Problem after setting certificates encryption.
  • drakeman
    Junior Member
    • Aug 2016
    • 6

    #1

    Problem after setting certificates encryption.

    Hello, I'm trying to set up certificate-based encryption on my Zabbix server. I did the following steps:
    1. Generate a .csr and .key file on the local server.
    2. Sign the certificates with my company Microsoft CA.
    3. Put the signed certificate, key file and CA ROOT certificate in the configuration file.

    I did these steps on the server, and then I set the same three certificates on the agent on the same server (because I have the agent installed on the server too).

    But the zabbix_agent log is sending me this information:

    End of zbx_tls_accept():FAIL error:'TLS connection has been closed during handshake: file s3_pkt.c line 1259: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"'
    28126:20160801:163140.752 failed to accept an incoming connection: from 127.0.0.1: TLS connection has been closed during handshake: file s3_pkt.c line 1259: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
    28124:20160801:163141.596 __zbx_zbx_setproctitle() title:'collector [processing data]'


    Does anyone have any idea about these errors?

    Regards!
  • andris
    Zabbix developer
    • Feb 2012
    • 228

    #2
    Hi!

    You can check what certificate is in the file pointed to by the TLSCAFile parameter in zabbix_agentd.conf.
    Is there one top-level (root) CA certificate? Does it have the same Issuer and Subject fields?
    Was your server certificate signed by that root CA?
    Or (most likely) by some intermediate CA? If this is your case then your certificate chain is Root CA -> Intermediate CA -> Server certificate. The Root CA goes into TLSCAFile, but the Intermediate CA and Server certificates go into TLSCertFile from zabbix_server.conf. Note the order in TLSCertFile: first is the Zabbix server certificate, followed by the intermediate CA certificate.

    https://www.zabbix.com/documentation..._zabbix_server explains it in detail.

    Andris


    • drakeman
      Junior Member
      • Aug 2016
      • 6

      #3
      Originally posted by andris
      Hi!

      You can check what certificate is in the file pointed to by the TLSCAFile parameter in zabbix_agentd.conf.
      Is there one top-level (root) CA certificate? Does it have the same Issuer and Subject fields?
      Was your server certificate signed by that root CA?
      Or (most likely) by some intermediate CA? If this is your case then your certificate chain is Root CA -> Intermediate CA -> Server certificate. The Root CA goes into TLSCAFile, but the Intermediate CA and Server certificates go into TLSCertFile from zabbix_server.conf. Note the order in TLSCertFile: first is the Zabbix server certificate, followed by the intermediate CA certificate.

      https://www.zabbix.com/documentation..._zabbix_server explains it in detail.

      Andris
      Thanks Andris, but my certs don't have the same format as the Zabbix guide; my certs only have the part:
      --begin certificate---
      aSTQWT$RAWEFASEFASGRTE$TQE$TQWERFase
      qw4tw4RW$RQWERQWERFQWEFWEFAESRQASDFASDF
      qasdFASDFQWEFEWFWEAFASEFASDFASDFASDFASD
      ---end certificate----

      That's the only information showing in all my certificates: root certificate, signed certificate, and the same goes if I include the intermediate certificate.

      Is there any way to create or join the certificates into one file?


      • drakeman
        Junior Member
        • Aug 2016
        • 6

        #4
        I pasted the certificate contents following the guide; now I'm getting this error:

        18834:20160802:092544.775 failed to accept an incoming connection: from 127.0.0.1: unsupported certificate purpose: TLS handshake returned error code 1: file s3_srvr.c line 3297: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned: TLS write fatal alert "unsupported certificate"

        I'm using certificates in .cer format, but the content can be viewed using cat zabbix_certificate.cer.

        Do I need to convert the certificate?

        Thanks


        • andris
          Zabbix developer
          • Feb 2012
          • 228

          #5
          Hi!

          The most interesting part of the error message seems to be "unsupported certificate purpose".

          One of the possible explanations:
          In https://www.zabbix.com/documentation...g_certificates there is a section "Limitations on using X.509 v3 certificate extensions"; look into the "Extended Key Usage extension" part. Check whether your certificate uses either the clientAuth (TLS WWW client authentication) or serverAuth (TLS WWW server authentication) extension. If one of them is used, the other must also be used in the certificate. Or neither of them.

          If this does not help, then maybe it is a good idea to try converting to PEM format.

          Andris


          • drakeman
            Junior Member
            • Aug 2016
            • 6

            #6
            Hello, thanks, I don't quite understand the answer, I keep getting the error:

            Code:
            End of zbx_tls_accept():FAIL error:'unsupported certificate purpose: TLS handshake returned error code 1: file s3_srvr.c line 3297: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned: TLS write fatal alert "unsupported certificate"'
              7110:20160802:165443.859 failed to accept an incoming connection: from 127.0.0.1: unsupported certificate purpose: TLS handshake returned error code 1: file s3_srvr.c line 3297: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned: TLS write fatal alert "unsupported certificate"
            The certificate is signed by my internal Microsoft CA. It's a web certificate, not a client or server certificate.

            I'm using the same set of certificates on the server, and on the same server I have the agent installed pointing to the same certificate files.

            Maybe something is wrong?

            Thanks


            • andris
              Zabbix developer
              • Feb 2012
              • 228

              #7
              The certificate is signed by my internal Microsoft CA. It's a web certificate, not a client or server certificate.
              "Is a web certificate" - does it mean "a certificate for a web-server"? If so, then I think the explanation can be this:
              • Zabbix server connects to the agent (for example, to get a processor load). Note that in this situation Zabbix server plays the role of TLS client, sending a request, and Zabbix agent plays the role of TLS server, accepting the request.
              • Zabbix agent shows its "web certificate" to Zabbix server, and so far all is good.
              • Zabbix agent also asks Zabbix server, who initiated the connection, to show its certificate.
              • Zabbix server sends its certificate, which is marked as "web certificate" - allowed to be used as a web server certificate but not valid as a _CLIENT_ certificate.
              • So, Zabbix agent drops the connection with "unsupported certificate purpose".


              Possible solution - either get a certificate marked for both server and client use or without any of those extensions set.
              Workaround: if possible, try to compile Zabbix with GnuTLS instead of OpenSSL. "GnuTLS issues a warning in case of key usage violation but allows communication to proceed."

              Andris

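As an added example (not from the thread and not Zabbix's own tooling), the POSIX shell script below reproduces both points Andris makes above using only the openssl command-line tool. It builds a throw-away Root CA -> Intermediate CA -> leaf chain, assembles a TLSCertFile in the order from post #2 (leaf first, then the intermediate, with only the root in TLSCAFile), and then runs openssl verify with -purpose sslclient and sslserver against three leaf certificates: one with EKU serverAuth only (the "web certificate" case from post #7), one with serverAuth and clientAuth, and one with no EKU at all (the "without any of those extensions" option). The serverAuth-only leaf is the one openssl rejects with "unsupported certificate purpose", the same wording as the agent log. All names, subjects and extension profiles are made up for the demo, and it writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not Zabbix's own tooling. Builds a throw-away Root -> Intermediate
# -> leaf PKI with the openssl CLI, assembles a Zabbix-style TLSCertFile in the
# order described in post #2 (leaf first, intermediate second) and shows with
# "openssl verify -purpose" why a serverAuth-only leaf is rejected as a TLS client.
# Every name and file here is made up for the demo.

WORK=$(mktemp -d)                 # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
DAYS=30

# Minimal openssl config: a DN section (overridden by -subj) plus the extension
# profiles used below. Not a production CA configuration.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[web_only]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
[web_and_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth, clientAuth
[no_eku]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# issue_leaf NAME EXT_SECTION: key + CSR for NAME, signed by the intermediate CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$1" -config "$WORK/pki.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days "$DAYS" \
        -extfile "$WORK/pki.cnf" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
}

make_demo_pki() {
    # self-signed root: this is what belongs in TLSCAFile
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days "$DAYS" \
        -config "$WORK/pki.cnf" -extensions ca_ext 2>/dev/null
    # intermediate signed by the root
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" \
        -config "$WORK/pki.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days "$DAYS" \
        -extfile "$WORK/pki.cnf" -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
    issue_leaf zabbix-web-only web_only        # what a "web server" template yields
    issue_leaf zabbix-both web_and_client      # usable on both ends of a Zabbix link
    issue_leaf zabbix-no-eku no_eku            # no EKU at all: also accepted
}

# build_tls_cert_file LEAF OUT: TLSCertFile layout from post #2, leaf first
build_tls_cert_file() {
    cat "$WORK/$1.pem" "$WORK/inter.pem" > "$2"
}

# first_subject FILE: subject of the first certificate in a PEM bundle
# (openssl x509 reads only the first block), handy for checking the order
first_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# chain_ok LEAF: leaf chains to the root when the intermediate is supplied
chain_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_ok_without_intermediate LEAF: the post #1 situation, only the root known
chain_ok_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# purpose_ok PURPOSE LEAF: sslclient / sslserver check, the same EKU test the
# peer applies to the certificate it is shown during the handshake
purpose_ok() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -purpose "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

make_demo_pki
build_tls_cert_file zabbix-both "$WORK/TLSCertFile.pem"
echo "first cert in TLSCertFile: $(first_subject "$WORK/TLSCertFile.pem")"
for leaf in zabbix-web-only zabbix-both zabbix-no-eku; do
    for p in sslserver sslclient; do
        if purpose_ok "$p" "$leaf"; then r=accepted; else r=rejected; fi
        echo "$leaf as $p: $r"
    done
done
```

Running it prints the subject of the first certificate in the assembled bundle (it should be the leaf, never the intermediate) and then the accept/reject matrix; only zabbix-web-only as sslclient is rejected, which is the combination the Zabbix server hits when the agent asks it for a client certificate.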

              • ajr
                Junior Member
                • Feb 2017
                • 1

                #8
                Originally posted by andris
                "Is a web certificate" - does it mean "a certificate for a web-server"? If so, then I think the explanation can be this:
                • Zabbix server connects to the agent (for example, to get a processor load). Note that in this situation Zabbix server plays the role of TLS client, sending a request, and Zabbix agent plays the role of TLS server, accepting the request.
                • Zabbix agent shows its "web certificate" to Zabbix server, and so far all is good.
                • Zabbix agent also asks Zabbix server, who initiated the connection, to show its certificate.
                • Zabbix server sends its certificate, which is marked as "web certificate" - allowed to be used as a web server certificate but not valid as a _CLIENT_ certificate.
                • So, Zabbix agent drops the connection with "unsupported certificate purpose".


                Possible solution - either get a certificate marked for both server and client use or without any of those extensions set.
                Workaround: if possible, try to compile Zabbix with GnuTLS instead of OpenSSL. "GnuTLS issues a warning in case of key usage violation but allows communication to proceed."

                Andris
                I'm just starting with Zabbix 3.2 on FreeBSD and agentd logs 'unsupported certificate purpose:' while trying to enable cert authentication.

                My cert looks so:

                X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: critical
                TLS Web Server Authentication

                If I omit the 'TLS Web Server Authentication' attribute on both server and client certs, should it work?

                Thanks, ajr
