentd.psk -k "vm.memory.size[available]"
    # 683204608
    I have searched the forums and none of the fixes seem to work for me.

    Any help would be much appreciated.
  • Sebastian
    Member
    • Jul 2020
    • 33

    #2
    [Image: psk.png]

    Hello MattK,
    What OS are you using for zabbix_agent? On the attached screenshot I see a Linux template.
    Did you notice that to use PSK the agent has to be compiled with SSL support?
    If you check the download section, there are agents available for Windows supporting encryption. For Linux this seems not to be available to download.

    You can check your specific agent in zabbix_agentd.log for TLS support at the client side.


    6079:20210718:233012.331 Starting Zabbix Agent [%hostname%]. Zabbix 5.0.11 (revision 15ae5548ce).
    6079:20210718:233012.331 **** Enabled features ****
    6079:20210718:233012.331 IPv6 support: YES
    6079:20210718:233012.331 TLS support: YES
    6079:20210718:233012.332 **************************
    6079:20210718:233012.332 using configuration file: /etc/zabbix/zabbix_agentd.conf


    I am using PSK in prod successfully on Windows machines. Now, for the purpose of helping, I have just tested it on Linux and confirmed it is working fine.

    The following conf entries are used:

    TLSConnect=psk
    TLSAccept=psk
    TLSPSKFile=/etc/zabbix/namePSK.psk
    TLSPSKIdentity=namePSK


    And I have also noticed you are using two PSK files. You should probably check it.

    Config:
    TLSPSKFile=/home/zabbix/secret.psk

    zabbix_get test
    --tls-psk-file=/home/ipczabbix/zabbix_agentd.psk
    Last edited by Sebastian; 18-07-2021, 23:43.


    • MattK
      Junior Member
      • Jul 2021
      • 15

      #3
      Sorry I forgot to mention that PSK encryption does seem to work on our servers running a custom Asterisk Linux distro and the servers that are not working are using Ubuntu.

      After some more digging, I found that the Zabbix Agent on the Ubuntu servers was either not compiled with SSL support or compiled with GnuTLS, whereas both the Zabbix Server and the working Asterisk Linux distro agents are compiled with OpenSSL.

      So my question is how to compile using OpenSSL. I followed the following procedure to install the Zabbix agent: https://computingforgeeks.com/instal...ent-on-ubuntu/
      Furthermore, it seems like you can't even download the Linux package with encryption:
      [Image: Screenshot 2021-07-20 085648.png]
      Is it even possible on Linux?

      Also the config and zabbix_get test psk entries are the same just with a different name because the server and agent are on different systems.

      Thanks very much for your assistance.
      Last edited by MattK; 20-07-2021, 01:03.


      • MattK
        Junior Member
        • Jul 2021
        • 15

        #4
        Seems to all be working now!!!

        To fix, I ran the following:
        Code:
        sudo apt remove --purge zabbix-agent
        
        wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+focal_all.deb
        sudo dpkg -i zabbix-release_5.0-1+focal_all.deb
        sudo apt update
        sudo apt install zabbix-agent
        It seems like the Zabbix agent package from the default Ubuntu repo is not compiled with OpenSSL.

        I also realized that I need to have a different PSK identity for each host...

        Thanks very much for your help.
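
An added example, not part of the original posts and not Zabbix code: a Python audit of the three things this thread ended up checking, namely the agent's "TLS support" startup line, the contents of the PSK file, and whether one PSK identity is paired with more than one key. The host names, file path and key values are constructed; the 32 to 512 hex-digit bounds are the ones given in Zabbix's encryption documentation.

```python
import hashlib
import re
from collections import defaultdict

def parse_conf(text):
    """Return the TLS* settings from zabbix_agentd.conf-style text."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs if k.strip().startswith("TLS")}

def psk_problems(psk):
    """Check a PSK against Zabbix's documented form: 32 to 512 hex digits."""
    psk, problems = psk.strip(), []
    if not re.fullmatch(r"[0-9a-fA-F]+", psk):
        problems.append("not hexadecimal")
    if not 32 <= len(psk) <= 512:
        problems.append("length %d outside 32..512" % len(psk))
    return problems

def fingerprint(psk):
    """Short SHA-256 tag so two systems can compare keys without showing them."""
    return hashlib.sha256(psk.strip().lower().encode()).hexdigest()[:12]

def tls_support(log_text):
    """True/False from the agent's startup banner, None if the line is absent."""
    m = re.search(r"TLS support:\s+(YES|NO)", log_text)
    return (m.group(1) == "YES") if m else None

def identity_conflicts(hosts):
    """hosts: {name: (conf_text, psk_text)} -> identities paired with >1 key."""
    keys = defaultdict(set)
    for conf_text, psk in hosts.values():
        keys[parse_conf(conf_text).get("TLSPSKIdentity", "")].add(fingerprint(psk))
    return sorted(i for i, fps in keys.items() if len(fps) > 1)

# Constructed sample data: hypothetical hosts, file path and key values.
CONF = "TLSConnect=psk\nTLSAccept=psk\nTLSPSKFile=/etc/zabbix/agent.psk\nTLSPSKIdentity=%s\n"
HOSTS = {
    "web1": (CONF % "ipcserver", "a1" * 16),
    "web2": (CONF % "ipcserver", "b2" * 16),  # same identity, different key
    "db1": (CONF % "db1-psk", "c3" * 16 + "\n"),
}
LOG = "6079:20210718:233012.331 TLS support: YES\n"

if __name__ == "__main__":
    print("TLS support:", tls_support(LOG))
    print("conflicting identities:", identity_conflicts(HOSTS))
    for name, (_, psk) in HOSTS.items():
        print(name, fingerprint(psk), psk_problems(psk) or "ok")
```

Comparing the `fingerprint()` output from the agent's PSK file and the server-side copy shows whether both systems hold the same key without pasting the key itself anywhere.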
