Problem report
Resolution: Unresolved
Trivial
6.0.34rc1, 7.0.4rc1, 7.2.0alpha1
Prev.Sprint, S24-W44/45, S24-W46/47
2
Steps to reproduce:
- Set up agent 2 to accept both PSK and cert encrypted connections (config example below);
- Also enable cert issuer or cert subject validation;
- Try to connect to agent 2 with PSK encryption.
Result:
The connection always fails. It tries to validate a certificate that does not exist.
Agent 2 log shows error:
2024/09/19 10:46:24.816361 failed to process an incoming connection from 127.0.0.1: cannot obtain peer certificate
Expected:
On agent 1, both PSK and certs work in the above scenario.
More info:
Config example (this is the complete agent 2 config I used when I found this):
LogFile=/tmp/zabbix_agent2.log
Server=127.0.0.1
TLSConnect=cert
TLSAccept=psk,cert
TLSCAFile=/home/zabbix/cert/ca/ca-self-signed-cert.pem
TLSServerCertIssuer=CN=My CA authority
TLSServerCertSubject=CN=your.server.domain
TLSCertFile=/home/zabbix/cert/agent/agent-cert.pem
TLSKeyFile=/home/zabbix/cert/agent/agent-private-key.pem
TLSPSKIdentity=PSK 001
TLSPSKFile=/home/zabbix/cert/psk/agent.psk
If you comment out both of these, PSK works fine:
Corresponding server conf (7.0) (it even has the certs set up for cert authentication):
TLSCAFile=/home/zabbix/cert/ca/ca-self-signed-cert.pem
TLSCertFile=/home/zabbix/cert/server/server-cert.pem
TLSKeyFile=/home/zabbix/cert/server/server-private-key.pem
LogFile=/tmp/zabbix_server.log
DBName=7.0
DBUser=zabbix
DBPassword=zabbix
DBPassword=zabbix
StartJavaPollers=1
StartJavaPollers=10
Timeout=4
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
EnableGlobalScripts=0
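
An added example, not part of the original report and not Zabbix's own code: a Python check that flags an agent 2 configuration matching the combination in the steps to reproduce (TLSAccept listing both psk and cert while TLSServerCertIssuer or TLSServerCertSubject is set). The function names and the sample config are constructed for illustration, and keeping the last value of a repeated key is an assumption.

```python
# Added example: flags the agent 2 setting combination from the report above.
# SAMPLE_CONF is constructed; it reuses the TLS lines quoted in the report.
SAMPLE_CONF = """\
LogFile=/tmp/zabbix_agent2.log
Server=127.0.0.1
TLSConnect=cert
TLSAccept=psk,cert
TLSServerCertIssuer=CN=My CA authority
TLSServerCertSubject=CN=your.server.domain
TLSPSKIdentity=PSK 001
"""

CERT_CHECKS = ("TLSServerCertIssuer", "TLSServerCertSubject")


def parse_conf(text):
    """Parse 'Key=Value' lines, skipping blank lines and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: when a key is repeated, the last value is kept.
        params[key.strip()] = value.strip()
    return params


def cert_checks_with_psk(text):
    """Return the issuer/subject parameters that are set while TLSAccept
    lists both psk and cert; an empty list means no match with the report."""
    params = parse_conf(text)
    accepted = {m.strip() for m in params.get("TLSAccept", "").split(",")}
    if not {"psk", "cert"} <= accepted:
        return []
    return [k for k in CERT_CHECKS if params.get(k)]


if __name__ == "__main__":
    hits = cert_checks_with_psk(SAMPLE_CONF)
    if hits:
        print("PSK connections may be rejected; set:", ", ".join(hits))
    else:
        print("configuration does not match the reported combination")
```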