The connection between Zabbix frontend and PostgreSQL cannot be encrypted (the parameters in the GUI are disabled) if the value of the Database host field begins with a slash or the field is empty.

    Since Zabbix 5.0.5, the TLS encryption parameter names in the frontend have changed slightly: for better clarity, the “Database” prefix has been added. In versions 5.0.0-5.0.4 the parameters are named TLS encryption, TLS certificate file, etc.

    Install the PostgreSQL database using the .

    PostgreSQL is not configured to accept TLS connections out-of-the-box. Please follow the instructions in the PostgreSQL documentation for certificate preparation with postgresql.conf and for access control through pg_hba.conf.

    By default, the PostgreSQL socket is bound to localhost; to accept remote network connections, allow it to listen on the real network interface.

    PostgreSQL settings for all modes can look like this:

    /var/lib/pgsql/13/data/postgresql.conf:

    For access control adjust /var/lib/pgsql/13/data/pg_hba.conf:

        ### require
        hostssl all all 0.0.0.0/0 md5

        ### verify CA
        hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca

        ### verify full
        ...
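
    A check a defender can run against the access-control file described above, as an added example that is not part of the Zabbix documentation: a `host` rule matches both TLS and non-TLS connections, so one left in pg_hba.conf keeps plaintext access open beside the hostssl rules. The sample file is constructed, the function names are hypothetical, and only the clientcert values shown on this page are recognized.

```python
# Added example: audit pg_hba.conf for rules that still admit unencrypted TCP.
# SAMPLE_PG_HBA is constructed; its "host ... 127.0.0.1/32" rule is an assumption.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER    ADDRESS       METHOD
local   all       all                   peer
host    all       all     127.0.0.1/32  md5
hostssl all       all     0.0.0.0/0     md5
hostssl all       all     0.0.0.0/0     md5 clientcert=verify-ca
hostssl zabbix    zabbix  10.0.0.0/24   md5 clientcert=verify-full
"""

CLIENTCERT_LEVELS = {"verify-ca": "tls+client-cert-ca",
                     "verify-full": "tls+client-cert-full"}

def classify_rule(line):
    """Return (connection_type, tls_level) for one rule, None for blanks/comments."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        return conn_type, "unix-socket"        # Unix sockets never use TLS
    if conn_type in ("host", "hostnossl"):
        return conn_type, "plaintext-allowed"  # "host" matches TLS and non-TLS
    if conn_type == "hostssl":
        # auth options are name=value tokens that follow the method
        options = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        level = CLIENTCERT_LEVELS.get(options.get("clientcert"), "tls-only")
        return conn_type, level
    return conn_type, "not-assessed"           # include lines, hostgssenc, ...

def audit(text):
    """Return {'levels': [(lineno, level)], 'plaintext': [lineno, ...]}."""
    levels, plaintext = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = classify_rule(line)
        if rule is None:
            continue
        levels.append((lineno, rule[1]))
        if rule[1] == "plaintext-allowed":
            plaintext.append(lineno)
    return {"levels": levels, "plaintext": plaintext}

if __name__ == "__main__":
    print(audit(SAMPLE_PG_HBA))
```

    An empty "plaintext" list means every TCP rule in the file requires TLS; any line number listed there is a rule to change to hostssl or remove.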

    Frontend

    • Check Database TLS encryption

    • Leave Verify database certificate unchecked

    Server

    To enable transport-only encryption for connections between server and the database, configure /etc/zabbix/zabbix_server.conf:

    Frontend

    To enable encryption with certificate authority verification for connections between Zabbix frontend and the database:

    • Check Database TLS encryption and Verify database certificate

    • Specify path to Database TLS key file

    • Specify path to Database TLS CA file

    • Specify path to Database TLS certificate file

        ...
        $DB['ENCRYPTION'] = true;
        $DB['KEY_FILE'] = '';
        $DB['CERT_FILE'] = '';
        // CA file used to verify the database server certificate
        $DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
        $DB['VERIFY_HOST'] = false;
        ...

    Server

    To enable encryption with certificate verification for connections between Zabbix server and the database, configure /etc/zabbix/zabbix_server.conf:

    Frontend

    To enable encryption with certificate and database host identity verification for connections between Zabbix frontend and the database:

    • Check Database TLS encryption and Verify database certificate

    • Specify path to Database TLS key file

    • Specify path to Database TLS CA file

    • Specify path to Database TLS certificate file

    • Check Database host verification

    Alternatively, this can be set in /etc/zabbix/web/zabbix.conf.php:

        $DB['ENCRYPTION'] = true;
        $DB['KEY_FILE'] = '';
        $DB['CERT_FILE'] = '';
        $DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
        $DB['VERIFY_HOST'] = true;
        $DB['CIPHER_LIST'] = '';

    Server