- Incident report
- Resolution: Cannot Reproduce
- Trivial
- None
- 4.0.3
- None
Centos 7.6
openssl 1.0.2k-16
curl-7.29.0-51
libcurl-7.29.0-51
When trying to set up a web scenario with certificate authentication, some issues appear if:
The private key is encrypted: the web scenario returns: Problem with the local SSL certificate: Unable to load client key: Incorrect password
If we try a connection via the curl command, the result is a success:
-bash-4.2$ curl --cert ./certs/utd.pem:XXXXXXXXXX https://mysite/myPage -vv --key ./keys/utd.uncrypt
* About to connect() to XXXXXXXXXX port 443 (#0)
*   Trying 160.xx.xx.xx.xx...
* Connected to XXXXXXXXXX (160.xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate from file
*   subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
*   start date: Jun 29 08:42:25 2018 GMT
*   expire date: Jun 29 09:12:24 2020 GMT
*   common name: XXXXXXXXXX
*   issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
*   start date: Jun 29 08:42:25 2018 GMT
*   expire date: Jun 29 09:12:24 2020 GMT
*   common name: XXXXXXXXXX
*   issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /itsp/MyPage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: XXXXXXXXXX
> Accept: */*
>
< HTTP/1.1 200 200
Key headers:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5612B32DE29FD156
Trying to decrypt the key via this command:
openssl rsa -in utd.key -out utd.uncrypt
will produce this error: Problem with the local SSL certificate: Unable to load client key -8178
A direct test via curl is a success.
If another web scenario is running well with certificate authentication but without an encrypted key, it will produce the error: Problem with the local SSL certificate: Unable to load client key: Incorrect password if the proxy or server is launching only one HTTP poller process. Launching several HTTP pollers seems to correct the problem.
Concerning the server or proxy configuration, I have set the following options:
SSLCertLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/certs
SSLKeyLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/keys
These directories are owned by the zabbix user and accessible to the zabbix user.
Tested under 3.4.14 and 4.0.3 with the same OS, openssl and curl/libcurl packages.
All tests have been made without an HTTP proxy between the servers and resources.
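The report turns on one property of the key file: whether the PEM carries the legacy Proc-Type: 4,ENCRYPTED / DEK-Info headers (or is a PKCS#8 ENCRYPTED PRIVATE KEY), in which case libcurl needs a passphrase and the web scenario fails, versus a plaintext key such as the utd.uncrypt produced by openssl rsa. The following is an added example, not Zabbix, curl or OpenSSL code: a standard-library Python check that classifies every key under an SSLKeyLocation directory by its PEM headers before the file is assigned to a web scenario. The file names (utd.key, utd.uncrypt, pkcs8.key) and the PEM bodies are constructed samples; only the headers copy the report. It goes one step beyond the text by also showing how OpenSSL turns a passphrase and the DEK-Info IV into the 3DES key (EVP_BytesToKey with MD5); it does not decrypt anything, since the standard library has no DES, so the actual conversion still uses the openssl rsa command shown above.

```python
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (key length, IV length) for the legacy PEM ciphers OpenSSL names in DEK-Info.
_DEK_CIPHERS = {
    "DES-EDE3-CBC": (24, 8),
    "DES-CBC": (8, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)


@dataclass
class KeyInfo:
    label: str             # PEM label, e.g. "RSA PRIVATE KEY"
    encrypted: bool        # True if libcurl will need a passphrase
    cipher: Optional[str]  # DEK-Info cipher for legacy PEM, else None
    iv: Optional[bytes]    # DEK-Info IV for legacy PEM, else None
    reason: str            # one-line verdict for the operator


def classify_pem_key(text: str) -> KeyInfo:
    """Read only the PEM headers; the base64 body is never decoded."""
    m = _BEGIN.search(text)
    if not m or "PRIVATE KEY" not in m.group(1):
        return KeyInfo("", False, None, None, "not a PEM private key")
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 EncryptedPrivateKeyInfo
        return KeyInfo(label, True, None, None, "PKCS#8 encrypted key")
    # Legacy PEM encryption uses RFC 1421 headers between BEGIN and the body,
    # terminated by a blank line; a plaintext key starts its base64 at once.
    headers: Dict[str, str] = {}
    for line in text[m.end():].lstrip("\r\n").splitlines():
        line = line.strip()
        if not line or ":" not in line:
            break
        k, v = line.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher, iv_hex = headers["DEK-Info"].split(",", 1)
        return KeyInfo(label, True, cipher, bytes.fromhex(iv_hex),
                       "legacy PEM key encrypted with " + cipher)
    return KeyInfo(label, False, None, None, "plaintext key")


def legacy_pem_kdf(passphrase: bytes, cipher: str, iv: bytes) -> Tuple[bytes, bytes]:
    """EVP_BytesToKey as OpenSSL applies it to DEK-Info keys: MD5, one
    iteration, salt = first 8 bytes of the IV. Returns (cipher key, iv)."""
    key_len, iv_len = _DEK_CIPHERS[cipher]
    if len(iv) != iv_len:
        raise ValueError(f"{cipher} expects a {iv_len}-byte IV, got {len(iv)}")
    salt, derived, block = iv[:8], b"", b""
    while len(derived) < key_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len], iv


def scan_key_dir(path: str) -> Dict[str, KeyInfo]:
    """Classify every regular file in a key directory, sorted by name."""
    results: Dict[str, KeyInfo] = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="ascii", errors="replace") as fh:
                results[name] = classify_pem_key(fh.read())
    return results


# Constructed samples: the headers match the report, the bodies are filler.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5612B32DE29FD156

MIIEpAIBAAKCAQEAfillerfillerfillerfillerfillerfillerfiller0
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAfillerfillerfillerfillerfillerfillerfiller0
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApfillerfillerfillerfillerfiller0
-----END ENCRYPTED PRIVATE KEY-----
"""


def demo() -> Dict[str, bool]:
    """Write the samples into a throwaway SSLKeyLocation and scan it."""
    with tempfile.TemporaryDirectory() as keydir:
        for name, pem in (("utd.key", ENCRYPTED_KEY), ("utd.uncrypt", PLAIN_KEY),
                          ("pkcs8.key", PKCS8_ENCRYPTED_KEY)):
            with open(os.path.join(keydir, name), "w") as fh:
                fh.write(pem)
        return {n: info.encrypted for n, info in scan_key_dir(keydir).items()}


if __name__ == "__main__":
    for name, enc in demo().items():
        print(f"{name}: {'needs a passphrase, decrypt before use' if enc else 'ok'}")
```

Run it against the real SSLKeyLocation by calling scan_key_dir on that path; any file reported as encrypted is one the web scenario will reject with the "Unable to load client key" errors above. A key decrypted with openssl rsa is plaintext on disk, so keep it mode 0400 and owned by the zabbix user, as the report's directories already are.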