PgSQL plugin is not able to start TLS encryption for official template (ZBX-22060)

[ZBX-23217] Faulty TLSConnect parameter functionality in PostgreSQL plugin Created: 2023 Aug 07  Updated: 2023 Oct 27  Resolved: 2023 Sep 01

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent2 plugin (G)
Affects Version/s: 6.0.20, 6.4.5, 7.0.0alpha3
Fix Version/s: 6.0.22rc1, 6.4.7rc1, 7.0.0alpha5, 7.0 (plan)

Type: Sub-task Priority: Major
Reporter: Denis Rasikhov Assignee: Eriks Sneiders
Resolution: Fixed Votes: 0
Labels: plugin, postgresql
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-08-07-13-28-54-574.png    
Team: Team INT
Sprint: Sprint 103 (Aug 2023)
Story Points: 4

 Description   

During the work on the parent issue the incorrect behaviour of TLSConnect parameters with verify_ca and verify_full values was noticed in the PostgreSQL plugin. It differs from the parameters providing the same functionality that are used by the psql command line client. Current behaviour doesn't allow you to check the server certificate without having to provide client certificate and key.

For example:
1. Set up server-side encryption with the server certificate signed by CA according to the PostgreSQL documentation (https://www.postgresql.org/docs/current/ssl-tcp.html). Or you could create self-signed certificate and also use it as the CA certificate in the following steps.
2. Set up monitoring according to the template documentation (see the updated README.md of "PostgreSQL by Zabbix agent 2" template in the parent task). Usage of TLS will require the addition of named session, so you could add the following parameters in the existing configuration file or create a new one (session name is myconn):

# Set up connection URI, replace <instanceip> with the IP or hostname of the monitored  instance
Plugins.PostgreSQL.Sessions.myconn.Uri=tcp://<instanceip>:5432

# Set up encryption mode to "verify_ca" (or "verify_full" if you also want to check the host name)
Plugins.PostgreSQL.Sessions.myconn.TLSConnect=verify_ca
#Plugins.PostgreSQL.Sessions.myconn.TLSConnect=verify_full

# Set up the path to the CA certificate which was used to sign the server certificate (copy it to the host on which Zabbix agent is installed beforehand):
Plugins.PostgreSQL.Sessions.myconn.TLSCAFile=/var/lib/zabbix/.postgresql/root.crt

3. Specify the session name in the {$PG.CONNSTRING} macro and password in {$PG.PASSWORD} macro.

4. Test any Zabbix agent item, for example "PostgreSQL: Get connections sum".

Result:
An error will be shown, saying that we did not specify the client certificate (and hence client key).

 Expected:
Connection should be successful and data should be retreived. Client certificates are in fact optional and used for authentication purposes in case if we want to check the client's identity.

Consult the PostgreSQL documentation about encryption modes and options in libpq and certificates usage:
https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION

 Comments   
Comment by Eriks Sneiders [ 2023 Aug 31 ]

Fixed in 

Comment by Martins Valkovskis [ 2023 Oct 27 ]

Updated documentation:

Generated at Tue Apr 01 06:13:10 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.