[ZBX-17187] Active Checks not working with PSK Created: 2020 Jan 16  Updated: 2020 Jul 02  Resolved: 2020 Jul 02

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G), Proxy (P), Server (S)
Affects Version/s: 4.2.8, 4.4.4
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: Matthias Kaersten Assignee: Kristians Pavars
Resolution: Cannot Reproduce Votes: 0
Labels: agent, encryption, proxy, psk, server
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Host-settings -PSK.PNG     PNG File Host-settings.PNG     PNG File image-2020-01-26-23-27-18-163.png     Text File os-release.txt     Text File psk-encrption-zabbix-bugreport.txt     PNG File trap item.PNG     Zip Archive zabbix-appliance-cert.zip    

 Description   

Steps to reproduce:

  1. install Zabbix Server from Docker zabbix/zabbix-server-mysql:ubuntu-4.4-latest
  2. configure Host in Zabbix with trapper and hostname item, encryption psk
  3. install zabbix agent and configure psk
  4. use zabbix_sender to send values to zabbix server (trapper item)

Result:

PSK Encryption active:
zabbix server gets data for agent.hostname (Zabbix passive)
zabbix_sender cannot send data (see attachment)

Encryption deactivated:
zabbix server gets data for agent.hostname (Zabbix passive)
zabbix_sender can send data to trapper item

 

Setup:

Zabbix Server 4.4.4: installed as Docker container on rancheros

Zabbix Agent 4.4.4 and 4.2.8: Installed on Ubuntu 18.04

 

Expected:
Send Data with zabbix_sender and use Active Checks over PSK



 Comments   
Comment by Aigars Kadikis [ 2020 Jan 17 ]

Thank you for registering this thread and using the latest stable version.

I'm already facing the same behaviour as you described. By using '-c /etc/zabbix/zabbix_agentd.conf' as an argument it does not work well. It seems like a bug.

 

Just to scope the depth of the problem, can you please also try without the zabbix_agentd.conf file by writing all attributes individually:

zabbix_sender -z 127.0.0.1 -s trap -k ein.test -o 43 --tls-psk-file /etc/zabbix/zabbix_agentd.psk --tls-connect psk --tls-psk-identity PSK-123 -vv

And attach the OS details where it does not work with  '-c /etc/zabbix/zabbix_agentd.conf':

cat /etc/*release* 
Comment by Matthias Kaersten [ 2020 Jan 17 ]

/etc/os-release is in the attachment.
VERSION="18.04.3 LTS (Bionic Beaver)"

zabbix_sender -z <SERVER-IP> -s trap -k ein.test -o 43 --tls-psk-file /etc/zabbix/zabbix_agentd.psk --tls-connect psk --tls-psk-identity PSK-123 -vv

zabbix_sender [3091]: DEBUG: In zbx_tls_init_child()
zabbix_sender [3091]: DEBUG: OpenSSL library (version OpenSSL 1.1.1  11 Sep 2018) initialized
zabbix_sender [3091]: DEBUG: zbx_tls_init_child() loaded PSK identity "PSK-123"
zabbix_sender [3091]: DEBUG: zbx_tls_init_child() loaded PSK from file "/etc/zabbix/zabbix_agentd.psk"
zabbix_sender [3091]: DEBUG: zbx_tls_init_child() PSK ciphersuites: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 ECDHE-PSK-AES128-CBC-SHA256 ECDHE-PSK-AES128-CBC-SHA PSK-AES128-GCM-SHA256 PSK-AES128-CCM8 PSK-AES128-CCM PSK-AES128-CBC-SHA256 PSK-AES128-CBC-SHA
zabbix_sender [3091]: DEBUG: End of zbx_tls_init_child()
zabbix_sender [3092]: DEBUG: In zbx_tls_connect(): psk_identity:"PSK-123"
zabbix_sender [3092]: DEBUG: zbx_psk_client_cb() requested PSK identity "PSK-123"
zabbix_sender [3092]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_AES_256_GCM_SHA384)
zabbix_sender [3092]: Warning: SSL_shutdown() with <SERVER-IP> set result code to 1: file ../ssl/ssl_lib.c line 2072: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
zabbix_sender [3092]: DEBUG: send value error: TLS read set result code to 1: file ../ssl/record/rec_layer_s3.c line 1528: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required: SSL alert number 116: TLS read fatal alert "unknown"
Sending failed.
Comment by Aigars Kadikis [ 2020 Jan 20 ]

Hello Matthias,

Apparently I cannot reproduce the issue on Ubuntu 18.04.3 LTS running everything locally (not from containers).

Previously I also did have a misconfiguration issue. Please double-make sure:

  • Trap item exists on the host
  • Reload the configuration cache (zabbix_server -R config_cache_reload) of Zabbix server before sending trap
  • The item which is created really is "Zabbix trapper", not "SNMP trap" or accidentally "Zabbix agent"
  • The trap is delivered to "Host name" and NOT the "Visible name"

If the problem still exists, please attach:

  • screenshot of "Items" page containing trap item
  • screenshot of host configuration page
  • screenshot of "Encryption" tab from host
  • /etc/zabbix/zabbix_agentd.psk file, the original one.

 

Comment by Matthias Kaersten [ 2020 Jan 27 ]

Hello,

 

I recreated this issue using the zabbix appliance Docker image and zabbix_agent 4.4 on Ubuntu 18.04.

As soon as I add the following configuration to the Zabbix Server, zabbix_sender starts to fail when using PSK, while passive items continue working.
    -e ZBX_TLSCAFILE=ca.crt \
    -e ZBX_TLSCERTFILE=server.crt \
    -e ZBX_TLSKEYFILE=server.key \
 

  • screenshot of "Items" page containing trap item
  • screenshot of host configuration page
  • screenshot of "Encryption" tab from host
  • /etc/zabbix/zabbix_agentd.psk file, the original one.
    • I attached a zip containing my Dockerfile with a build.sh and run.sh, some certificates, the exported host, zabbix_agentd.conf and zabbix_agentd.psk: zabbix-appliance-cert.zip
       
Comment by Kristians Pavars [ 2020 Jun 16 ]

Hi mt-mk

 

Sorry for the long delay,

In the Docker commands you are specifying Certificate, but in the frontend you are using PSK, please make sure that both of them are configured to use the same encryption method.

 

Regards,
Kristiāns
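
Added example (not part of the original ticket and not Zabbix code): a small triage script for the zabbix_sender -vv output quoted earlier in this thread. It extracts the offered PSK identity, the negotiated TLS version and suite, and the TLS alert number, and flags the case discussed here, where a PSK client receives alert 116 (certificate_required in RFC 8446). The function name triage and the finding labels are assumptions; the sample log is constructed from lines in this ticket.

```python
import re

# Constructed sample: zabbix_sender -vv lines taken from the comment in this ticket.
SAMPLE_LOG = """\
zabbix_sender [3092]: DEBUG: In zbx_tls_connect(): psk_identity:"PSK-123"
zabbix_sender [3092]: DEBUG: End of zbx_tls_connect():SUCCEED (established TLSv1.3 TLS_AES_256_GCM_SHA384)
zabbix_sender [3092]: DEBUG: send value error: TLS read set result code to 1: file ../ssl/record/rec_layer_s3.c line 1528: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required: SSL alert number 116: TLS read fatal alert "unknown"
Sending failed.
"""

# Alert descriptions from RFC 8446, section 6 (subset useful for PSK/certificate triage).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              51: "decrypt_error", 115: "unknown_psk_identity", 116: "certificate_required"}

IDENTITY_RE = re.compile(r'psk_identity:"([^"]*)"')
ESTABLISHED_RE = re.compile(r"zbx_tls_connect\(\):SUCCEED \(established (\S+) ([^\s)]+)\)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def triage(log_text):
    """Summarise one zabbix_sender -vv run (hypothetical helper, not a Zabbix API)."""
    ident = IDENTITY_RE.search(log_text)
    est = ESTABLISHED_RE.search(log_text)
    alert = ALERT_RE.search(log_text)
    number = int(alert.group(1)) if alert else None
    result = {
        "psk_identity": ident.group(1) if ident else None,
        "tls_version": est.group(1) if est else None,
        "cipher": est.group(2) if est else None,
        "alert": number,
        "alert_name": TLS_ALERTS.get(number, "unlisted") if alert else None,
    }
    if ident and number == 116:
        # Client offered PSK, peer answered certificate_required: the two ends
        # are not configured for the same encryption method.
        result["finding"] = "method_mismatch"
    elif number == 115:
        result["finding"] = "psk_identity_not_known_to_peer"
    elif number is not None:
        result["finding"] = "other_tls_alert"
    elif est:
        result["finding"] = "ok"
    else:
        result["finding"] = "no_handshake"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```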
