Zabbix 6.0: Serverlog flooded with GnuTLS messages

  • sesom42
    Junior Member
    • Feb 2017
    • 2

    #1

    Zabbix 6.0: Serverlog flooded with GnuTLS messages

    Hello!

    After upgrading to Zabbix version 6.0 my zabbix server log is flooded with messages like this:

    2244448:20240712:125758.026 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244451:20240712:125759.021 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244442:20240712:125800.136 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244434:20240712:125804.155 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244432:20240712:125818.489 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244449:20240712:125819.511 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244459:20240712:125828.734 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244462:20240712:125853.125 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244446:20240712:125858.221 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244439:20240712:125859.245 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244444:20240712:125900.252 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244454:20240712:125904.330 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244462:20240712:125918.584 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244448:20240712:125919.621 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244448:20240712:125928.798 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244454:20240712:125953.219 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244451:20240712:125958.372 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244441:20240712:125959.385 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244444:20240712:130000.405 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."
    2244460:20240712:130004.473 GnuTLS audit: "There was a non-CA certificate in the trusted list: CN=<zabbix-server fqdn>."


    What generates this message? And which host generates this message? The server otherwise works normally. How can I fix this?

    Thx in advance.
  • Answer selected by sesom42 at 12-07-2024, 15:44.

    • Markku
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
      • Sep 2018
      • 1781

      #2
      My guess is that someone has installed the self-signed Zabbix frontend TLS certificate in the local root CA store somehow, and since the certificate does not have the "CA property" (whatever it officially is called) set, the TLS library (GnuTLS in this case) emits a debug log message about the error.

      If that is the case, then the corrective action will be to remove the said TLS certificate from the root CA store.

      What is your server OS?

      Markku

      • sesom42
        Junior Member
        • Feb 2017
        • 2

        #3
        Thank you very much! With your hint I found a self-signed certificate in /etc/ssl/certs (the OS is Debian 12) and removed it. This must date back to the time before I switched to a real certificate. That fixed the error.

        Jens
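
Added example, not part of the thread: a standard-library Python check that lists certificates in a trust directory that lack the X.509 basicConstraints CA flag, which is what the "CA property" in post #2 is assumed to refer to. The function names are illustrative, and the default path /etc/ssl/certs is the one named in post #3.

```python
import base64, re, sys
from pathlib import Path

BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19 (id-ce-basicConstraints)
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlvs(buf):
    """Yield (tag, value) for each top-level DER element in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def is_ca(der):
    """True only if the certificate has basicConstraints with cA = TRUE."""
    (_, cert), = tlvs(der)
    tbs = next(tlvs(cert))[1]
    for tag, value in tlvs(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions; absent in X.509 v1 certificates
            continue
        (_, extensions), = tlvs(value)
        for _, ext in tlvs(extensions):
            fields = list(tlvs(ext))  # extnID, optional critical flag, extnValue
            if fields[0] == (0x06, BASIC_CONSTRAINTS):
                (_, constraints), = tlvs(fields[-1][1])
                return next(tlvs(constraints), None) == (0x01, b"\xff")
    return False

def non_ca_certs(trust_dir):
    """Return (path, index in file) for each non-CA or unparseable certificate."""
    hits = []
    for path in sorted({p.resolve() for p in Path(trust_dir).iterdir() if p.is_file()}):
        for idx, match in enumerate(PEM_RE.finditer(path.read_bytes())):
            try:
                ok = is_ca(base64.b64decode(match.group(1)))
            except (ValueError, IndexError, StopIteration):
                ok = False  # malformed DER or base64 is reported too
            if not ok:
                hits.append((str(path), idx))
    return hits

if __name__ == "__main__":
    for hit in non_ca_certs(sys.argv[1] if sys.argv[1:] else "/etc/ssl/certs"):
        print("not marked as a CA: %s (certificate #%d in that file)" % hit)
```

Paths are resolved before scanning, so a certificate reachable through several symlinks in the directory is reported once, under its real location.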