-
Problem report
-
Resolution: Unresolved
-
Trivial
-
None
-
6.0.0
-
None
-
Zabbix Agent 2 6.0.0 on Debian 10
The Agent 2 6.0.0 on Debian 10 returns a wrong validation result for one of our systems with very similar certificates:
Steps to reproduce:
# zabbix_get -s 127.0.0.1 -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1
Result:
6.0/not working
{"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"{color:#FF0000}CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE{color}","not_before":\{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":\{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN={color:#FF0000}intranet.imbi.uni-heidelberg.de{color},OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"invalid","message":"{color:#FF0000}failed to verify certificate: x509: certificate signed by unknown{color} authority"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}
Expected:
Result of the certificate in question from an Agent 2 5.4.10 on Windows:
5.4/working
zabbix_get -s 129.206.*.* -k web.certificate.get["intranet.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K2" --tls-psk-file k2
{"x509":{"version":3,"serial_number":"2502872c6de4037542f07ff8","signature_algorithm":"SHA256-RSA","issuer":"{color:#FF0000}CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE{color}","not_before":\{"value":"Jul 05 13:31:10 2021 GMT","timestamp":1625491870},"not_after":\{"value":"Aug 05 13:31:10 2022 GMT","timestamp":1659706270},"subject":"CN={color:#FF0000}intranet.imbi.uni-heidelberg.de{color},OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE","public_key_algorithm":"RSA","alternative_names":["intranet.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"{color:#FF0000}certificate verified successfully{color}"},"sha1_fingerprint":"5c3a4c5c4af72021df26c5a1b274f51073dbcb4d","sha256_fingerprint":"3431d96e48eae740e3510053bf253fa38328d0d94b453640e01163805532ef8d"}
Or result of a certificate from the same issuer:
6.0/working/another certificate
zabbix_get -s 127.0.0.1 -k web.certificate.get["box.imbi.uni-heidelberg.de"] --tls-connect psk --tls-psk-identity "K1" --tls-psk-file k1
{"x509":\{"version":3,"serial_number":"2584d2443c7454a7c5e2a2fb","signature_algorithm":"SHA256-RSA","issuer":"CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE","not_before":{"value":"Oct 12 09:26:20 2021 GMT","timestamp":1634030780},"not_after":\{"value":"Nov 12 09:26:20 2022 GMT","timestamp":1668245180},"subject":"{color:#FF0000}CN=box.imbi.uni-heidelberg.de,OU=Institut fuer Medizinische Biometrie,O=Ruprecht-Karls-Universitaet Heidelberg,L=Heidelberg,ST=Baden-Wuerttemberg,C=DE{color}","public_key_algorithm":"RSA","alternative_names":["box.imbi.uni-heidelberg.de"]},"result":{"value":"valid","message":"{color:#FF0000}certificate verified successfully{color}"},"sha1_fingerprint":"fdeb66d92a8cd0d54227f58a16165d73debe0a91","sha256_fingerprint":"5101c4c20d92b69d8d0817c62d99c5c0344830d6f6a9b45787511660420e2182"}
