[ZBX-15597] Issue when trying to setup webscenario with certificate authentication and encrypted keys Created: 2019 Feb 05 Updated: 2019 Jul 22 Resolved: 2019 Jul 22 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Proxy (P), Server (S) |
Affects Version/s: | 4.0.3 |
Fix Version/s: | None |
Type: | Incident report | Priority: | Trivial |
Reporter: | CHRETIEN Landry | Assignee: | Edgar Akhmetshin |
Resolution: | Cannot Reproduce | Votes: | 1 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Centos 7.6 |
Attachments: | Capture-1.PNG Capture.PNG |
Description |
When trying to set up a webscenario with certificate authentication, some issues appear if:
The private key is encrypted:
The webscenario returns:
Problem with the local SSL certificate: Unable to load client key: Incorrect password
If we try a connection via the curl command, the result is a success:
-bash-4.2$ curl --cert ./certs/utd.pem:XXXXXXXXXX https://mysite/myPage -vv --key ./keys/utd.uncrypt
* About to connect() to XXXXXXXXXX t port 443 (#0)
* Trying 160.xx.xx.xx.xx...
* Connected to XXXXXXXXXX (160.xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS: client certificate from file
* subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: Jun 29 08:42:25 2018 GMT
* expire date: Jun 29 09:12:24 2020 GMT
* common name: XXXXXXXXXX
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: Jun 29 08:42:25 2018 GMT
* expire date: Jun 29 09:12:24 2020 GMT
* common name: XXXXXXXXXX
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /itsp/MyPage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: XXXXXXXXXX
> Accept: */*
>
< HTTP/1.1 200 200
Key headers : ----
Trying to decrypt the key via this command:
openssl rsa -in utd.key -out utd.uncrypt
will provide this error:
Problem with the local SSL certificate: Unable to load client key -8178
A direct test via curl is a success.
If another webscenario is running well with certificate authentication but without an encrypted key, it will give the error:
Problem with the local SSL certificate: Unable to load client key: Incorrect password
if the proxy or server is launching only one http poller process. Launching several http pollers seems to correct the problem.
Concerning the server or proxy configuration, I have set the following options:
SSLCertLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/certs
SSLKeyLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/keys
These directories are owned by the zabbix user and accessible under zabbix users.
Tested under 3.4.14 and 4.0.3 with same OS, openssl and curl/libcurl packages. All tests have been made without http proxy between servers and resources |
Comments |
Comment by Arturs Lontons [ 2019 Feb 06 ] |
Hi, Please increase the http_poller log level to 5, perform the web scenario check and provide the zabbix_server.log with the corresponding entries. You can increase the log level either by running the command
zabbix_server -R log_level_increase="http poller"
Or by increasing the debug level in the zabbix-server.conf file and restarting the server: DebugLevel=5 |
Comment by CHRETIEN Landry [ 2019 Feb 06 ] |
1st webscenario that needs the password to decrypt the key:
11719:20190206:131626.301 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
11719:20190206:131626.301 In substitute_simple_macros() data:'Zabbix'
11719:20190206:131626.301 In substitute_simple_macros() data:'utd.pem'
11719:20190206:131626.302 In substitute_simple_macros() data:'utd.key'
11719:20190206:131626.302 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
11719:20190206:131626.302 In http_process_variables() 0 variables
11719:20190206:131626.302 End of http_process_variables():SUCCEED
11719:20190206:131626.302 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
11719:20190206:131626.302 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
11719:20190206:131626.303 In substitute_simple_macros() data:'1m'
11719:20190206:131626.303 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
11719:20190206:131626.303 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
11719:20190206:131626.303 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
11719:20190206:131626.303 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
11719:20190206:131626.303 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
11719:20190206:131626.303 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
11719:20190206:131626.304 In substitute_simple_macros() data:'15s'
11719:20190206:131626.304 In substitute_simple_macros() data:EMPTY
11719:20190206:131626.304 In substitute_simple_macros() data:'200'
11719:20190206:131626.304 process_httptest() use step "GET /itsp/watchservicePage"
11719:20190206:131626.304 process_httptest() use post ""
11719:20190206:131626.304 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
11719:20190206:131627.352 query without transaction detected
11719:20190206:131627.352 query [txnlev:0] [update httptest set nextcheck=1549455447 where httptestid=1]
11719:20190206:131627.365 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX.as8677.net" on host "XXXXXXXX.as8677.net": Problem with the local SSL certificate: Unable to load client key: Incorrect password
11719:20190206:131627.365 In process_test_data()
11719:20190206:131627.365 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
11719:20190206:131627.366 In zbx_preprocess_item_value()
11719:20190206:131627.366 End of zbx_preprocess_item_value()
11719:20190206:131627.366 In zbx_preprocess_item_value()
11719:20190206:131627.366 End of zbx_preprocess_item_value()
11719:20190206:131627.366 In zbx_preprocess_item_value()
11719:20190206:131627.367 End of zbx_preprocess_item_value()
11719:20190206:131627.367 End of process_test_data()
11719:20190206:131627.367 In zbx_ipc_socket_write()
11719:20190206:131627.367 End of zbx_ipc_socket_write():SUCCEED
11719:20190206:131627.367 End of process_httptest()
2nd webscenario that doesn't need any password :
Note that this webscenario was perfectly working when the 1st one is disabled or if I set the password field empty and server configured with only 1 http poller.
11719:20190206:131627.367 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
11719:20190206:131627.368 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
11719:20190206:131627.368 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
11719:20190206:131627.368 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
11719:20190206:131627.368 In substitute_simple_macros() data:EMPTY
11719:20190206:131627.368 In http_process_variables() 0 variables
11719:20190206:131627.368 End of http_process_variables():SUCCEED
11719:20190206:131627.368 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
11719:20190206:131627.368 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
11719:20190206:131627.370 In substitute_simple_macros() data:'1m'
11719:20190206:131627.370 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
11719:20190206:131627.370 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
11719:20190206:131627.370 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:131627.370 End substitute_simple_macros() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:131627.371 In http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:131627.371 End of http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:131627.371 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
11719:20190206:131627.373 In substitute_simple_macros() data:'15s'
11719:20190206:131627.373 In substitute_simple_macros() data:EMPTY
11719:20190206:131627.373 In substitute_simple_macros() data:EMPTY
11719:20190206:131627.373 process_httptest() use step "surveillanceAW"
11719:20190206:131627.373 process_httptest() use post ""
11719:20190206:131627.374 process_httptest() go to URL "https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
11719:20190206:131627.433 query without transaction detected
11719:20190206:131627.434 query [txnlev:0] [update httptest set nextcheck=1549455447 where httptestid=3]
11719:20190206:131627.442 cannot process step "surveillanceAW" of web scenario "psp-gateway-authorisationws-ws" on host "XXXXXXXX.worldline.com": Problem with the local SSL certificate: Unable to load client key: Incorrect password
Log showing a success of the 2nd webscenario when the 1st is disabled:
11719:20190206:130825.117 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
11719:20190206:130825.117 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
11719:20190206:130825.117 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
11719:20190206:130825.117 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
11719:20190206:130825.117 In substitute_simple_macros() data:EMPTY
11719:20190206:130825.117 In http_process_variables() 0 variables
11719:20190206:130825.117 End of http_process_variables():SUCCEED
11719:20190206:130825.117 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
11719:20190206:130825.117 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
11719:20190206:130825.118 In substitute_simple_macros() data:'1m'
11719:20190206:130825.118 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
11719:20190206:130825.118 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
11719:20190206:130825.118 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:130825.118 End substitute_simple_macros() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:130825.118 In http_substitute_variables() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:130825.118 End of http_substitute_variables() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
11719:20190206:130825.118 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
11719:20190206:130825.118 In substitute_simple_macros() data:'15s'
11719:20190206:130825.118 In substitute_simple_macros() data:EMPTY
11719:20190206:130825.118 In substitute_simple_macros() data:EMPTY
11719:20190206:130825.118 process_httptest() use step "surveillanceAW"
11719:20190206:130825.118 process_httptest() use post ""
11719:20190206:130825.118 process_httptest() go to URL "https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
11719:20190206:130825.351 process_httptest() page.data from https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp:' 06/02/19 13:08 : _surveillanceOK_'
11719:20190206:130825.351 In http_process_variables() 0 variables
11719:20190206:130825.351 End of http_process_variables():SUCCEED
11719:20190206:130825.351 In http_process_variables() 0 variables
11719:20190206:130825.351 End of http_process_variables():SUCCEED
11719:20190206:130825.352 In process_step_data() rspcode:200 time:0.232812 speed:167.000000
Sorry, I had to hide some sensitive data in the present logs
|
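Added example, not part of the ticket or of Zabbix: a triage script for debug-level http poller logs in the format quoted above. It groups web scenario runs by poller PID and flags a client-key load failure that directly follows a run with a different key file in the same process, which is the single-poller pattern the reporter describes. The sample log is constructed and its scenario, host and path names are placeholders.

```python
import re

# One record = "PID:YYYYMMDD:HHMMSS.mmm message". The lookahead lets the parser
# split records even when an export has collapsed the log onto one long line.
RECORD = re.compile(
    r"(\d+):(\d{8}):(\d{6}\.\d{3}) (.*?)(?=\s+\d+:\d{8}:\d{6}\.\d{3} |\s*\Z)",
    re.S,
)
START = re.compile(r"In process_httptest\(\) httptestid:(\d+) name:'(.*)'")
KEY = re.compile(r"using SSL private key file: '(.*)'")
FAIL = re.compile(
    r'cannot process step ".*?" of web scenario ".*?" on host ".*?": (.*)', re.S
)
OK = re.compile(r"In process_step_data\(\) rspcode:(\d+)")

# Constructed sample in the format of the ticket's logs (placeholder names).
SAMPLE_LOG = """\
100:20190206:131626.302 In process_httptest() httptestid:1 name:'scenario-encrypted-key'
100:20190206:131626.303 using SSL private key file: '/keys/encrypted.key'
100:20190206:131627.365 cannot process step "step1" of web scenario "scenario-encrypted-key" on host "a.example": Problem with the local SSL certificate: Unable to load client key: Incorrect password
100:20190206:131627.367 End of process_httptest()
100:20190206:131627.368 In process_httptest() httptestid:3 name:'scenario-plain-key'
100:20190206:131627.370 using SSL private key file: '/keys/plain.key'
100:20190206:131627.442 cannot process step "step1" of web scenario "scenario-plain-key" on host "b.example": Problem with the local SSL certificate: Unable to load client key: Incorrect password
200:20190206:133346.277 In process_httptest() httptestid:3 name:'scenario-plain-key'
200:20190206:133346.278 using SSL private key file: '/keys/plain.key'
200:20190206:133346.502 In process_step_data() rspcode:200 time:0.220936 speed:176.000000
"""


def parse_runs(text):
    """Return one dict per web scenario run, in log order."""
    runs, current = [], {}          # current: pid -> run still being logged
    for pid, day, clock, msg in RECORD.findall(text):
        m = START.search(msg)
        if m:
            run = {"pid": pid, "time": f"{day}:{clock}",
                   "httptestid": int(m.group(1)), "name": m.group(2),
                   "key_file": None, "outcome": "unknown", "detail": ""}
            current[pid] = run
            runs.append(run)
            continue
        run = current.get(pid)
        if run is None:
            continue                # record outside any scenario run
        if (m := KEY.search(msg)):
            run["key_file"] = m.group(1)
        elif (m := FAIL.search(msg)):
            run["outcome"], run["detail"] = "failed", m.group(1).strip()
        elif (m := OK.search(msg)) and run["outcome"] == "unknown":
            run["outcome"], run["detail"] = "ok", f"rspcode {m.group(1)}"
        elif msg.startswith("End of process_httptest()"):
            current.pop(pid, None)
    return runs


def key_state_suspects(runs):
    """Pairs (previous, failed): a poller failed to load a client key right
    after handling a scenario that used a different key file."""
    last, suspects = {}, []
    for run in runs:
        prev = last.get(run["pid"])
        if (prev is not None and run["outcome"] == "failed"
                and "Unable to load client key" in run["detail"]
                and prev["key_file"] != run["key_file"]):
            suspects.append((prev, run))
        last[run["pid"]] = run
    return suspects


if __name__ == "__main__":
    parsed = parse_runs(SAMPLE_LOG)
    for run in parsed:
        print(run["pid"], run["httptestid"], run["key_file"],
              run["outcome"], run["detail"])
    for prev, cur in key_state_suspects(parsed):
        print(f"poller {cur['pid']}: scenario {cur['httptestid']} failed "
              f"after scenario {prev['httptestid']} ({prev['key_file']})")
```

A flagged pair is a lead for comparison with a run of the same scenario in another poller process, not proof of a cause.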
Comment by CHRETIEN Landry [ 2019 Feb 06 ] |
Following logs are if more than one http poller is defined and for the same webscenario : (SSL error seems different)
13040:20190206:133345.097 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
13040:20190206:133345.098 In substitute_simple_macros() data:'Zabbix'
13040:20190206:133345.098 In substitute_simple_macros() data:'utd.pem'
13040:20190206:133345.098 In substitute_simple_macros() data:'utd.key'
13040:20190206:133345.099 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
13040:20190206:133345.099 In http_process_variables() 0 variables
13040:20190206:133345.099 End of http_process_variables():SUCCEED
13040:20190206:133345.099 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
13040:20190206:133345.099 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
13040:20190206:133345.100 In substitute_simple_macros() data:'1m'
13040:20190206:133345.100 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
13040:20190206:133345.100 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
13040:20190206:133345.100 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13040:20190206:133345.100 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13040:20190206:133345.100 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13040:20190206:133345.100 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
13040:20190206:133345.101 In substitute_simple_macros() data:'15s'
13040:20190206:133345.101 In substitute_simple_macros() data:EMPTY
13040:20190206:133345.101 In substitute_simple_macros() data:'200'
13040:20190206:133345.101 process_httptest() use step "GET /itsp/watchservicePage"
13040:20190206:133345.101 process_httptest() use post ""
13040:20190206:133345.101 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
13040:20190206:133345.262 query without transaction detected
13040:20190206:133345.262 query [txnlev:0] [update httptest set nextcheck=1549456485 where httptestid=1]
13040:20190206:133345.268 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX" on host "XXXXXXXX.as8677.net": SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
13040:20190206:133345.268 In process_test_data()
13040:20190206:133345.268 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
13040:20190206:133345.269 In zbx_preprocess_item_value()
13040:20190206:133345.269 End of zbx_preprocess_item_value()
13040:20190206:133345.269 In zbx_preprocess_item_value()
13040:20190206:133345.269 End of zbx_preprocess_item_value()
13040:20190206:133345.269 In zbx_preprocess_item_value()
13040:20190206:133345.270 End of zbx_preprocess_item_value()
13040:20190206:133345.270 End of process_test_data()
13040:20190206:133345.270 In zbx_ipc_socket_write()
13040:20190206:133345.270 End of zbx_ipc_socket_write():SUCCEED
13040:20190206:133345.270 End of process_httptest()
13040:20190206:133345.270 End of process_httptests()
13040:20190206:133345.270 query [txnlev:0] [select min(t.nextcheck) from httptest t,hosts h where t.hostid=h.hostid and mod(t.httptestid,2)=1 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
13040:20190206:133345.271 __zbx_zbx_setproctitle() title:'http poller #2 [got 1 values in 0.174298 sec, idle 1 sec]'
13039:20190206:133345.587 __zbx_zbx_setproctitle() title:'http poller #1 [got 0 values in 0.001603 sec, getting values]'
13039:20190206:133345.587 In process_httptests()
13039:20190206:133345.587 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549456425 and mod(t.httptestid,2)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
13039:20190206:133345.589 End of process_httptests()
THIS SCENARIO IS WORKING AGAIN
-------------------------------
13039:20190206:133345.589 query [txnlev:0] [select min(t.nextcheck) from httptest t,hosts h where t.hostid=h.hostid and mod(t.httptestid,2)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
13039:20190206:133345.590 No httptests to process in get_minnextcheck.
13039:20190206:133345.590 __zbx_zbx_setproctitle() title:'http poller #1 [got 0 values in 0.001723 sec, idle 5 sec]'
13040:20190206:133346.274 __zbx_zbx_setproctitle() title:'http poller #2 [got 1 values in 0.174298 sec, getting values]'
13040:20190206:133346.274 In process_httptests()
13040:20190206:133346.274 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549456426 and mod(t.httptestid,2)=1 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
13040:20190206:133346.275 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
13040:20190206:133346.276 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
13040:20190206:133346.276 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
13040:20190206:133346.276 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
13040:20190206:133346.276 In substitute_simple_macros() data:EMPTY
13040:20190206:133346.276 In http_process_variables() 0 variables
13040:20190206:133346.277 End of http_process_variables():SUCCEED
13040:20190206:133346.277 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
13040:20190206:133346.277 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
13040:20190206:133346.277 In substitute_simple_macros() data:'1m'
13040:20190206:133346.278 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
13040:20190206:133346.278 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
13040:20190206:133346.278 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
13040:20190206:133346.278 End substitute_simple_macros() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
13040:20190206:133346.278 In http_substitute_variables() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
13040:20190206:133346.278 End of http_substitute_variables() data:'https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
13040:20190206:133346.278 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
13040:20190206:133346.279 In substitute_simple_macros() data:'15s'
13040:20190206:133346.279 In substitute_simple_macros() data:EMPTY
13040:20190206:133346.279 In substitute_simple_macros() data:EMPTY
13040:20190206:133346.279 process_httptest() use step "surveillanceAW"
13040:20190206:133346.280 process_httptest() use post ""
13040:20190206:133346.280 process_httptest() go to URL "https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
13040:20190206:133346.501 process_httptest() page.data from https:// XXXXXXXX .worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp:' 06/02/19 13:33 : _surveillanceOK_'
13040:20190206:133346.501 In http_process_variables() 0 variables
13040:20190206:133346.501 End of http_process_variables():SUCCEED
13040:20190206:133346.501 In http_process_variables() 0 variables
13040:20190206:133346.501 End of http_process_variables():SUCCEED
13040:20190206:133346.502 In process_step_data() rspcode:200 time:0.220936 speed:176.000000
Tested under 3.4.14 (with zabbix-proxy ) and 4.0.3 (standalone server on vmware) |
Comment by Arturs Lontons [ 2019 Feb 07 ] |
Hi,
zabbix_server -R log_level_increase="http poller"
And please provide logs only for the web scenario which is failing.
|
Comment by CHRETIEN Landry [ 2019 Feb 07 ] |
Hello, please find the log here:
13231:20190207:105321.880 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549533201 and mod(t.httptestid,1)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
13231:20190207:105321.881 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
13231:20190207:105321.882 In substitute_simple_macros() data:'Zabbix'
13231:20190207:105321.882 In substitute_simple_macros() data:'utd.pem'
13231:20190207:105321.882 In substitute_simple_macros() data:'utd.key'
13231:20190207:105321.882 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
13231:20190207:105321.882 In http_process_variables() 0 variables
13231:20190207:105321.882 End of http_process_variables():SUCCEED
13231:20190207:105321.882 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
13231:20190207:105321.882 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
13231:20190207:105321.883 In substitute_simple_macros() data:'1m'
13231:20190207:105321.883 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
13231:20190207:105321.883 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
13231:20190207:105321.883 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13231:20190207:105321.883 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13231:20190207:105321.884 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
13231:20190207:105321.884 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
13231:20190207:105321.884 In substitute_simple_macros() data:'15s'
13231:20190207:105321.884 In substitute_simple_macros() data:EMPTY
13231:20190207:105321.884 In substitute_simple_macros() data:'200'
13231:20190207:105321.884 process_httptest() use step "GET /itsp/watchservicePage"
13231:20190207:105321.884 process_httptest() use post ""
13231:20190207:105321.884 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
13231:20190207:105321.976 query without transaction detected
13231:20190207:105321.976 query [txnlev:0] [update httptest set nextcheck=1549533261 where httptestid=1]
13231:20190207:105321.983 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX.as8677.net" on host "XXXXXXXX.as8677.net": SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
13231:20190207:105321.983 In process_test_data()
13231:20190207:105321.983 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
13231:20190207:105321.983 In zbx_preprocess_item_value()
13231:20190207:105321.983 End of zbx_preprocess_item_value()
13231:20190207:105321.983 In zbx_preprocess_item_value()
13231:20190207:105321.984 End of zbx_preprocess_item_value()
13231:20190207:105321.984 In zbx_preprocess_item_value()
13231:20190207:105321.984 End of zbx_preprocess_item_value()
13231:20190207:105321.984 End of process_test_data()
13231:20190207:105321.984 In zbx_ipc_socket_write()
13231:20190207:105321.984 End of zbx_ipc_socket_write():SUCCEED
13231:20190207:105321.984 End of process_httptest()
13231:20190207:105321.984 End of process_httptests()
and here, the curl command with same keys and certificates:
root@zabbix-server ssl]# curl --cert ./certs/utd.pem:(HIDEN PASSWORD) https://XXXXXXXX.as8677.net/itsp/watchservicePage -vv --key ./keys/utd.key
* About to connect() to XXXXXXXX.as8677.net port 443 (#0)
* Trying XXXXXXXX...
* Connected to XXXXXXXX.as8677.net (XXXXXXXX) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS: client certificate from file
* subject: CN=XXXXXXXX.as8677.net,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: juin 29 08:42:25 2018 GMT
* expire date: juin 29 09:12:24 2020 GMT
* common name: XXXXXXXX.as8677.net
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=XXXXXXXX.as8677.net,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: juin 29 08:42:25 2018 GMT
* expire date: juin 29 09:12:24 2020 GMT
* common name: fpl-fo-itsp.as8677.net
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /itsp/watchservicePage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: XXXXXXXX.as8677.net
> Accept: */*
>
< HTTP/1.1 200 200
< Date: Thu, 07 Feb 2019 10:09:53 GMT
< Server: Apache
< Content-Language: en-US
< Transfer-Encoding: chunked
< Content-Type: text/html;charset=UTF-8
<
|
Comment by Arturs Lontons [ 2019 Feb 07 ] |
Thank you for providing the logs! |
Comment by CHRETIEN Landry [ 2019 Feb 07 ] |
Hello, Tested with IE, FF, Chromium and curl, very same result. Is curl (or libcurl) called with some default arguments when used with webscenario? Regards |
Comment by Arturs Lontons [ 2019 Feb 08 ] |
Could you please remove all the sensitive data and add a screenshot from the Host - Web Scenario - Authentication screen for the corresponding web scenario?
|
Comment by CHRETIEN Landry [ 2019 Feb 08 ] |
Hello Arturs, I just added 2 screenshots; this webscenario is very simple (just 1 step) on a client certificate protected location. If needed, the certificate is signed by Entrust L1K authority and the key size is 2048 bit encrypted with DES-EDE3-CBC. Available if you need any other information. Regards, Landry. |
Comment by CHRETIEN Landry [ 2019 Feb 22 ] |
Hello, Any news? Is there any other information that I could provide to you in order to debug? Thanks in advance. |
Comment by Arnaud Prenant [ 2019 Apr 11 ] |
Hi, No news about this topic ? |
Comment by Edgar Akhmetshin [ 2019 May 07 ] |
Hello, Please, show openssl output from the remote host:
openssl s_client -state -debug -showcerts -verify 0 -connect XXXXXXXX.as8677.net:443
Could you also clarify web server used?
SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
Regards, |