- Change Request
- Resolution: Unresolved
- Trivial
- None
- 6.0.31, 7.0.0
- None
- Debian 12
Using SSLCALocation has poorly documented caveats. Motivated by https://support.zabbix.com/browse/ZBX-14386 .
Override the location of certificate authority (CA) files for SSL server certificate verification. If not set, system-wide directory will be used. Note that the value of this parameter will be set as libcurl option CURLOPT_CAPATH. For libcurl versions before 7.42.0, this only has effect if libcurl was compiled to use OpenSSL. For more information see cURL web page. This parameter is used in web monitoring and in SMTP authentication.
zabbix_server.conf says
```
### Option: SSLCALocation
#	Override the location of certificate authority (CA) files for SSL server certificate verification.
#	If not set, system-wide directory will be used.
#	This parameter is used in web monitoring, SMTP authentication, HTTP agent items and for communication with Vault.
#
# Mandatory: no
# Default:
# SSLCALocation=
```
Both are missing critical hints needed for getting this right:
- SSLCALocation must be a directory, easy to confuse with TLSCAFile. I suggest adding a validation that this is a valid, accessible directory and logging a warning if not.
- This directory must be prepared using the OpenSSL c_rehash utility. I suggest documenting this critical step in documentation and in example config file.
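The two checks requested above can be run by hand before setting SSLCALocation. This is an added example, not part of the original report and not Zabbix code; the function name `check_capath` and its return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# check_capath DIR  (hypothetical helper, not part of Zabbix or OpenSSL)
# Return codes chosen for this example:
#   0  directory contains at least one usable OpenSSL hash-named entry
#   1  path is missing or is not a directory (e.g. a PEM bundle such as TLSCAFile takes)
#   2  directory is not readable/searchable by the current user
#   3  no hash-named entries found: c_rehash has not been run on it
check_capath() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "SSLCALocation '$dir' is not a directory" >&2
        return 1
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "SSLCALocation '$dir' is not accessible to $(id -un)" >&2
        return 2
    fi
    for entry in "$dir"/*; do
        name=${entry##*/}
        case $name in
            # c_rehash names its links <8 hex digits>.<n>, e.g. 5ad8a5d6.0
            # (loose match: anything after the first digit is accepted)
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                # A dangling link fails -r, so it does not count as prepared.
                [ -r "$entry" ] && return 0 ;;
        esac
    done
    echo "SSLCALocation '$dir' has no hashed certificates; run: c_rehash '$dir'" >&2
    return 3
}

# Stand-alone use: sh check_capath.sh /path/to/ca-directory
# Run it as the user the Zabbix server runs as, so the access check is meaningful.
if [ "$#" -gt 0 ]; then
    check_capath "$1"
fi
```

The check only inspects file names and readability; it does not parse the certificates or confirm that each hash link matches its certificate's subject.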