Hello,
I am currently implementing a Zabbix 6.4 setup and am having issues with implementing SSL with our CA certs. Although I was able to get the implementation working with self-signed certificates it is not working when I am trying to use our CA certificates.
OS: Rocky Linux 9.2 (Blue Onyx). Web: Apache/2.4.57 (Rocky Linux)
I am seeing a variety of instructions online depending on Zabbix version and particular integration, so I was hoping to get more clarity to resolve the issues I’m having with using the CA cert for SSL integration. The end goal is getting it to work with SAML, but first I need to get the CA certs working rather than the self-signed ones.
First I installed the ssl_mod:
Package mod_ssl-1:2.4.57-5.el9.x86_64 is already installed.
I have validated this is installed correctly (see above).
Currently the self-signed cert solution is working, but the issue is that I need to use a more secure CA solution in order to move ahead. I am seeing many different takes on what files/paths need to be reconfigured and was hoping to get more clarity to assist with troubleshooting and getting the solution to work.
What files in particular need to be modified to complete this integration? What needs to be configured in those files? I am seeing examples where it is configured in Apache and examples where it is configured in Zabbix config files.
Where do you recommend the certificate files be located? Which path? I have loaded the certificate file (.cer) and certificate (.key) files to where Apache points, and it breaks web login.
What folder permissions are recommended in the location of the certificate files?
Here is my SSL config for Apache:
Listen 443 https
<VirtualHost _defualt_:443>
DocumentRoot "/usr/share/zabbix"
ServerName Actual_Server_Name
ErrorLog www/home/logs/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/name_of_cert.crt
SSLCertificateKeyFile /etc/ssl/private/name_of_key.key
</VirtualHost>
When I run my file and not the Apache self-signed one, I receive the following logs and I am not able to start the web service:
Mar 20 14:06:44 NETGRAPHSP01.net.wcupa.edu systemd[1]: Starting The Apache HTTP Server...
Mar 20 14:06:44 NETGRAPHSP01.net.wcupa.edu systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Mar 20 14:06:44 NETGRAPHSP01.net.wcupa.edu systemd[1]: httpd.service: Failed with result 'exit-code'.
Mar 20 14:06:44 NETGRAPHSP01.net.wcupa.edu systemd[1]: Failed to start The Apache HTTP Server.
[root@NETGRAPHSP01 private]# journalctl -xeu httpd.service
░░
░░ The unit httpd.service has entered the 'failed' state with result 'exit-code'.
Mar 20 13:58:05 NETGRAPHSP01.net.wcupa.edu systemd[1]: Failed to start The Apache HTTP Server.
░░ Subject: A start job for unit httpd.service has failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit httpd.service has finished with a failure.
░░
░░ The job identifier is 7612 and the job result is failed.
Mar 20 14:06:44 NETGRAPHSP01.net.wcupa.edu systemd[1]: Starting The Apache HTTP Server...
░░ Subject: A start job for unit httpd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
I appreciate any assistance in clarifying the above.
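A pre-flight check for the certificate and key that the VirtualHost block above points at, added here as an example and not part of the original post or of Apache or Zabbix. It reads the two `SSLCertificate*` paths from a config file, confirms both files are PEM, loads them as a pair with Python's `ssl` module, and flags a private key accessible to group or others; it assumes separate certificate and key files as in the post, and the function names are illustrative.

```python
import os
import re
import ssl
import stat
import sys

# Matches the two mod_ssl directives used in the VirtualHost above.
DIRECTIVE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?\s*$', re.I)

def tls_paths(conf_text):
    """Return {lower-cased directive: path} found in Apache config text."""
    return {m.group(1).lower(): m.group(2)
            for m in map(DIRECTIVE.match, conf_text.splitlines()) if m}

def pem_problems(path):
    """Report a file that is missing, unreadable, or not PEM-encoded."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError as exc:
        return [f"{path}: cannot read ({exc.strerror})"]
    if not head.lstrip().startswith(b"-----BEGIN "):
        return [f"{path}: not PEM-encoded (mod_ssl expects PEM, not binary DER)"]
    return []

def preflight(conf_text):
    """Return a list of problems with the cert/key pair a config points at."""
    paths = tls_paths(conf_text)
    cert = paths.get("sslcertificatefile")
    key = paths.get("sslcertificatekeyfile")
    if not (cert and key):  # assumption: separate cert and key files, as in the post
        return ["config does not name both a certificate file and a key file"]
    problems = pem_problems(cert) + pem_problems(key)
    if not problems:
        try:
            # Fails if the key does not belong to the certificate. The empty
            # password callback stops OpenSSL prompting for an encrypted key.
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(
                cert, key, password=lambda: "")
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"certificate and key do not load as a pair: {exc}")
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append(f"{key}: private key is accessible to group or others")
    return problems

if __name__ == "__main__":
    with open(sys.argv[1]) as conf:
        found = preflight(conf.read())
    print("\n".join(found) or "certificate and key load as a pair")
    sys.exit(1 if found else 0)
```

Run it as root with the path of the file that holds the VirtualHost block as the only argument; it exits non-zero when it finds a problem.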