Zabbix 6.0.8 - Certificate setup to communicate secure between server and proxy fails

  • Peter Welter
    Junior Member
    • Feb 2022
    • 4

    #1

    Zabbix 6.0.8 - Certificate setup to communicate secure between server and proxy fails

    We have a simple setup of
    • 1 zabbix server and
    • 1 zabbix proxy version 6.0.8; both rhel8.
    With 'no encryption' the setup works. The zabbix server and the zabbix proxy server see each other.

    We try to follow the documentation https://www.zabbix.com/documentation...-zabbix-server but we must say that this page is not helpful enough, unfortunately.

    We have certificates for both servers from a valid CA, but both servers (even at DebugLevel 5) only show these errors in their respective logs:

    zabbix-server:
    Code:
    340989:20220901:112756.365 failed to accept an incoming connection: from xxx.xxx.xxx.xxx: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
    340987:20220901:112757.374 failed to accept an incoming connection: from xxx.xxx.xxx.xxx: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
    340986:20220901:112758.383 failed to accept an incoming connection: from xxx.xxx.xxx.xxx: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
    zabbix proxy-server:

    Code:
    244980:20220901:115216.770 Unable to connect to [zabbix-server-dns-name]:10051 [TCP successful, cannot establish TLS to [[zabbix-server-dns-name]:10051]: unable to get local issuer certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/statem/statem_clnt.c line 1915: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA"]
    244980:20220901:115216.770 Will try to reconnect every 1 second(s)
    244976:20220901:115216.832 proxy #8 started [preprocessing worker #1]
    244978:20220901:115216.832 proxy #10 started [preprocessing worker #3]
    244980:20220901:115316.362 Still unable to connect...
    244969:20220901:115416.769 Still unable to connect...
    And now we do not see what is missing (unknown CA?), or even what the next step is to proceed.

    Any help is appreciated.
    --
    Peter
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    Have you configured the TLSCAFile parameter?

    Comment

    • Peter Welter
      Junior Member
      • Feb 2022
      • 4

      #3
      Hi @Hamardaban,

      Thanks for the suggestion and the links.

      We have set up this particular setting:

      ZABBIX PROXY
      Code:
      TLSConnect=cert
      TLSAccept=cert
      TLSCAFile=/etc/pki/tls/certs/sectigo_ov_chain.pem
      TLSServerCertIssuer=CN=...
      TLSServerCertSubject=CN=...
      TLSCertFile=/etc/pki/tls/certs/zabbix-proxy-....pem
      TLSKeyFile=/etc/pki/tls/private/zabbix-proxy-....key

      ZABBIX-SERVER
      Code:
      TLSConnect=cert
      TLSCAFile=/etc/pki/tls/certs/sectigo_ov_chain.pem
      TLSCertFile=/etc/pki/tls/certs/zabbix-server....pem
      TLSKeyFile=/etc/pki/tls/private/zabbix-server....key

      Comment

      • Hamardaban
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • May 2019
        • 2713

        #4
        Check that the user on whose behalf Zabbix is running has rights to read the certificate files.
        For the duration of the tests, comment out TLSServerCertIssuer and TLSServerCertSubject.
        Try connecting to the server using the openssl test utility: "openssl s_client -CApath /etc/pki/tls/certs/sectigo_ov_chain.pem -connect zserver:zport"

        Comment

        • Peter Welter
          Junior Member
          • Feb 2022
          • 4

          #5
          Hi Hamardaban

          Testing with openssl s_client hints at why Zabbix fails to connect, I guess.

          Both -CApath (without the CA filename) and -CAfile (with the CA filename, as suggested) returned the same error:

          Code:
          # openssl s_client -CApath /etc/pki/tls/certs/ -connect zabbix-server...:10051
          CONNECTED(00000003)
          depth=0 C = NL, ST = Zuid-Holland, O = Universiteit Leiden, CN = zabbix-server
          verify error:num=20:unable to get local issuer certificate
          verify return:1
          depth=0 C = NL, ST = Zuid-Holland, O = Universiteit Leiden, CN = zabbix-server
          verify error:num=21:unable to verify the first certificate
          verify return:1
          depth=0 C = NL, ST = Zuid-Holland, O = Universiteit Leiden, CN = zabbix-server
          verify return:1

          We have to fix this first, I guess, and I will come back to this next week. Thanks for the help!

          Comment

          • Peter Welter
            Junior Member
            • Feb 2022
            • 4

            #6

            After two more days of frustration with the documentation, videos, forum and the software error messages, we almost gave up on Zabbix. Implementing secure communication with certificates did not succeed in our case.

            Fortunately, within half an hour (!) we could enjoy encryption between all parts (Zabbix server, Zabbix proxy and clients) following https://www.zabbix.com/documentation...re_shared_keys; it just works as described!!!!

            Comment

            • Stefano A
              Junior Member
              • Feb 2023
              • 1

              #7
              Hi Peter. I agree with what you wrote: after one week of frustration, no way to implement secure communication between Zabbix server and proxy with certificates. I verified everything several times (server and proxy confs, firewall, certificates) and debugged the communication with all tools, but nothing. My error is the following:

              Code:
              cannot connect to proxy "proxyname": TCP successful, cannot establish TLS to [[proxyname.domain]:10051]: unable to get issuer certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c line 1883 func tls_post_process_server_certificate: error:0A000086:SSL routines::certificate verify failed: TLS write fatal alert "unknown CA"

              I don't know what else I can do.

              Now I'll try with pre-shared keys...

              Comment
