  1. ZABBIX FEATURE REQUESTS
  2. ZBXNEXT-5324

Allow to reload TLS parameters without restart of proxy/server daemon


    • Change Request
    • Resolution: Unresolved
    • Minor
    • None
    • 4.0.10, 4.2.4
    • Proxy (P), Server (S)
    • None

      Hello,

      Please allow reloading TLS related parameters without zabbix_server or zabbix_proxy daemon restart. The related settings are:

      ####### TLS-RELATED PARAMETERS #######
      
      ### Option: TLSCAFile
      # Full pathname of a file containing the top-level CA(s) certificates for
      # peer certificate verification.
      #
      # Mandatory: no
      # Default:
      # TLSCAFile=
      
      ### Option: TLSCRLFile
      # Full pathname of a file containing revoked certificates.
      #
      # Mandatory: no
      # Default:
      # TLSCRLFile=
      
      ### Option: TLSCertFile
      # Full pathname of a file containing the server certificate or certificate chain.
      #
      # Mandatory: no
      # Default:
      # TLSCertFile=
      
      ### Option: TLSKeyFile
      # Full pathname of a file containing the server private key.
      #
      # Mandatory: no
      # Default:
      # TLSKeyFile=

      In a real-life situation, the paths (inside zabbix_proxy.conf) of the CA file, cert file and key file will remain untouched.

      The idea is for the live daemon to pick up the new cert file and new key file using the same path. No extra re-read from zabbix_server.conf or zabbix_proxy.conf. Only the content of the crt, key and CA files is now different.

      Before the certificate gets reloaded into the running backend daemon, it must validate itself using the CA file.

      The way I imagine this is by typing:

      zabbix_proxy -R tls_reload

      Regards,

            wiper Andris Zeila
            aigars.kadikis Aigars Kadikis
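
The validation step the request describes (check the new certificate against the CA file before it goes live) can already be run by hand against the replaced files before the daemon is restarted. The following is an added example, not part of the original issue or of Zabbix itself; the function name `tls_precheck` is hypothetical, and it assumes the `openssl` CLI, PEM-encoded files and an unencrypted private key.

```shell
#!/bin/sh
# Added example: sanity-check the files behind TLSCAFile, TLSCertFile and
# TLSKeyFile after their content was replaced in place.
# Paths are passed as arguments; zabbix_proxy.conf is not read.

# tls_precheck CAFILE CERTFILE KEYFILE
# Returns 0 only if the certificate chains to the CA file and the private key
# belongs to the certificate; 2 if a file is unreadable; 1 otherwise.
tls_precheck() {
    ca=$1 cert=$2 key=$3

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done

    # 1. The certificate must verify against the CA file. TLSCertFile may hold
    #    a chain, so the same file is also offered as untrusted intermediates.
    openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against CA file" >&2; return 1; }

    # 2. The private key must match the certificate: compare the public key
    #    embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }

    return 0
}

# Typical use (paths are placeholders):
#   tls_precheck /path/to/ca.crt /path/to/proxy.crt /path/to/proxy.key \
#       && echo "TLS files are consistent"
```

A failed check leaves the running daemon on its old, still-loaded certificate, which is the behaviour the request asks a built-in reload to guarantee.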