ZBX-17604

Zabbix TLS "unknown CA" with connections agent-active cert signed by intermediate CA


    • Type: Problem report
    • Resolution: Unresolved
    • Priority: Trivial
    • None
    • 4.4.7
    • None
    • Docker

      All the details of issue reproduction are explained in the issue reproducer I made for this issue: github.com/jadbaz/zabbix-tls-unknown-ca-issue-reproducer

      I've put a lot of effort into making this MCVE because I think this is a non-trivial issue and that this will speed up debugging.

      Check out the instructions in the repo and run with "--inter" and without
      Result

      Agent:

      active check configuration update from [zabbix-server:10051] started to fail (TCP successful, cannot establish TLS to [[zabbix-server]:10051]: invalid CA certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/statem/statem_clnt.c line 1913: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA")

      Server:

      failed to accept an incoming connection: from <IP>: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1543: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"

      Expected

      Expected for the agent to connect to the server without any errors.

      Issue description
      I have an agent connected to a zabbix server with 1 active check. This agent is configured to use encryption for "connections from host".

      In the "root CA" mode, I am doing the following:

      • Generating a root CA key and self-signed cert
      • Generating a server key
      • Creating a server CSR
      • Signing the CSR by the root CA
      • Generating an agent key
      • Creating an agent CSR
      • Signing the CSR by the root CA

      For cert files

      • In Zabbix CA file, I include
        • root CA cert
      • In zabbix_server.crt I include in order
        • server cert
        • root CA cert
      • In zabbix_server.crt I include in order
        • agent cert
        • root CA cert

      In the "intermediate CA" mode, I am doing the following (bold parts are different or added):

      • Generating a root CA key and self-signed cert
      • Creating an intermediate CA key
      • Creating an intermediate CA CSR
      • Signing the CSR by the root CA
      • Generating a server key
      • Creating a server CSR
      • Signing the CSR by the intermediate CA
      • Generating an agent key
      • Creating an agent CSR
      • Signing the CSR by the intermediate CA

      For cert files

      • In Zabbix CA file, I include
        • root CA cert
        • intermediate CA cert
      • In zabbix_server.crt I include in order
        • server cert
        • intermediate CA cert
        • root CA cert
      • In zabbix_server.crt I include in order
        • agent cert
        • intermediate CA cert
        • root CA cert

      Moreover, I am attaching both "/var/lib/zabbix/enc" directories when using root only and when using intermediate CA (they are mounted by agent and server).
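An added check, not part of the report or of the reproducer repository: it builds the same root -> intermediate -> agent chain with the openssl command-line tool and runs openssl verify against the three CA-file layouts worth comparing (root only with no chain, root only with the chain the peer would send, and root plus intermediate in the CA file as the report describes). File names and the small config are chosen here; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: reproduce the chain from the report with openssl and test
# which CA-file contents let agent.crt verify. Names are chosen here.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config: one section for CAs, one for the leaf certificate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
# Root CA: self-signed, CA:TRUE
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config ca.cnf -extensions v3_ca \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt
# Intermediate CA: CSR signed by the root, also CA:TRUE
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr
openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -out inter.crt
# Agent certificate: CSR signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=zabbix-agent" -keyout agent.key -out agent.csr
openssl x509 -req -days 1 -in agent.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_leaf -out agent.crt
# Files laid out like the report: CA file with both CAs; agent chain in order
cat root.crt inter.crt > ca_root_and_inter.pem
cat agent.crt inter.crt root.crt > zabbix_agent_chain.pem
# verify_agent CAFILE [UNTRUSTED]: exit 0 when agent.crt chains to a cert in
# CAFILE; UNTRUSTED plays the role of the chain the TLS peer sends.
verify_agent() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" agent.crt
  else
    openssl verify -CAfile "$1" agent.crt
  fi
}
echo "root only, no chain sent:";       verify_agent root.crt || true   # fails: issuer not found
echo "root only, chain sent by peer:";  verify_agent root.crt zabbix_agent_chain.pem
echo "root + intermediate in CA file:"; verify_agent ca_root_and_inter.pem
```

Running this before filing a report separates a broken chain (the first case fails at the openssl level too) from a Zabbix-specific problem (the last two cases pass under openssl verify).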

            Assignee: rvaliahmetovs (Renats Valiahmetovs, Inactive)
            Reporter: jad123 (Jad)