  1. ZABBIX BUGS AND ISSUES
  2. ZBX-15597

Issue when trying to set up web scenario with certificate authentication and encrypted keys

    Details

    • Type: Incident report
    • Status: Elaborating
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: 4.0.3
    • Fix Version/s: None
    • Component/s: Proxy (P), Server (S)
    • Labels:
      None
    • Environment:
      Centos 7.6
      openssl 1.0.2k-16
      curl-7.29.0-51
      libcurl-7.29.0-51

      Description

      When trying to set up a web scenario with certificate authentication, some issues appear if:

      The private key is encrypted: the web scenario returns: Problem with the local SSL certificate: Unable to load client key: Incorrect password

      If we try a connection via the curl command, it succeeds:

      -bash-4.2$ curl --cert ./certs/utd.pem:XXXXXXXXXX https://mysite/myPage -vv --key ./keys/utd.uncrypt
       
      * About to connect() to XXXXXXXXXX t port 443 (#0)
      * Trying 160.xx.xx.xx.xx...
      * Connected to XXXXXXXXXX  (160.xx.xx.xx.xx) port 443 (#0)
      * Initializing NSS with certpath: sql:/etc/pki/nssdb
      * CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
      * NSS: client certificate from file
      * subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
      * start date: Jun 29 08:42:25 2018 GMT
      * expire date: Jun 29 09:12:24 2020 GMT
      * common name: XXXXXXXXXX 
      * issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
      * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      * Server certificate:
      * subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
      * start date: Jun 29 08:42:25 2018 GMT
      * expire date: Jun 29 09:12:24 2020 GMT
      * common name: XXXXXXXXXX 
      * issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
      > GET /itsp/MyPage HTTP/1.1
      > User-Agent: curl/7.29.0
      > Host: XXXXXXXXXX 
      > Accept: */*
      >
      < HTTP/1.1 200 200
       
      

      Key headers:

      ----BEGIN RSA PRIVATE KEY----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,5612B32DE29FD156

       

      Trying to decrypt the key via this command:

      openssl rsa -in utd.key -out utd.uncrypt

      results in this error: Problem with the local SSL certificate: Unable to load client key -8178

      A direct test via curl succeeds.

      If another web scenario is running well with certificate authentication but without an encrypted key, it will return the error: Problem with the local SSL certificate: Unable to load client key: Incorrect password if the proxy or server is launching only one HTTP poller process. Launching several HTTP pollers seems to correct the problem.

       

      Concerning the server or proxy configuration, I have set the following options:

      SSLCertLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/certs

      SSLKeyLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/keys

      These directories are owned by the zabbix user and accessible under the zabbix user.

       

      Tested under 3.4.14 and 4.0.3 with same OS, openssl and curl/libcurl packages

      All tests have been made without an HTTP proxy between servers and resources.
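
      A check that could be run over the directory configured as SSLKeyLocation to see which key files are passphrase-protected (the Proc-Type / DEK-Info headers shown above) and which decrypted copies, such as utd.uncrypt, are readable beyond their owner. This is an added example, not part of the original report or of Zabbix; the function names and the sample key text are constructed for illustration.

```python
import os
import re
import stat
import sys

BEGIN_RE = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*)PRIVATE KEY-----")
PROC_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.MULTILINE)
DEK_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),", re.MULTILINE)

# Constructed sample: header layout as in the report, placeholder body, no key material.
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\ncGxhY2Vob2xkZXI=\n"
                    "-----END RSA PRIVATE KEY-----\n")

def classify_pem_key(text):
    """Return (format, encrypted, cipher) for the first private key in text."""
    m = BEGIN_RE.search(text)
    if m is None:
        return ("no private key", False, None)
    label = m.group(1).strip()
    if label in ("", "ENCRYPTED"):  # PKCS#8: the cipher is inside the DER body
        return ("PKCS#8", label == "ENCRYPTED", None)
    # Traditional OpenSSL format announces encryption in RFC 1421 style headers.
    dek = DEK_RE.search(text)
    encrypted = PROC_RE.search(text) is not None
    return ("traditional " + label, encrypted, dek.group(1) if encrypted and dek else None)

def audit_key_dir(key_dir):
    """Classify each key file in key_dir; return sorted (name, format, note)."""
    rows = []
    for name in sorted(os.listdir(key_dir)):
        path = os.path.join(key_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            fmt, encrypted, cipher = classify_pem_key(fh.read())
        if fmt == "no private key":
            continue  # certificates and other files are not reported
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if encrypted:
            note = "encrypted (%s): passphrase required" % (cipher or "cipher in DER")
        elif mode & 0o077:
            note = "plaintext key readable by group/other (mode %o)" % mode
        else:
            note = "plaintext key, owner-only"
        rows.append((name, fmt, note))
    return rows

if __name__ == "__main__":  # pass the SSLKeyLocation directory as the first argument
    print(audit_key_dir(sys.argv[1]) if len(sys.argv) > 1 else classify_pem_key(SAMPLE_ENCRYPTED))
```
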


            People

            • Assignee:
              edgar.akhmetshin Edgar Akhmetshin
              Reporter:
              landry41 CHRETIEN Landry