Bug #15720

open

Zabbix Proxy only allows selecting RSA certificates

Added by npr . about 2 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: Zabbix
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.7.x
Affected Plus Version:
Affected Architecture: amd64

Description

Depending on currently unknown details, some certificates, while present on the pfSense host, are not selectable for the zabbix proxy (they won't show up in the select box).

Imagine I have two pfSense hosts (different locations, different customers). On one host, I can select the certificate in the dropdown, on the other, it is missing.

I've already imported the CA and the cert I want into the pfSense hosts in the exact same way. If I (via F12, manually) add the item with the correct 'code' (taken from /conf/config.xml) then submitting leaves the value empty in the form. The certificate does not change (and my zabbix server won't accept the proxy connection).

Upon submission, I found that the form normally generates a /usr/local/etc/zabbix6/zabbix_proxy.conf file which always points to /usr/local/etc/zabbix6/zabbix_proxy.key and /usr/local/zabbix6/zabbix_proxy.cert as its certificate files.
Manually copying PEM-encoded private and public keys into those files (or uploading them over FTP over SSH) with the unselectable certificate works perfectly fine.

There's some very strange bug in the UI here.

There's no indication why some of these certificates are missing from the dropdown. No logs, nothing, just silent failure to show what clearly exists in /conf/config.xml (I verified that the exact cert I want to configure for zabbix exists in there).

If I copy over the non-working cert and key from the non-working host to the working one, it still will not show up, silently, confirming it's really the certificate itself that pfSense's zabbix GUI (and only the GUI, not the program itself, it's a perfectly cromulent piece of data) refuses to allow me to use. It's not something to do with the actual descriptive name but with something inside the cert that differs (which is only the common name, which I should obviously be able to set to any valid web address).

I can't provide examples of a working and non-working cert. It won't be of any use as the information I'd have to alter to post it publicly would render it non-working anyway, nor can I share the private key, for obvious reasons, nor can I easily reproduce the problem by randomly generating more.

Actions #1

Updated by Jim Pingle about 2 months ago

  • Subject changed from zabbix_proxy 6: Certain certificates cannot be selected. to Zabbix Proxy only allows selecting RSA certificates

The package code appears to limit selection to RSA certificate types only, so it wouldn't allow selecting ECDSA certificates. It's likely at the time that code was added they were not fully supported.
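
To see which entries an RSA-only check like the one described in this thread would hide, the following added PHP example (not the package's code and not posted by either participant) classifies certificate entries by private key type. The sample entries are constructed, `make_sample_prv()` and `key_type_label()` are hypothetical helper names, and the listed/hidden column assumes the list is being built for `$type == 'cert'`.

```php
<?php
// Added diagnostic example (not pfSense package code). $config below is
// constructed sample data shaped like the entries the thread describes:
// 'refid', 'descr', and a base64-encoded PEM private key in 'prv'.

// Hypothetical helper: generate a throwaway key and return base64(PEM),
// the encoding the package code decodes with base64_decode().
function make_sample_prv(array $opts): string {
    $key = openssl_pkey_new($opts);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($key, $pem);
    return base64_encode($pem);
}

// Hypothetical helper: report the key type an RSA-only filter would see.
function key_type_label(array $c): string {
    if (empty($c['prv'])) {
        return 'no private key';
    }
    $res_key = openssl_pkey_get_private(base64_decode($c['prv']));
    if ($res_key === false) {
        return 'unreadable key';   // guard against a failed parse
    }
    $details = openssl_pkey_get_details($res_key);
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA: return 'RSA (' . $details['bits'] . ' bit)';
        case OPENSSL_KEYTYPE_EC:  return 'EC (' . $details['ec']['curve_name'] . ')';
        default:                  return 'other (type ' . $details['type'] . ')';
    }
}

$config = ['cert' => [
    ['refid' => 'sample-rsa', 'descr' => 'constructed RSA cert',
     'prv' => make_sample_prv(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048])],
    ['refid' => 'sample-ec', 'descr' => 'constructed ECDSA cert',
     'prv' => make_sample_prv(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'])],
    ['refid' => 'sample-nokey', 'descr' => 'constructed cert without key', 'prv' => ''],
]];

foreach ($config['cert'] as $c) {
    $label = key_type_label($c);
    // An RSA-only check lists the entry only when the key type is RSA.
    $shown = (strpos($label, 'RSA') === 0) ? 'listed' : 'hidden';
    printf("%-13s %-29s %-18s %s\n", $c['refid'], $c['descr'], $label, $shown);
}
```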

Actions #2

Updated by npr . about 1 month ago

I found out the same thing. The following diff to /usr/local/pkg/zabbix-proxy.inc should fix things:


@@ -310,15 +310,7 @@
         $c_arr[] = array('refid' => 'none', 'descr' => 'none (auto)');
         if (isset($config[$type]) && is_array($config[$type])) {
                 foreach ($config[$type] as $c) {
-                        if (!empty($c['prv'])) {
-                                $res_key = openssl_pkey_get_private(base64_decode($c['prv']));
-                                $key_details = openssl_pkey_get_details($res_key);
-                                if ($key_details['type'] == OPENSSL_KEYTYPE_RSA) {
-                                        $c_arr[] = $c;
-                                }
-                        } elseif ($type == 'ca') {
-                                $c_arr[] = $c;
-                        }
+                        $c_arr[] = $c;
                 }
         }
         return $c_arr;
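
Review bot: The unconditional `$c_arr[] = $c;` in the foreach drops the `!empty($c['prv'])` test along with the RSA check, so for a non-'ca' `$type` entries without a private key now appear in the list, which the removed code never added. Keeping the `!empty($c['prv'])` / `elseif ($type == 'ca')` structure and removing only the `$key_details['type'] == OPENSSL_KEYTYPE_RSA` comparison would allow ECDSA keys without widening the list further. If a key-type check is kept in any form, the result of `openssl_pkey_get_private()` should be tested for `false` before it is passed to `openssl_pkey_get_details()`, which the removed lines did not do.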
