Generate the PSK string
openssl rand -hex 32 > ssl/zabbix_agentd.psk
chown zabbix:zabbix ssl/zabbix_agentd.psk
Configure agentd
TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/etc/zabbix/ssl/zabbix_agentd.psk
# PSK identity
TLSPSKIdentity=zab_psk_agent
Configure the web frontend
zabbix_get usage:
zabbix_get -s 192.168.31.129 -p 32050 -k"system.cpu.load[all,avg1]" --tls-connect=psk --tls-psk-identity="zab_psk_agent" --tls-psk-file=/etc/zabbix/ssl/zabbix_agentd.psk
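An added check for the PSK file generated above (not part of the original post): it verifies that the key is a hex string within the length range given in the Zabbix documentation (32 to 512 hex digits) and that the file is not accessible to group or other. The function name check_psk_file is hypothetical, the sample key is constructed, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: sanity-check a Zabbix PSK file before pointing TLSPSKFile at it.
# Return codes: 0 ok, 1 unreadable, 2 not hex, 3 bad length, 4 permissions too open.

check_psk_file() {
    local f psk len mode
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }

    # Take the first line of the file as the key, without the line ending.
    psk=$(head -n 1 "$f" | tr -d '\r\n')
    len=${#psk}

    case $psk in
        ''|*[!0-9a-fA-F]*) echo "not a hex string: $f"; return 2 ;;
    esac

    # Assumed limits: 128-bit minimum (32 hex digits), 2048-bit maximum (512).
    if [ "$len" -lt 32 ] || [ "$len" -gt 512 ] || [ $((len % 2)) -ne 0 ]; then
        echo "bad length: $len hex digits"; return 3
    fi

    # Any group/other permission bit exposes the shared secret to other users.
    mode=$(stat -c '%a' "$f")
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "too permissive: mode $mode (use chmod 600)"; return 4
    fi

    echo "ok: $((len * 4))-bit PSK, mode $mode"
}

# Pass a path to check a real file; otherwise run on a constructed sample key.
if [ -n "${1:-}" ]; then
    check_psk_file "$1"
else
    demo=$(mktemp)
    echo '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' > "$demo"
    chmod 600 "$demo"
    check_psk_file "$demo"
    rm -f "$demo"
fi
```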
The certificates must all be signed by the same CA; for the procedure, see: https://www.cnblogs.com/wshenjin/p/12519455.html
Configure agentd
TLSConnect=cert
TLSAccept=cert
TLSCAFile=/etc/zabbix/ssl/cacert.pem
TLSCertFile=/etc/zabbix/ssl/zabbix_agentd.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix_agentd.key
Configure server
TLSCAFile=/etc/zabbix/ssl/cacert.pem
TLSCertFile=/etc/zabbix/ssl/zabbix_server.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix_server.key
Configure the web frontend
View the subject and other fields of the certificates in reverse order:
# openssl x509 -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in zabbix_agentd.crt
issuer= emailAddress=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
subject= emailAddress=root@zabbix.com,CN=zabbix agentd,OU=zabbix agentd,O=linux company,ST=GuangDong,C=CN
# openssl x509 -noout -issuer -subject -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname -in zabbix_server.crt
issuer= emailAddress=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
subject= emailAddress=root@zabbix.com,CN=zabbix server,OU=zabbix server,O=linux company,ST=GuangDong,C=CN
https://www.zabbix.com/documentation/3.4/zh/manual/encryption/using_certificates
https://blog.csdn.net/clm_sky/article/details/90574779
Original: https://www.cnblogs.com/wshenjin/p/12884622.html