Hello everyone,
Long time user, first time poster; and I could use some help.
I've been running Zabbix quite effectively in containers for a while; one for the mysql DB, one for the server and one for the web front end. For reasons that we don't need to get into, these containers are all on-prem.
I'm now interested in moving the DB container to a cloud provider. I don't think it matters which one, except that it requires a TLS connection. Getting the Zabbix Server container (zabbix/zabbix-server-mysql:ubuntu-6.0.3) to connect to the DB using TLS was pretty straightforward, once I realized that you need to set the $ZBX_DBTLSCONNECT env var to 'required' (assuming you've also successfully set $ZBX_DBTLSKEYFILE, $ZBX_DBTLSCAFILE and $ZBX_DBTLSCERTFILE).
The web UI (zabbix/zabbix-web-nginx-mysql:ubuntu-6.0.3) however, was an entirely different story. At first, the container logs would complain about not being able to connect to the DB, but then I realized that the env var was slightly different and needed to be $ZBX_DB_ENCRYPTION = 'true'. That got the db check in the container entrypoint script to work and nginx running, but the Zabbix web UI would only return a 2002 error. This is more or less the same issue that is unresolved over here: https://www.zabbix.com/forum/zabbix-...tls-encryption
I tried setting $ZBX_DB_VERIFY_HOST = false with no luck. I tried updating to Zabbix 6.0.3 with no luck either. Both of them still had the 2002 errors. I confirmed using the mysql binary that the container could connect successfully (mysql --user=zabbix --password --host=<db host> --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-mode=verify_ca) and wrote a simple PHP script to confirm that PHP could connect as well.
Eventually, the workaround was to modify the public connect function in MysqlDbBackend.php. Changing "$tls_mode = MYSQLI_CLIENT_SSL;" to "$tls_mode = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;"
Surely, there is a better way. Is there an env var that I missed? Any insight is appreciated.
Many thanks for reading.
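The CLI test in the post used `--ssl-mode=verify_ca`, which validates the certificate chain but not the host name, while the patched flag switches server certificate verification off altogether. The script below is an added example, not part of the original post or of Zabbix: it checks the two properties separately so you can see which one a given server certificate fails. The certificates and host names in it are constructed, and a host name mismatch is only an assumed cause that the post does not confirm.

```shell
#!/bin/sh
# Added example: separate "chain verifies" from "host name matches".
# All names and certificates below are constructed for the demo.

# Print chain=ok|fail and host=match|mismatch for a server certificate.
#   $1 CA bundle (PEM)  $2 server cert (PEM)  $3 name the client connects to
check_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        chain=ok
    else
        chain=fail
    fi
    # x509 -checkhost reports the result in its output, not its exit status
    if openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null |
        grep -q 'does match'; then
        host=match
    else
        host=mismatch
    fi
    echo "chain=$chain host=$host"
}

# Build a throwaway CA and a server cert whose only SAN is $2, in directory $1.
make_sample() {
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=Constructed Demo CA' \
            -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj '/CN=constructed-instance' \
            -keyout srv.key -out srv.csr 2>/dev/null
        printf 'subjectAltName=DNS:%s\n' "$2" > san.ext
        openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -extfile san.ext -out srv.pem 2>/dev/null
    )
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_sample "$demo" db.internal.example
# Connecting by the name in the certificate: both checks pass.
check_cert "$demo/ca.pem" "$demo/srv.pem" db.internal.example
# Same certificate reached by another name: a chain-only check still
# passes, a host-name check does not.
check_cert "$demo/ca.pem" "$demo/srv.pem" db-alias.example
```

Against a live server, the mysql client's `--ssl-mode=verify_identity` adds the host name check that `verify_ca` skips.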