- Problem report
- Resolution: Unresolved
- Trivial
- Sprint 34, Sprint 35, Sprint 36, Sprint 37, Sprint 38, Sprint 39, Sprint 40, Sprint 41, Sprint 42, Sprint 43, Sprint 44, Sprint 45, Sprint 46, Nov 2018, Sprint 47, Dec 2018
- 0.5

When I install the zabbix-server and zabbix-web packages on the same host, I can get SSL certs and keys via the web frontend.

In the zabbix-server-4.0.0alpha6 package, `zabbix_server --help` shows the default locations as below.

```
Some configuration parameter default locations:
  AlertScriptsPath "/usr/share/zabbix/alertscripts"
  ExternalScripts "/usr/share/zabbix/externalscripts"
  SSLCertLocation "/usr/share/zabbix/ssl/certs"
  SSLKeyLocation "/usr/share/zabbix/ssl/keys"
  LoadModulePath "/usr/lib64/zabbix/modules"
```

The first 4 locations are in /usr/share/zabbix and exposed by zabbix-web. So I can read the files via a URL like http://zabbix.example.com/zabbix/ssl/keys/secret.key.

I know I can configure the locations in zabbix_server.conf, but it is safer to set the default values outside /usr/share/zabbix so that they are not exposed unintentionally. The default location of SSLCertLocation should be changed to something like "/etc/zabbix/ssl/certs", and likewise for the others.