Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-20677

Agent 2 web.certificate.get for windows doesn't require cert chain for the verification

    XMLWordPrintable

Details

    • Problem report
    • Status: Confirmed
    • Trivial
    • Resolution: Unresolved
    • 6.0.0
    • None
    • Agent2 plugin (N)
    • None
    • Zabbix Agent 2 6.0.0 on Debian 10

    Description

      The Agent 2 6.0.0 on Debian 10 returns a wrong validation result for one of our systems with very similar certificates:

      Steps to reproduce:

       # zabbix_get -s 127.0.0.1 -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1
      

      Result:

      6.0/not working
      {"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"{color:#FF0000}CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE{color}","not_before":\{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":\{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN={color:#FF0000}intranet.imbi.uni-heidelberg.de{color},OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"invalid","message":"{color:#FF0000}failed to verify certificate: x509: certificate signed by unknown{color} authority"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}
      

      Expected:

      Result of the certificate in question from an Agent 2 5.4.10 on Windows:

      5.4/working
      zabbix_get -s 129.206.*.* -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K2" --tls-psk-file k2
      {"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"{color:#FF0000}CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE{color}","not_before":\{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":\{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN={color:#FF0000}intranet.imbi.uni-heidelberg.de{color},OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"{color:#FF0000}certificate verified successfully{color}"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}
      

      Or result of a certificate from the same issuer:

      6.0/working/another certificate
      zabbix_get -s 127.0.0.1 -k web.certificate.get["box.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1
      {"x509":\{"version":3,"serial_number":"2584d2443c7454a7c5e2a2fb","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Oct 12 09:26:20 2021 GMT","timestamp":1634030780},"not_after":\{"value":"Nov 12 09:26:20 2022 GMT","timestamp":1668245180},"subject":"{color:#FF0000}CN=box.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE{color}","public_key_algorithm":"RSA","alternative_names":["box.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"{color:#FF0000}certificate verified successfully{color}"},"sha1_fingerprint":"fdeb66d92a8cd0d54227f58a16165d73debe0a91","sha256_fingerprint":"5101c4c20d92b69d8d0817c62d99c5c0344830d6f6a9b45787511660420e2182"}
      

      Attachments

        Activity

          People

            zabbix.dev Zabbix Development Team
            IMBI IMBI
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: