[ZBX-15597] Issue when trying to setup webscenario with certificate authentication and encrypted keys Created: 2019 Feb 05  Updated: 2019 Jul 22  Resolved: 2019 Jul 22

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 4.0.3
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: CHRETIEN Landry Assignee: Edgar Akhmetshin
Resolution: Cannot Reproduce Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Centos 7.6
openssl 1.0.2k-16
curl-7.29.0-51
libcurl-7.29.0-51


Attachments: PNG File Capture-1.PNG     PNG File Capture.PNG    

 Description   

When trying to set up a web scenario with certificate authentication, some issues appear if:

The private key is encrypted: the web scenario returns: Problem with the local SSL certificate: Unable to load client key: Incorrect password

If we try a connection via the curl command, it succeeds:

 

 

-bash-4.2$ curl --cert ./certs/utd.pem:XXXXXXXXXX https://mysite/myPage -vv --key ./keys/utd.uncrypt
 
* About to connect() to XXXXXXXXXX t port 443 (#0)
* Trying 160.xx.xx.xx.xx...
* Connected to XXXXXXXXXX  (160.xx.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS: client certificate from file
* subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: Jun 29 08:42:25 2018 GMT
* expire date: Jun 29 09:12:24 2020 GMT
* common name: XXXXXXXXXX 
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=XXXXXXXXXX ,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: Jun 29 08:42:25 2018 GMT
* expire date: Jun 29 09:12:24 2020 GMT
* common name: XXXXXXXXXX 
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /itsp/MyPage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: XXXXXXXXXX 
> Accept: */*
>
< HTTP/1.1 200 200
 

Key headers : 

----BEGIN RSA PRIVATE KEY----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5612B32DE29FD156

 

Trying to decrypt the key via this command:

openssl rsa -in utd.key -out utd.uncrypt

will give this error: Problem with the local SSL certificate: Unable to load client key -8178

A direct test via curl succeeds.

If another web scenario is running well with certificate authentication but without an encrypted key, it will give the error: Problem with the local SSL certificate: Unable to load client key: Incorrect password if the proxy or server is launching only one http poller process. Launching several http pollers seems to correct the problem.

 

Concerning the server or proxy configuration, I have set the following options:

SSLCertLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/certs

SSLKeyLocation=/usr/lib/zabbix/zabbix-certificate-management/ssl/keys

These directories are owned by the zabbix user and accessible as the zabbix user.

 

Tested under 3.4.14 and 4.0.3 with same OS, openssl and curl/libcurl packages

All tests have been made without an http proxy between servers and resources
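Added example, not part of the original report: a small Python check that reads a PEM file's delimiters and headers to tell whether a private key needs a passphrase and which format it uses, which is the first thing to confirm before filling in a web scenario's SSL key password. It assumes standard five-dash PEM delimiters; the function names and sample bodies are constructed, and only the Proc-Type and DEK-Info values come from the key headers quoted above.

```python
import base64
import re

# A PEM block: BEGIN line, optional "Name: value" headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)


def read_headers(body):
    """Collect the 'Name: value' lines that precede the base64 body."""
    headers = {}
    for line in body.splitlines():
        if ":" not in line:  # blank separator or first base64 line
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def classify_pem(text):
    """Return one dict per PEM block found in `text`, in file order."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        info = {"label": label, "kind": "other", "encrypted": False,
                "cipher": None, "iv_hex": None}
        if label == "CERTIFICATE":
            info["kind"] = "certificate"
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is inside the ASN.1 structure, not in headers.
            info.update(kind="pkcs8-key", encrypted=True)
        elif label == "PRIVATE KEY":
            info["kind"] = "pkcs8-key"
        elif label.endswith(" PRIVATE KEY"):
            # Traditional format (RSA/EC/DSA): encryption is declared in headers.
            info["kind"] = "traditional-key"
            headers = read_headers(body)
            proc = [p.strip() for p in headers.get("Proc-Type", "").split(",")]
            if "ENCRYPTED" in proc:
                cipher, _, iv = headers.get("DEK-Info", "").partition(",")
                info.update(encrypted=True,
                            cipher=cipher.strip() or None,
                            iv_hex=iv.strip() or None)
        blocks.append(info)
    return blocks


def passphrase_required(text):
    """True if any private key block in `text` is encrypted."""
    keys = [b for b in classify_pem(text) if b["kind"].endswith("-key")]
    if not keys:
        raise ValueError("no private key block found")
    return any(b["encrypted"] for b in keys)


# Constructed sample bodies: placeholder bytes, not key or certificate material.
SAMPLE_BODY = base64.b64encode(b"constructed sample bytes, not key material").decode()

ENCRYPTED_TRADITIONAL = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,5612B32DE29FD156\n"
    "\n"
    + SAMPLE_BODY + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)

CERT_PLUS_PLAIN_KEY = (
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_BODY + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + SAMPLE_BODY + "\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in (("encrypted", ENCRYPTED_TRADITIONAL),
                      ("cert+plain", CERT_PLUS_PLAIN_KEY)):
        print(name, passphrase_required(pem), classify_pem(pem))
```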



 Comments   
Comment by Arturs Lontons [ 2019 Feb 06 ]

Hi,

Please increase the http_poller log level to 5, perform the web scenario check and provide the zabbix_server.log with the corresponding entries.

You can increase the log level either by running the command

zabbix_server -R log_level_increase="http poller"

Or by increasing the debug level in the zabbix-server.conf file and restarting the server:

DebugLevel=5
Comment by CHRETIEN Landry [ 2019 Feb 06 ]

1st web scenario, which needs the password to decrypt the key:

11719:20190206:131626.301 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
 11719:20190206:131626.301 In substitute_simple_macros() data:'Zabbix'
 11719:20190206:131626.301 In substitute_simple_macros() data:'utd.pem'
 11719:20190206:131626.302 In substitute_simple_macros() data:'utd.key'
 11719:20190206:131626.302 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
 11719:20190206:131626.302 In http_process_variables() 0 variables
 11719:20190206:131626.302 End of http_process_variables():SUCCEED
 11719:20190206:131626.302 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
 11719:20190206:131626.302 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
 11719:20190206:131626.303 In substitute_simple_macros() data:'1m'
 11719:20190206:131626.303 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
 11719:20190206:131626.303 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
 11719:20190206:131626.303 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 11719:20190206:131626.303 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 11719:20190206:131626.303 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 11719:20190206:131626.303 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
 11719:20190206:131626.304 In substitute_simple_macros() data:'15s'
 11719:20190206:131626.304 In substitute_simple_macros() data:EMPTY
 11719:20190206:131626.304 In substitute_simple_macros() data:'200'
 11719:20190206:131626.304 process_httptest() use step "GET /itsp/watchservicePage"
 11719:20190206:131626.304 process_httptest() use post ""
 11719:20190206:131626.304 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
 11719:20190206:131627.352 query without transaction detected
 11719:20190206:131627.352 query [txnlev:0] [update httptest set nextcheck=1549455447 where httptestid=1]
 11719:20190206:131627.365 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX.as8677.net" on host "XXXXXXXX.as8677.net": Problem with the local SSL certificate: Unable to load client key: Incorrect password
 11719:20190206:131627.365 In process_test_data()
 11719:20190206:131627.365 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
 11719:20190206:131627.366 In zbx_preprocess_item_value()
 11719:20190206:131627.366 End of zbx_preprocess_item_value()
 11719:20190206:131627.366 In zbx_preprocess_item_value()
 11719:20190206:131627.366 End of zbx_preprocess_item_value()
 11719:20190206:131627.366 In zbx_preprocess_item_value()
 11719:20190206:131627.367 End of zbx_preprocess_item_value()
 11719:20190206:131627.367 End of process_test_data()
 11719:20190206:131627.367 In zbx_ipc_socket_write()
 11719:20190206:131627.367 End of zbx_ipc_socket_write():SUCCEED
 11719:20190206:131627.367 End of process_httptest()

 

2nd webscenario that doesn't need any password :

 

Note that this web scenario was working perfectly when the 1st one is disabled or if I set the password field empty and the server is configured with only 1 http poller.

11719:20190206:131627.367 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
 11719:20190206:131627.368 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
 11719:20190206:131627.368 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
 11719:20190206:131627.368 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
 11719:20190206:131627.368 In substitute_simple_macros() data:EMPTY
 11719:20190206:131627.368 In http_process_variables() 0 variables
 11719:20190206:131627.368 End of http_process_variables():SUCCEED
 11719:20190206:131627.368 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
 11719:20190206:131627.368 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
 11719:20190206:131627.370 In substitute_simple_macros() data:'1m'
 11719:20190206:131627.370 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
 11719:20190206:131627.370 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
 11719:20190206:131627.370 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:131627.370 End substitute_simple_macros() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:131627.371 In http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:131627.371 End of http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:131627.371 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
 11719:20190206:131627.373 In substitute_simple_macros() data:'15s'
 11719:20190206:131627.373 In substitute_simple_macros() data:EMPTY
 11719:20190206:131627.373 In substitute_simple_macros() data:EMPTY
 11719:20190206:131627.373 process_httptest() use step "surveillanceAW"
 11719:20190206:131627.373 process_httptest() use post ""
 11719:20190206:131627.374 process_httptest() go to URL "https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
 11719:20190206:131627.433 query without transaction detected
 11719:20190206:131627.434 query [txnlev:0] [update httptest set nextcheck=1549455447 where httptestid=3]
 11719:20190206:131627.442 cannot process step "surveillanceAW" of web scenario "psp-gateway-authorisationws-ws" on host "XXXXXXXX.worldline.com": Problem with the local SSL certificate: Unable to load client key: Incorrect password

Log showing a success of the 2nd web scenario when the 1st is disabled:

 

11719:20190206:130825.117 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
 11719:20190206:130825.117 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
 11719:20190206:130825.117 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
 11719:20190206:130825.117 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
 11719:20190206:130825.117 In substitute_simple_macros() data:EMPTY
 11719:20190206:130825.117 In http_process_variables() 0 variables
 11719:20190206:130825.117 End of http_process_variables():SUCCEED
 11719:20190206:130825.117 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
 11719:20190206:130825.117 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
 11719:20190206:130825.118 In substitute_simple_macros() data:'1m'
 11719:20190206:130825.118 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
 11719:20190206:130825.118 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
 11719:20190206:130825.118 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:130825.118 End substitute_simple_macros() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:130825.118 In http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:130825.118 End of http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 11719:20190206:130825.118 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
 11719:20190206:130825.118 In substitute_simple_macros() data:'15s'
 11719:20190206:130825.118 In substitute_simple_macros() data:EMPTY
 11719:20190206:130825.118 In substitute_simple_macros() data:EMPTY
 11719:20190206:130825.118 process_httptest() use step "surveillanceAW"
 11719:20190206:130825.118 process_httptest() use post ""
 11719:20190206:130825.118 process_httptest() go to URL "https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
 11719:20190206:130825.351 process_httptest() page.data from https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp:'

06/02/19 13:08 : _surveillanceOK_'
 11719:20190206:130825.351 In http_process_variables() 0 variables
 11719:20190206:130825.351 End of http_process_variables():SUCCEED
 11719:20190206:130825.351 In http_process_variables() 0 variables
 11719:20190206:130825.351 End of http_process_variables():SUCCEED
 11719:20190206:130825.352 In process_step_data() rspcode:200 time:0.232812 speed:167.000000

 

Sorry, I had to hide some sensitive data in the present logs

 

Comment by CHRETIEN Landry [ 2019 Feb 06 ]

The following logs are for when more than one http poller is defined, for the same web scenario: (SSL error seems different)

 

13040:20190206:133345.097 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
 13040:20190206:133345.098 In substitute_simple_macros() data:'Zabbix'
 13040:20190206:133345.098 In substitute_simple_macros() data:'utd.pem'
 13040:20190206:133345.098 In substitute_simple_macros() data:'utd.key'
 13040:20190206:133345.099 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
 13040:20190206:133345.099 In http_process_variables() 0 variables
 13040:20190206:133345.099 End of http_process_variables():SUCCEED
 13040:20190206:133345.099 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
 13040:20190206:133345.099 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
 13040:20190206:133345.100 In substitute_simple_macros() data:'1m'
 13040:20190206:133345.100 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
 13040:20190206:133345.100 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
 13040:20190206:133345.100 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13040:20190206:133345.100 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13040:20190206:133345.100 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13040:20190206:133345.100 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
 13040:20190206:133345.101 In substitute_simple_macros() data:'15s'
 13040:20190206:133345.101 In substitute_simple_macros() data:EMPTY
 13040:20190206:133345.101 In substitute_simple_macros() data:'200'
 13040:20190206:133345.101 process_httptest() use step "GET /itsp/watchservicePage"
 13040:20190206:133345.101 process_httptest() use post ""
 13040:20190206:133345.101 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
 13040:20190206:133345.262 query without transaction detected
 13040:20190206:133345.262 query [txnlev:0] [update httptest set nextcheck=1549456485 where httptestid=1]
 13040:20190206:133345.268 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX" on host "XXXXXXXX.as8677.net": SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
 13040:20190206:133345.268 In process_test_data()
 13040:20190206:133345.268 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
 13040:20190206:133345.269 In zbx_preprocess_item_value()
 13040:20190206:133345.269 End of zbx_preprocess_item_value()
 13040:20190206:133345.269 In zbx_preprocess_item_value()
 13040:20190206:133345.269 End of zbx_preprocess_item_value()
 13040:20190206:133345.269 In zbx_preprocess_item_value()
 13040:20190206:133345.270 End of zbx_preprocess_item_value()
 13040:20190206:133345.270 End of process_test_data()
 13040:20190206:133345.270 In zbx_ipc_socket_write()
 13040:20190206:133345.270 End of zbx_ipc_socket_write():SUCCEED
 13040:20190206:133345.270 End of process_httptest()
 13040:20190206:133345.270 End of process_httptests()
 13040:20190206:133345.270 query [txnlev:0] [select min(t.nextcheck) from httptest t,hosts h where t.hostid=h.hostid and mod(t.httptestid,2)=1 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
 13040:20190206:133345.271 __zbx_zbx_setproctitle() title:'http poller #2 [got 1 values in 0.174298 sec, idle 1 sec]'
 13039:20190206:133345.587 __zbx_zbx_setproctitle() title:'http poller #1 [got 0 values in 0.001603 sec, getting values]'
 13039:20190206:133345.587 In process_httptests()
 13039:20190206:133345.587 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549456425 and mod(t.httptestid,2)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
 13039:20190206:133345.589 End of process_httptests()

THIS SCENARIO IS WORKING AGAIN 
-------------------------------
13039:20190206:133345.589 query [txnlev:0] [select min(t.nextcheck) from httptest t,hosts h where t.hostid=h.hostid and mod(t.httptestid,2)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
 13039:20190206:133345.590 No httptests to process in get_minnextcheck.
 13039:20190206:133345.590 __zbx_zbx_setproctitle() title:'http poller #1 [got 0 values in 0.001723 sec, idle 5 sec]'
 13040:20190206:133346.274 __zbx_zbx_setproctitle() title:'http poller #2 [got 1 values in 0.174298 sec, getting values]'
 13040:20190206:133346.274 In process_httptests()
 13040:20190206:133346.274 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549456426 and mod(t.httptestid,2)=1 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
 13040:20190206:133346.275 query [txnlev:0] [select name,value,type from httptest_field where httptestid=3 order by httptest_fieldid]
 13040:20190206:133346.276 In substitute_simple_macros() data:'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
 13040:20190206:133346.276 In substitute_simple_macros() data:'pspgtwPRDClientCertif.pem'
 13040:20190206:133346.276 In substitute_simple_macros() data:'pspgtwPRDClientCertif.key'
 13040:20190206:133346.276 In substitute_simple_macros() data:EMPTY
 13040:20190206:133346.276 In http_process_variables() 0 variables
 13040:20190206:133346.277 End of http_process_variables():SUCCEED
 13040:20190206:133346.277 In process_httptest() httptestid:3 name:'psp-gateway-authorisationws-ws'
 13040:20190206:133346.277 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=3 order by no]
 13040:20190206:133346.277 In substitute_simple_macros() data:'1m'
 13040:20190206:133346.278 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/pspgtwPRDClientCertif.pem'
 13040:20190206:133346.278 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/pspgtwPRDClientCertif.key'
 13040:20190206:133346.278 In substitute_simple_macros() data:'https://{HOST.DNS}/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 13040:20190206:133346.278 End substitute_simple_macros() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 13040:20190206:133346.278 In http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 13040:20190206:133346.278 End of http_substitute_variables() data:'https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp'
 13040:20190206:133346.278 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=3 order by httpstep_fieldid]
 13040:20190206:133346.279 In substitute_simple_macros() data:'15s'
 13040:20190206:133346.279 In substitute_simple_macros() data:EMPTY
 13040:20190206:133346.279 In substitute_simple_macros() data:EMPTY
 13040:20190206:133346.279 process_httptest() use step "surveillanceAW"
 13040:20190206:133346.280 process_httptest() use post ""
 13040:20190206:133346.280 process_httptest() go to URL "https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp"
 13040:20190206:133346.501 process_httptest() page.data from https://XXXXXXXX.worldline.com/psp-gateway-authorisationws-ws/surveillanceAWL/watch_global_authorisation.jsp:'

06/02/19 13:33 : _surveillanceOK_'
 13040:20190206:133346.501 In http_process_variables() 0 variables
 13040:20190206:133346.501 End of http_process_variables():SUCCEED
 13040:20190206:133346.501 In http_process_variables() 0 variables
 13040:20190206:133346.501 End of http_process_variables():SUCCEED
 13040:20190206:133346.502 In process_step_data() rspcode:200 time:0.220936 speed:176.000000

 

Tested under 3.4.14 (with zabbix-proxy ) and 4.0.3 (standalone server on vmware)
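Added example, not part of the original comments: one way to check the reported pattern in an http poller debug log, by pairing each web scenario run with the key file and outcome logged under the same process ID and flagging consecutive client-key failures that involve different key files. The log lines are a constructed sample modelled on the format shown above; the function names, host names and key paths are assumptions.

```python
import re

# Zabbix debug log line: "<pid>:<YYYYMMDD>:<HHMMSS.mmm> <message>"
LINE = re.compile(r"^\s*(\d+):(\d{8}):(\d{6}\.\d{3}) (.*)$")
START = re.compile(r"In process_httptest\(\) httptestid:(\d+) name:'(.*)'")
KEY = re.compile(r"using SSL private key file: '(.*)'")
FAIL = re.compile(r'cannot process step ".*?" of web scenario ".*?" on host ".*?": (.*)')
DONE = re.compile(r"In process_step_data\(\) rspcode:(\d+)")
KEY_ERROR = "Unable to load client key"


def scenario_runs(log_text):
    """Return one record per web scenario run, in the order outcomes are logged.

    Only the first step's outcome is recorded for each run.
    """
    in_progress = {}  # pid -> run that has started but has no outcome yet
    runs = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        pid, date, clock, msg = line.groups()
        started = START.search(msg)
        if started:
            in_progress[pid] = {
                "pid": pid, "started": date + ":" + clock,
                "httptestid": int(started.group(1)), "name": started.group(2),
                "key_file": None, "outcome": None, "detail": None,
            }
            continue
        run = in_progress.get(pid)
        if run is None:
            continue
        key, fail, done = KEY.search(msg), FAIL.search(msg), DONE.search(msg)
        if key:
            run["key_file"] = key.group(1)
        elif fail:
            run.update(outcome="failed", detail=fail.group(1))
            runs.append(in_progress.pop(pid))
        elif done:
            run.update(outcome="ok", detail="rspcode " + done.group(1))
            runs.append(in_progress.pop(pid))
    return runs


def is_key_failure(run):
    return run["outcome"] == "failed" and KEY_ERROR in (run["detail"] or "")


def carried_over_key_failures(runs):
    """Find consecutive runs in one poller process that both fail to load the
    client key while using different key files.

    Returns (pid, earlier httptestid, later httptestid) tuples.
    """
    previous = {}  # pid -> last finished run in that process
    hits = []
    for run in runs:
        prev = previous.get(run["pid"])
        if (prev and is_key_failure(prev) and is_key_failure(run)
                and prev["key_file"] != run["key_file"]):
            hits.append((run["pid"], prev["httptestid"], run["httptestid"]))
        previous[run["pid"]] = run
    return hits


# Constructed sample: one poller (11719) running both scenarios, then a second
# poller (13040) where the first scenario fails differently and the other passes.
SAMPLE_LOG = """\
 11719:20190206:131626.302 In process_httptest() httptestid:1 name:'enc-key-scenario'
 11719:20190206:131626.303 using SSL private key file: '/constructed/ssl/keys/encrypted.key'
 11719:20190206:131627.365 cannot process step "GET /page" of web scenario "enc-key-scenario" on host "host-a.example": Problem with the local SSL certificate: Unable to load client key: Incorrect password
 11719:20190206:131627.368 In process_httptest() httptestid:3 name:'plain-key-scenario'
 11719:20190206:131627.370 using SSL private key file: '/constructed/ssl/keys/plain.key'
 11719:20190206:131627.442 cannot process step "watch" of web scenario "plain-key-scenario" on host "host-b.example": Problem with the local SSL certificate: Unable to load client key: Incorrect password
 13040:20190206:133345.099 In process_httptest() httptestid:1 name:'enc-key-scenario'
 13040:20190206:133345.100 using SSL private key file: '/constructed/ssl/keys/encrypted.key'
 13040:20190206:133345.268 cannot process step "GET /page" of web scenario "enc-key-scenario" on host "host-a.example": SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
 13040:20190206:133346.277 In process_httptest() httptestid:3 name:'plain-key-scenario'
 13040:20190206:133346.278 using SSL private key file: '/constructed/ssl/keys/plain.key'
 13040:20190206:133346.502 In process_step_data() rspcode:200 time:0.220936 speed:176.000000
"""

if __name__ == "__main__":
    for pid, first, second in carried_over_key_failures(scenario_runs(SAMPLE_LOG)):
        print("poller pid %s: scenario %d and then %d both failed to load a client key"
              % (pid, first, second))
```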

Comment by Arturs Lontons [ 2019 Feb 07 ]

Hi,
It looks like you're using Debug level 4. Please execute the following command twice to raise the debug level to 5:

zabbix_server -R log_level_increase="http poller"

And please provide logs only for the web scenario which is failing.

 

Comment by CHRETIEN Landry [ 2019 Feb 07 ]

Hello,

please find the log here :

13231:20190207:105321.880 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host,t.delay from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1549533201 and mod(t.httptestid,1)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
 13231:20190207:105321.881 query [txnlev:0] [select name,value,type from httptest_field where httptestid=1 order by httptest_fieldid]
 13231:20190207:105321.882 In substitute_simple_macros() data:'Zabbix'
 13231:20190207:105321.882 In substitute_simple_macros() data:'utd.pem'
 13231:20190207:105321.882 In substitute_simple_macros() data:'utd.key'
 13231:20190207:105321.882 In substitute_simple_macros() data:'(HIDEN PASSWORD)'
 13231:20190207:105321.882 In http_process_variables() 0 variables
 13231:20190207:105321.882 End of http_process_variables():SUCCEED
 13231:20190207:105321.882 In process_httptest() httptestid:1 name:'[G][UTD]GET XXXXXXXX.as8677.net'
 13231:20190207:105321.882 query [txnlev:0] [select httpstepid,no,name,url,timeout,posts,required,status_codes,post_type,follow_redirects,retrieve_mode from httpstep where httptestid=1 order by no]
 13231:20190207:105321.883 In substitute_simple_macros() data:'1m'
 13231:20190207:105321.883 using SSL certificate file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/certs/utd.pem'
 13231:20190207:105321.883 using SSL private key file: '/usr/lib/zabbix/zabbix-certificate-management/ssl/keys/utd.key'
 13231:20190207:105321.883 In substitute_simple_macros() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13231:20190207:105321.883 In http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13231:20190207:105321.884 End of http_substitute_variables() data:'https://XXXXXXXX.as8677.net/itsp/watchservicePage'
 13231:20190207:105321.884 query [txnlev:0] [select name,value,type from httpstep_field where httpstepid=1 order by httpstep_fieldid]
 13231:20190207:105321.884 In substitute_simple_macros() data:'15s'
 13231:20190207:105321.884 In substitute_simple_macros() data:EMPTY
 13231:20190207:105321.884 In substitute_simple_macros() data:'200'
 13231:20190207:105321.884 process_httptest() use step "GET /itsp/watchservicePage"
 13231:20190207:105321.884 process_httptest() use post ""
 13231:20190207:105321.884 process_httptest() go to URL "https://XXXXXXXX.as8677.net/itsp/watchservicePage"
 13231:20190207:105321.976 query without transaction detected
 13231:20190207:105321.976 query [txnlev:0] [update httptest set nextcheck=1549533261 where httptestid=1]
 13231:20190207:105321.983 cannot process step "GET /itsp/watchservicePage" of web scenario "[G][UTD]GET XXXXXXXX.as8677.net" on host "XXXXXXXX.as8677.net": SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.
 13231:20190207:105321.983 In process_test_data()
 13231:20190207:105321.983 query [txnlev:0] [select type,itemid from httptestitem where httptestid=1]
 13231:20190207:105321.983 In zbx_preprocess_item_value()
 13231:20190207:105321.983 End of zbx_preprocess_item_value()
 13231:20190207:105321.983 In zbx_preprocess_item_value()
 13231:20190207:105321.984 End of zbx_preprocess_item_value()
 13231:20190207:105321.984 In zbx_preprocess_item_value()
 13231:20190207:105321.984 End of zbx_preprocess_item_value()
 13231:20190207:105321.984 End of process_test_data()
 13231:20190207:105321.984 In zbx_ipc_socket_write()
 13231:20190207:105321.984 End of zbx_ipc_socket_write():SUCCEED
 13231:20190207:105321.984 End of process_httptest()
 13231:20190207:105321.984 End of process_httptests()

and here, the curl command with same keys and certificates :

root@zabbix-server ssl]# curl --cert ./certs/utd.pem:(HIDEN PASSWORD) https://XXXXXXXX.as8677.net/itsp/watchservicePage -vv --key ./keys/utd.key
* About to connect() to XXXXXXXX.as8677.net port 443 (#0)
* Trying XXXXXXXX...
* Connected to XXXXXXXX.as8677.net (XXXXXXXX) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS: client certificate from file
* subject: CN=XXXXXXXX.as8677.net,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: juin 29 08:42:25 2018 GMT
* expire date: juin 29 09:12:24 2020 GMT
* common name: XXXXXXXX.as8677.net
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=XXXXXXXX.as8677.net,OU=TO,O=Worldline,L=SECLIN,C=FR
* start date: juin 29 08:42:25 2018 GMT
* expire date: juin 29 09:12:24 2020 GMT
* common name: fpl-fo-itsp.as8677.net
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /itsp/watchservicePage HTTP/1.1
> User-Agent: curl/7.29.0
> Host: XXXXXXXX.as8677.net
> Accept: */*
>
< HTTP/1.1 200 200
< Date: Thu, 07 Feb 2019 10:09:53 GMT
< Server: Apache
< Content-Language: en-US
< Transfer-Encoding: chunked
< Content-Type: text/html;charset=UTF-8
<

 

 

Comment by Arturs Lontons [ 2019 Feb 07 ]

Thank you for providing the logs!
Could you please try using different types of web scenario agents and see if the issue still persists?

Comment by CHRETIEN Landry [ 2019 Feb 07 ]

Hello,

Tested with IE, FF, Chromium and curl, very same result.

Is curl (or libcurl) called with some default arguments when used with a web scenario?

Regards

Comment by Arturs Lontons [ 2019 Feb 08 ]

Could you please remove all the sensitive data and add a screenshot from the Host - Web Scenario - Authentication screen for the corresponding web scenario?
Also, a screenshot from the Host - Web Scenario - Steps - Step which fails would also be helpful.

 

Comment by CHRETIEN Landry [ 2019 Feb 08 ]

Hello Arturs,

I just added 2 screenshots; this web scenario is very simple (just 1 step) on a client certificate protected location.

If needed, the certificate is signed by Entrust L1K authority and the key size is 2048 bit encrypted with DES-EDE3-CBC.

Available if you need any other information.

Regards,

Landry.

Comment by CHRETIEN Landry [ 2019 Feb 22 ]

Hello,

Any news? Is there any other information that I could provide to you in order to debug?

Thanks in advance.

Comment by Arnaud Prenant [ 2019 Apr 11 ]

Hi,

No news about this topic?

Comment by Edgar Akhmetshin [ 2019 May 07 ]

Hello,

Please, show openssl output from the remote host:

openssl s_client -state -debug -showcerts -verify 0 -connect XXXXXXXX.as8677.net:443

Could you also clarify which web server is used?

SSL connect error: SSL peer was unable to negotiate an acceptable set of security parameters.

Regards,
Edgar
