Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20522

Windows CA Certificate error "unknown CA"

    XMLWordPrintable

Details

    • Problem report
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • None
    • None
    • Server (S)
    • None
    • Zabbix Server 5.4.6 on Red Hat Enterprise Linux 8.4 (Ootpa) OpenSSL 1.1.1g FIPS 21 Apr 2020

    Description

      Steps to reproduce:

      Currently Zabbix Server is working with no problems with self-sign certificate.
      I have been asked to change certificate from self-sign to CA Certificate.

      I have follow the instructions on the forum
      ( https://www.zabbix.com/forum/zabbix-help/383231-proxy-and-agent-encryption-cert-from-windows-ca)

      Steps taken for Certificate files creation:
      1. Open "Certificate Authority" --> Certificate Templates --> Manage --> Duplicate one template
      2. Open "Certificate Authority" --> Right click on the organization --> Properties --> General --> View Certificate --> Details --> Copy to File --> Export in DER format – > Save file as ca_cert.cer
      3. Copy the ca_cert.cer from the CA server to the working directory
      4. openssl x509 -inform der -in ca_cert.cer -out ca_cert.pem
      5. openssl req -new -newkey rsa:4096 -nodes -keyout client_csr.key -out client_csr.csr
      6. openssl req -new -newkey rsa:4096 -nodes -keyout server_csr.key -out server_csr.csr
      7. Go to Request a certificate on my CA's cert portal --> Submit a certificate request --> Paste in the client cert and select the template created before. Do the same for the server cert. Download the certs (not chain) and save to the working directory as client_cert.cer for the client and server_cert.cer for the Server.
      8. openssl x509 -inform der -in client_cert.cer -out client.crt
      9. openssl x509 -inform der -in server_cert.cer -out server.crt
      10. openssl x509 -text -noout -in ca_cert.pem | cat > zabbix_ca_file && cat ca_cert.pem >> zabbix_ca_file
      11. openssl x509 -text -noout -in client.crt | cat > zabbix_client.crt && cat client.crt >> zabbix_client.crt
      12. openssl x509 -text -noout -in server.crt | cat > zabbix_server.crt && cat server.crt >> zabbix_server.crt
      13. Copy zabbix_ca_file, zabbix_client.crt and client_csr.key to the Zabbix proxy. Place them under a directory like /etc/zabbix/certs
      14. Copy zabbix_ca_file, zabbix_server.crt and server_csr.key to the Zabbix server. Place them under a directory like /etc/zabbix/certs
      15. Update Proxy configuration files with TLS values:

      TLSConnect=cert
      TLSAccept=cert
      TLSCAFile=/etc/zabbix/certs/zabbix_ca_file
      TLSServerCertIssuer=CN=COMPANY,DC=DOMAIN,DC=com
      TLSServerCertSubject=CN=ZABBIX.DOMAIN.COM,OU=DEPARTMENT,O=COMPANY,L=CITY,ST=STATE,C=COUNTRYCODE
      TLSCertFile=/etc/zabbix/certs/zabbix_proxy.crt
      TLSKeyFile=/etc/zabbix/certs/zabbix_proxy.key
      

      16. Update Server configuration files with TLS values:

      TLSCAFile=/etc/zabbix/certs/zabbix_ca_file
      TLSCertFile=/etc/zabbix/certs/zabbix_server.crt
      TLSKeyFile=/etc/zabbix/certs/zabbix_server.key
      

      17. In the Zabbix UI, under the proxy encryption config, update the Issuer or Subject
      18. restart Zabbix Server And Zabbix Proxy services.

      ls - file - commands output:

      [[email protected]]# ls -l zabbix_ca_file
      -rwx------ 1 zabbix zabbix 5870 Jan 30 16:24 zabbix_ca_file
      
      [[email protected]]# ls -l zabbix_server.crt
      -rwx------ 1 zabbix zabbix 7704 Jan 30 16:24 zabbix_server.crt
      
      [[email protected]]# ls -l server_csr.key
      -rwx------ 1 zabbix zabbix 3272 Jan 30 16:25 server_csr.key
      
      [[email protected]]# file zabbix_ca_file
      zabbix_ca_file: ASCII text
      
      [[email protected]]# file zabbix_server.crt
      zabbix_server.crt: ASCII text, with CR, LF line terminators
      
      [[email protected]]# file server_csr.key
      server_csr.key: ASCII text
      

      Result:

      Checking /var/log/zabbix/zabbix_server.log:

      3866930:20220130:171905.062 cannot connect to proxy "HOSTNAME": TCP successful, cannot establish TLS to [[HOST-IP]:10051]: unable to get issuer certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ssl/statem/statem_clnt.c line 1915: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA"
      

      Checking /var/log/zabbix/zabbix_proxy.log:

      1589690:20220130:171908.611 failed to accept an incoming connection: from HOST-IP: TLS handshake set result code to 1: file ssl/record/rec_layer_s3.c line 1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48: TLS read fatal alert "unknown CA"
      

      Expected:
      See the connection successful.

      Attachments

        1. zabbix_ca_file-1.png
          zabbix_ca_file-1.png
          17 kB
        2. zabbix_ca_file-2.png
          zabbix_ca_file-2.png
          18 kB
        3. zabbix_ca_file-3.png
          zabbix_ca_file-3.png
          12 kB
        4. zabbix_client-1.png
          zabbix_client-1.png
          17 kB
        5. zabbix_client-2.png
          zabbix_client-2.png
          18 kB
        6. zabbix_client-3.png
          zabbix_client-3.png
          12 kB
        7. zabbix_server-1.png
          zabbix_server-1.png
          17 kB
        8. zabbix_server-2.png
          zabbix_server-2.png
          18 kB
        9. zabbix_server-3.png
          zabbix_server-3.png
          12 kB

        Activity

          People

            zalex_ua Oleksii Zagorskyi
            henp Hen Padeh
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: