[ZBX-15133] Certificate-based encryption: signed certificate reported as self-signed Created: 2018 Nov 06  Updated: 2024 Apr 10  Resolved: 2018 Nov 07

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G), Proxy (P), Server (S)
Affects Version/s: 4.0.1
Fix Version/s: None

Type: Problem report Priority: Minor
Reporter: Nico van Elteren Assignee: Andris Mednis
Resolution: Won't fix Votes: 0
Labels: encryption, server
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: ARM or x86-64 based Linux environment

Team: Team A

Description

Steps to reproduce

Compile the latest stable zabbix with openssl support on 

We configured TLS certificate-based encryption consulting the manuals. Generated a CA certificate, a server certificate, and a client certificate. All three are RSA-based certificates (as the blog indicated that the initial encryption implementation does not support ECC). We used a 4096-bit key for the CA, and 2048-bit keys for the client and server. 

Openssl certificates were generated with:

cd /home/zabbix/.ssl
openssl genrsa -out ca.key 4096
openssl req -x509 -new -sha256 -nodes -key ca.key -days 1095 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -nodes -out server.csr 
openssl x509 -req -sha256 -days 1095 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
chown zabbix.zabbix *

The client certificate was created identically to the server certificate. The server and CA cert have identical Issuer/Subject strings, but the client cert has a different value for the CN field. 

The server was configured (in the database or web client) to accept only TLS connections and send only TLS connections to a test zabbix proxy. The same was done for the test proxy in its config file.

Result:

The client keeps trying and failing to establish a TLS handshake. The message appears very strange: 

8052:20181106:114804.883 Unable to connect to the server [HOSTNAME]:10051 [TCP successful, cannot establish TLS to [[HOSTNAME]:10051]: self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c line 1230: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed: TLS write fatal alert "unknown CA"]

The interesting thing to note: 'self signed certificate'. Yet our cert is signed by an (admittedly custom) CA. 

openssl verify -verbose -CAfile ca.crt client.crt

Produces an 'OK' result. 

Our symptoms appear very similar to https://support.zabbix.com/browse/ZBX-14386?attachmentOrder=desc. Unfortunately this user did not indicate what their configuration problem was or how they solved it, so it's still an unknown to everyone else. 

There's no useful information in the manual, or anywhere else on the internet for that matter, to be found about this particular exact type of certificate issue though. 

Expected:
The error message is rather cryptic. We expect some useful pointer, but this indicates nothing but 'something is wrong', as clearly 'unknown CA' is a bogus message: there is a CA. Perhaps Zabbix fails to load our ca.crt file, which begs the question: are there additional requirements beyond just generating a basic certificate? The manual pages are certainly no help; they don't indicate clearly at all which kinds/types of certificates are required.

While randomly trying things has changed the error message a few times, here we are at a point where there's a huge search space of setting combinations and poor error communication. The proverbial needle in the haystack problem. 

This by the way is true of any number of certificate issues. The messages are cryptic, unclear, and altogether mislead you around the true problem. It would be so much nicer if zabbix could at least verify various basic things that can be wrong: Examples:

1) Supported/unsupported algorithms (e.g. the ECC issue). 
2) Whether it can find the specified cert and key files. 
3) Whether the zabbix user can read the specified cert and key files.
4) Whether the cert and key files are of a supported format. 

As of right now, there are too many different ways this can go wrong, and poor error reporting, which makes debugging any TLS problems very hard. (Part of the problem is admittedly openssl itself and the proliferation of hundreds of standards that just do the same thing slightly differently.)

Comments
Comment by Andris Mednis [ 2018 Nov 06 ]

Thanks for precise problem description!

The server and CA cert have identical Issuer/Subject strings, but the client cert has a different value for the CN field.

Here is the problem. For a CA it is ok to have Issuer == Subject. For a server certificate signed by the CA, it is not ok!!! No wonder the server certificate is dismissed as self-signed. You can fix the problem by generating a new server certificate (even reusing the same server.key) with Issuer != Subject (just change the CN). The proxy certificate is ok as it has Issuer != Subject.
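The script below is an added example, not code from the ticket or from the Zabbix project. It reproduces the situation from the description and the diagnosis in the comment above: it builds a throw-away PKI with the same openssl recipe (RSA keys, sha256, CSR signed by a local CA), deliberately issues one leaf certificate with the CA's own CN (so Issuer == Subject) and one with a distinct CN, and runs the pre-flight checks the reporter asked Zabbix for (files readable by the current user, files parse as PEM, private key matches the certificate, Issuer != Subject) before `openssl verify`. The host names `zabbixca.example` and `zabbix-server.example` and the helpers `sign_leaf`, `make_pki`, `dn_subject`, `dn_issuer`, `preflight` and `chain_ok` are constructed for this example; it needs only the openssl CLI and a POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the ticket or the Zabbix project.
# Builds a throw-away PKI with the ticket's openssl recipe, issues one leaf
# with the CA's own CN (Issuer == Subject) and one with a distinct CN, and
# runs pre-flight checks before chain verification. Requires the openssl CLI.
# Host names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign_leaf <file-prefix> <CN>: CSR plus signature by the CA, as in the
# ticket (RSA key, sha256, no extension file).
sign_leaf() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -nodes -key "$WORK/$1.key" -subj "/CN=$2" \
        -out "$WORK/$1.csr"
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt"
}

make_pki() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -nodes -key "$WORK/ca.key" -days 30 \
        -subj "/CN=zabbixca.example" -out "$WORK/ca.crt"
    sign_leaf bad  zabbixca.example       # same CN as the CA: Issuer == Subject
    sign_leaf good zabbix-server.example  # distinct CN: Issuer != Subject
}

# Distinguished names in the reversed, comma-separated order that the
# TLSServerCertIssuer / TLSServerCertSubject placeholders in the ticket describe.
dn_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
dn_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# preflight <cert> <key>: the checks the reporter wanted before any handshake.
# Returns 0 when all pass, 1 with a plain-language reason otherwise.
preflight() {
    cert=$1 key=$2
    [ -r "$cert" ] || { echo "$cert: not readable by $(id -un)"; return 1; }
    [ -r "$key" ]  || { echo "$key: not readable by $(id -un)";  return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "$cert: not a PEM X.509 certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null  || { echo "$key: not a PEM private key"; return 1; }
    # The private key must belong to the certificate: compare the public keys.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    kpub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cpub" = "$kpub" ] || { echo "$key: does not match $cert"; return 1; }
    # The mistake from the ticket: a CA-signed leaf whose Subject equals its
    # Issuer is indistinguishable from a self-signed certificate by name alone.
    if [ "$(dn_subject "$cert")" = "$(dn_issuer "$cert")" ]; then
        echo "$cert: Issuer == Subject ($(dn_subject "$cert")); OpenSSL may treat it as self-signed"
        return 1
    fi
    return 0
}

# chain_ok <cert>: the verification the peer performs during the handshake,
# against the configured CA file.
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

make_pki
for name in bad good; do
    echo "== $name.crt  subject=$(dn_subject "$WORK/$name.crt")  issuer=$(dn_issuer "$WORK/$name.crt")"
    if preflight "$WORK/$name.crt" "$WORK/$name.key"; then echo "preflight: OK"; fi
    if chain_ok "$WORK/$name.crt"; then echo "openssl verify: OK"; else echo "openssl verify: FAILED"; fi
done
```

Run it as `sh preflight-demo.sh`. The name check is the reliable guard; whether `openssl verify` also rejects the Issuer == Subject leaf depends on the OpenSSL build: 1.1.x, as in the ticket, signs with `x509 -req` without an authorityKeyIdentifier and then classifies the leaf as self-signed (the 'self signed certificate' error and the 'unknown CA' alert in the log line), while OpenSSL 3.x adds an AKID by default when signing, which lets the chain build despite the matching names.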

Comment by Andris Mednis [ 2018 Nov 06 ]

As for cryptic error messages: Zabbix does not try to interpret OpenSSL error messages and rephrase them into "user-friendly" ones. We capture as much low-level information as possible, to find the precise root cause faster, even by looking into the OpenSSL source code if necessary.

Comment by Nico van Elteren [ 2018 Nov 06 ]

I've tried the suggested procedure by changing the CN for the 'ca' certificate (so the server cert keeps its matching domain name) from 'zabbix.hostname.com' to 'zabbixca.hostname.com', so now issuer != subject for both the client and server certificates.

The exact same error message keeps showing up.  

As to config file changes from default to enable TLS, as instructed in the manual, it's been done like so:

# Client (proxy) config delta:
TLSConnect = cert
TLSAccept = cert
TLSCAFile = /etc/zabbix/.ssl/ca.crt
TLSServerCertIssuer = <Reversed ca.crt OpenSSL subject string, except email>
TLSServerCertSubject = <Reversed server.crt OpenSSL subject string, except email>
TLSCertFile = /etc/zabbix/.ssl/client.crt
TLSKeyFile = /etc/zabbix/.ssl/client.key

# Server config delta:
TLSCAFile = /home/zabbix/.ssl/ca.crt
TLSCertFile = /home/zabbix/.ssl/server.crt
TLSKeyFile = /home/zabbix/.ssl/server.key


Comment by Andris Mednis [ 2018 Nov 06 ]

So, the CA certificate was changed. Did you use the new CA certificate for signing the server and proxy certificate requests, and replace the server and proxy certificates with the new ones? If not, then the server and proxy certificates are still signed with the old CA, and again it is an "unknown CA" situation.

Comment by Andris Mednis [ 2018 Nov 06 ]

Added to the troubleshooting page for 3.0, 3.4, 4.0, 4.2.

Comment by Andris Mednis [ 2018 Nov 07 ]

Closing for now. It does not look like a bug in Zabbix. Feel free to reopen and/or comment.
