DBTLSConnect set to "required" needs DBTLSCAFile

    • Type: Problem report
    • Resolution: Unresolved
    • Priority: Trivial
    • None
    • Affects Version/s: 6.0.45rc1, 7.0.24rc1, 7.4.8rc1, 8.0.0alpha2
    • Component/s: Server (S)
    • None
    • Support backlog

      Hello,

      In Zabbix's documentation there is this statement:

      DBTLSConnect
      Setting this option to the following values enforces to use a TLS connection to the database:
      required - connect using TLS
      verify_ca - connect using TLS and verify certificate
      verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost matches its certificate

      With MySQL, starting from 5.7.11, and PostgreSQL the following values are supported: required, verify_ca, verify_full.
      With MariaDB, starting from version 10.2.6, the required and verify_full values are supported.
      By default not set to any option and the behavior depends on database configuration.

      As well as:

      DBTLSCAFile
      The full pathname of a file containing the top-level CA(s) certificates for database certificate verification.

      Mandatory: no (yes, if DBTLSConnect set to verify_ca or verify_full)

      But if, for example, our admin sets the Server config file to:

      # selfsigned certs, created with CFSSL
      DBTLSConnect=required
      DBTLSCertFile=/etc/zabbix/ssl/postgres.pem
      DBTLSKeyFile=/etc/zabbix/ssl/postgres-key.pem

      during restart of the service, Zabbix Server will not start, and this message will be logged:

      Feb 10 08:16:13 appliance zabbix_server[24569]: zabbix_server [24569]: ERROR: parameter "DBTLSKeyFile" or "DBTLSCertFile" is defined, but "DBTLSKeyFile", "DBTLSCertFile" or "DBTLSCAFile" is not defined
      Feb 10 08:16:13 appliance systemd[1]: Failed to start Zabbix Server.

      What am I missing?
      This happens with both MySQL 8.0/8.4 and PostgreSQL 17, on Zabbix 7.0/7.4.

      To reproduce:

      1. Prepare self-signed certificates, for example using https://github.com/cloudflare/cfssl
      2. Edit the config file, set DBTLSConnect=required, and set correct paths to the cert and cert key (the zabbix user needs to have access to them)
      3. Try to start/restart zabbix-server

            Assignee: Zabbix Development Team
            Reporter: Tomasz Grzechulski
            Votes: 0
            Watchers: 2
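As an added illustration (not part of this report and not Zabbix's own code), a small pre-flight checker that parses the DBTLS* parameters from zabbix_server.conf-style text and applies two rules side by side: the rule as documented (DBTLSCAFile mandatory only for verify_ca/verify_full) and the stricter rule implied by the logged error (if a cert or key file is set, key, cert and CA file must all be set). The second rule is an assumption inferred from the error message above, not from Zabbix source; the sample config is constructed to match the one in the report.

```python
# The TLS-related server parameters discussed in the report.
TLS_KEYS = ("DBTLSConnect", "DBTLSCAFile", "DBTLSCertFile", "DBTLSKeyFile")
VERIFY_MODES = ("verify_ca", "verify_full")


def parse_conf(text):
    """Parse Key=Value lines of a zabbix_server.conf-style file; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_documented(params):
    """Rule as written in the documentation: CA file is mandatory only for verify_ca/verify_full."""
    errors = []
    mode = params.get("DBTLSConnect")
    if mode not in (None, "required", "verify_ca", "verify_full"):
        errors.append(f'DBTLSConnect has unsupported value "{mode}"')
    if mode in VERIFY_MODES and "DBTLSCAFile" not in params:
        errors.append(f"DBTLSConnect={mode} requires DBTLSCAFile")
    return errors


def check_observed(params):
    """Stricter rule implied by the logged error (assumption inferred from the report):
    if DBTLSCertFile or DBTLSKeyFile is set, key, cert and CA file must all be set."""
    errors = check_documented(params)
    if "DBTLSCertFile" in params or "DBTLSKeyFile" in params:
        missing = [k for k in ("DBTLSKeyFile", "DBTLSCertFile", "DBTLSCAFile") if k not in params]
        if missing:
            errors.append("DBTLSKeyFile or DBTLSCertFile is defined, but missing: " + ", ".join(missing))
    return errors


# Constructed sample matching the configuration quoted in the report.
SAMPLE_CONF = """\
# selfsigned certs, created with CFSSL
DBTLSConnect=required
DBTLSCertFile=/etc/zabbix/ssl/postgres.pem
DBTLSKeyFile=/etc/zabbix/ssl/postgres-key.pem
"""

if __name__ == "__main__":
    p = parse_conf(SAMPLE_CONF)
    print("documented rule:", check_documented(p) or "OK")
    print("observed rule:  ", check_observed(p) or "OK")
```

Running it against the sample prints "OK" for the documented rule and a missing-DBTLSCAFile error for the observed rule, which is exactly the discrepancy this report describes.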