[ZBX-15191] Cert Encryption is not working Created: 2018 Nov 20  Updated: 2018 Nov 22  Resolved: 2018 Nov 20

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 4.0.1
Fix Version/s: None

Type: Incident report Priority: Minor
Reporter: asdfg Assignee: Unassigned
Resolution: Won't fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Debian 9, Zabbix Server & Agent 4.0.1



 Description   

 

Hello,

I tried to migrate my agents to encrypted connections. Here are the commands I used to generate the certificates:

openssl genrsa -aes256 -out zabbix_ca.key 4096
openssl req -x509 -new -key zabbix_ca.key -sha256 -days 3560 -out zabbix_ca.crt
openssl genrsa -out zabbix_server.key 2048
openssl req -new -key zabbix_server.key -out zabbix_server.csr
openssl x509 -req -in zabbix_server.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_server.crt -days 1460 -sha256
openssl genrsa -out zabbix_agent.key 2048
openssl req -new -key zabbix_agent.key -out zabbix_agent.csr
openssl x509 -req -in zabbix_agent.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_agent.crt -days 1460 -sha256

Then I tried to restart the Zabbix agent:

cannot load CA certificate(s) from file "/etc/zabbix/keys/zabbix_ca.crt": file ../crypto/bio/bss_file.c line 74: error:0200100D:system library:fopen:Permission denied: fopen('/etc/zabbix/keys/zabbix_ca.crt','r') file ../crypto/bio/bss_file.c line 83: error:2006D002:BIO routines:BIO_new_file:system lib file ../crypto/x509/by_file.c line 199: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Permissions seem to be right:

-r-x------ 1 zabbix zabbix 1923 nov 20 11:43 zabbix_ca.crt

Thank you in advance.



 Comments   
Comment by asdfg [ 2018 Nov 20 ]

openssl genrsa -aes256 -out zabbix_ca.key 4096
openssl req -x509 -new -key zabbix_ca.key -sha256 -days 3560 -out zabbix_ca.crt
openssl genrsa -out zabbix_server.key 2048
openssl req -new -key zabbix_server.key -out zabbix_server.csr
openssl x509 -req -in zabbix_server.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_server.crt -days 1460 -sha256
openssl genrsa -out zabbix_agent.key 2048
openssl req -new -key zabbix_agent.key -out zabbix_agent.csr
openssl x509 -req -in zabbix_agent.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_agent.crt -days 1460 -sha256

Comment by Andris Mednis [ 2018 Nov 20 ]

-r-x------ 1 zabbix zabbix 1923 nov 20 11:43 zabbix_ca.crt

is not quite right. Certificate file does not need to be executable.

-r-------- 1 zabbix zabbix 1923 nov 20 11:43 zabbix_ca.crt

would be sufficient.
You could check the permissions on the parent directories /etc/zabbix/ and /etc/zabbix/keys/ - are they accessible to the 'zabbix' user?

Comment by asdfg [ 2018 Nov 20 ]

Same...

 

/etc/zabbix/keys# ls -la
total 44
dr-------- 2 zabbix zabbix 4096 nov 20 13:23 .
drwxr-xr-x 6 root   root   4096 nov 20 13:43 ..
r------- 1 zabbix zabbix 1923 nov 20 12:04 zabbix-ca.crt
r------- 1 zabbix zabbix 3326 nov 20 12:03 zabbix-ca.key
r------- 1 zabbix zabbix   17 nov 20 12:04 zabbix-ca.srl
r------- 1 zabbix zabbix 1456 nov 20 12:04 zabbix-host1.crt
r------- 1 zabbix zabbix  956 nov 20 12:04 zabbix-host1.csr
r------- 1 zabbix zabbix 1679 nov 20 12:04 zabbix-host1.key
r------- 1 zabbix zabbix 1456 nov 20 12:04 zabbix-server.crt
r------- 1 zabbix zabbix  956 nov 20 12:04 zabbix-server.csr
r------- 1 zabbix zabbix 1679 nov 20 12:04 zabbix-server.key

Comment by Andris Mednis [ 2018 Nov 20 ]

You can try

chmod u+x /etc/zabbix/keys

Comment by asdfg [ 2018 Nov 20 ]

Working, thank you.
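
The fix in this thread works because opening a file needs the search (x) bit on every directory in its path, not just read permission on the file itself. The script below is an added example, not part of the ticket or of Zabbix: it walks a path and reports the first component whose mode bits deny access to a given user. The function names `has_bit` and `first_blocker` are hypothetical, and it assumes GNU stat and plain owner/group/other permissions only.

```shell
#!/bin/sh
# Added example (not from the ticket): find the path component that blocks a
# user from opening a file. Assumption: only classic owner/group/other mode
# bits are evaluated; ACLs, root's DAC override and SELinux/AppArmor are ignored.
# Uses GNU stat (-c), as shipped on Debian.

# has_bit MODE OWNER_UID OWNER_GID BIT UID GIDS   (BIT: 4 = read, 1 = search)
has_bit() {
    m=$((0$1))                       # stat prints the mode in octal
    if [ "$5" = "$2" ]; then
        cls=$(( (m >> 6) & 7 ))      # owner class applies, nothing else
    else
        cls=$(( m & 7 ))             # "other" unless one of the groups matches
        for g in $6; do
            if [ "$g" = "$3" ]; then cls=$(( (m >> 3) & 7 )); fi
        done
    fi
    [ $(( cls & $4 )) -ne 0 ]
}

# first_blocker FILE [USER]   (FILE must be absolute; USER defaults to caller)
# Prints "search-denied: DIR", "read-denied: FILE" or "ok".
first_blocker() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    uid=$(id -u ${2:+"$2"}) && gids=$(id -G ${2:+"$2"}) || return 2
    blocker=
    dir=$(dirname "$1")
    while :; do                      # walk up; keep the blocker nearest to /
        st=$(stat -L -c '%a %u %g' "$dir") || return 2
        has_bit $st 1 "$uid" "$gids" || blocker=$dir
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    # Report a directory problem first: the file cannot even be stat'ed
    # by an unprivileged caller while a parent directory lacks x.
    if [ -n "$blocker" ]; then echo "search-denied: $blocker"; return 1; fi
    st=$(stat -L -c '%a %u %g' "$1") || return 2
    has_bit $st 4 "$uid" "$gids" || { echo "read-denied: $1"; return 1; }
    echo ok
}
```

Run as root, `first_blocker /etc/zabbix/keys/zabbix_ca.crt zabbix` checks the path from the error message against the agent's user.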

Generated at Thu May 09 00:52:44 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.