Type: Problem report
Resolution: Unresolved
Priority: Trivial
Affects Version/s: 6.0.45rc1, 7.0.24rc1, 7.4.8rc1, 8.0.0alpha2
Component/s: Server (S)
Support backlog
Hello,
In Zabbix's documentation there is this statement:
DBTLSConnect
Setting this option to the following values enforces to use a TLS connection to the database:
required - connect using TLS
verify_ca - connect using TLS and verify certificate
verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost matches its certificate
With MySQL, starting from 5.7.11, and PostgreSQL the following values are supported: required, verify_ca, verify_full.
With MariaDB, starting from version 10.2.6, the required and verify_full values are supported.
By default not set to any option and the behavior depends on database configuration.
As well as:
DBTLSCAFile
The full pathname of a file containing the top-level CA(s) certificates for database certificate verification.
Mandatory: no (yes, if DBTLSConnect set to verify_ca or verify_full)
But if, for example, our admin sets the Server config file to:
# selfsigned certs, created with CFSSL
DBTLSConnect=required
DBTLSCertFile=/etc/zabbix/ssl/postgres.pem
DBTLSKeyFile=/etc/zabbix/ssl/postgres-key.pem
during restart of service, Zabbix Server will not start, and this message would be logged:
Feb 10 08:16:13 appliance zabbix_server[24569]: zabbix_server [24569]: ERROR: parameter "DBTLSKeyFile" or "DBTLSCertFile" is defined, but "DBTLSKeyFile", "DBTLSCertFile" or "DBTLSCAFile" is not defined
Feb 10 08:16:13 appliance systemd[1]: Failed to start Zabbix Server.
What am I missing?
Happens with both MySQL 8.0/8.4 and PostgreSQL 17, Zabbix 7.0/7.4.
To reproduce:
1. prepare self-signed certificates, for example with use of https://github.com/cloudflare/cfssl
2. edit config file, set DBTLSConnect=required, and set correct paths to cert and cert key (zabbix user needs to have access to them)
3. try to start/restart zabbix-server
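
A pre-flight check for the DBTLS* parameters, added here as an example (not code from the report or from Zabbix). It applies the documented DBTLSCAFile rule and, as an assumption inferred only from the logged error text above, the rule that setting a client certificate or key requires all three files; the function names are hypothetical.

```python
TLS_KEYS = ("DBTLSConnect", "DBTLSCAFile", "DBTLSCertFile", "DBTLSKeyFile")
VERIFY_MODES = ("verify_ca", "verify_full")
CLIENT_KEYS = ("DBTLSCertFile", "DBTLSKeyFile")


def parse_conf(text):
    """Return the DBTLS* parameters set in zabbix_server.conf-style text."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep and key.strip() in TLS_KEYS and value.strip():
            params[key.strip()] = value.strip()
    return params


def check_db_tls(params):
    """List the problems found, per the docs and the logged error text."""
    problems = []
    mode = params.get("DBTLSConnect")
    if mode is not None and mode not in ("required",) + VERIFY_MODES:
        problems.append(f"DBTLSConnect={mode} is not a documented value")
    # Documented rule: DBTLSCAFile is mandatory for verify_ca / verify_full.
    if mode in VERIFY_MODES and "DBTLSCAFile" not in params:
        problems.append(f"DBTLSConnect={mode} requires DBTLSCAFile")
    # Assumption taken from the error message in this report: once a client
    # certificate or key is set, cert, key and CA file must all be set.
    client = [k for k in CLIENT_KEYS if k in params]
    if client:
        missing = [k for k in CLIENT_KEYS + ("DBTLSCAFile",) if k not in params]
        if missing:
            problems.append(f"{' and '.join(client)} set, but missing: "
                            + ", ".join(missing))
    return problems


# Constructed sample: the configuration quoted in this report.
REPORTED = """\
# selfsigned certs, created with CFSSL
DBTLSConnect=required
DBTLSCertFile=/etc/zabbix/ssl/postgres.pem
DBTLSKeyFile=/etc/zabbix/ssl/postgres-key.pem
"""

if __name__ == "__main__":
    for problem in check_db_tls(parse_conf(REPORTED)):
        print("config problem:", problem)
```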