ZABBIX BUGS AND ISSUES / ZBX-14343

The default locations of SSL certs and keys can be read via zabbix-web

    • Type: Problem report
    • Resolution: Unresolved
    • Priority: Trivial
    • Component: Packages (C)
    • Sprint: Sprint 34, Sprint 35, Sprint 36, Sprint 37, Sprint 38, Sprint 39, Sprint 40, Sprint 41, Sprint 42, Sprint 43, Sprint 44, Sprint 45, Sprint 46, Nov 2018, Sprint 47, Dec 2018
    • 0.5

      When I install the zabbix-server and zabbix-web packages on the same host, I can get SSL certs and keys via the web frontend.

      In the zabbix-server-4.0.0alpha6 package, `zabbix_server --help` shows the default locations as below.

      Some configuration parameter default locations:
        AlertScriptsPath               "/usr/share/zabbix/alertscripts"
        ExternalScripts                "/usr/share/zabbix/externalscripts"
        SSLCertLocation                "/usr/share/zabbix/ssl/certs"
        SSLKeyLocation                 "/usr/share/zabbix/ssl/keys"
        LoadModulePath                 "/usr/lib64/zabbix/modules"
      

      The first 4 locations are in /usr/share/zabbix and exposed by zabbix-web, so I can read the files via a URL like http://zabbix.example.com/zabbix/ssl/keys/secret.key.

      I know I can configure the locations in zabbix_server.conf, but it is safer to set the default values outside /usr/share/zabbix so that they are not exposed unintentionally. The default location of SSLCertLocation should be changed to something like "/etc/zabbix/ssl/certs", and so should the others.

            Assignee: Unassigned
            Reporter: Kento Takahashi (kento.takahashi)
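
A check for the exposure described in this report, as an added example that is not part of the original issue or Zabbix's own code: it reads the default locations from `zabbix_server --help` output, applies any `Parameter=value` overrides from zabbix_server.conf, and returns the locations that still resolve under the web root. The sample config text and all function names are constructed for illustration; the web root /usr/share/zabbix is taken from the report.

```python
import posixpath
import re

# Default locations as quoted in the report (zabbix-server-4.0.0alpha6).
HELP_TEXT = '''\
Some configuration parameter default locations:
  AlertScriptsPath               "/usr/share/zabbix/alertscripts"
  ExternalScripts                "/usr/share/zabbix/externalscripts"
  SSLCertLocation                "/usr/share/zabbix/ssl/certs"
  SSLKeyLocation                 "/usr/share/zabbix/ssl/keys"
  LoadModulePath                 "/usr/lib64/zabbix/modules"
'''

# Constructed sample zabbix_server.conf: only the key directory is relocated.
CONF_TEXT = "# SSLCertLocation=/etc/zabbix/ssl/certs\nSSLKeyLocation=/etc/zabbix/ssl/keys\n"

WEB_ROOT = "/usr/share/zabbix"  # directory served by zabbix-web, per the report


def parse_defaults(help_text):
    """Return {parameter: path} from the 'default locations' help lines."""
    return dict(re.findall(r'^[ \t]*(\w+)[ \t]+"([^"]+)"[ \t]*$', help_text, re.M))


def parse_conf(conf_text):
    """Return {parameter: value} for uncommented Parameter=value lines."""
    return dict(re.findall(r'^[ \t]*(\w+)[ \t]*=[ \t]*(\S.*?)[ \t]*$', conf_text, re.M))


def inside(path, root):
    """True if path is root or below it (lexical check, symlinks not resolved)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def exposed_locations(help_text, conf_text, web_root=WEB_ROOT):
    """Effective locations (conf overrides defaults) that sit under web_root."""
    effective = parse_defaults(help_text)
    overrides = parse_conf(conf_text)
    effective.update({k: v for k, v in overrides.items() if k in effective})
    return {k: v for k, v in sorted(effective.items()) if inside(v, web_root)}


if __name__ == "__main__":
    for name, path in exposed_locations(HELP_TEXT, CONF_TEXT).items():
        print(f"{name}: {path} is under {WEB_ROOT}")
```

On a real host, feed it the actual `zabbix_server --help` output and the contents of zabbix_server.conf; the comparison is purely lexical, so a symlink from the web root to another directory is not detected.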