Istanbul/Turkey

2. Setting Up SSL on Zabbix (Apache) - Ubuntu 18.04

In this post, I am going to set up HTTPS access on Zabbix Server.

IMPORTANT NOTE: I experienced that if I export my certificate files (certificate.crt file as primary.crt), keep them somewhere for a while, and then import those certificate files on my server to be used with Apache, they cause the Apache service to FAIL just after I run the "a2enmod ssl" command. So export your certificates again every time you need certs on new Apache servers.

 

In my case, I have a pfx certificate that I got from GlobalSign, and I need to convert this certificate to crt and get the private key out of it in order to use them in the Apache SSL setup.

I am using OpenSSL and run the following 3 openssl commands to get the certificate files that I need:

 

Run the following command to export the private key: (This will generate key.pem)

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

Run the following command to remove the passphrase from the private key: (This will generate server.key)

openssl rsa -in key.pem -out server.key

Run the following command to convert the pfx certificate file to crt: (This will generate certificate.crt)

openssl pkcs12 -in certname.pfx -clcerts -nokeys -out certificate.crt

 

Rename the server.key file to private.key and rename the certificate.crt file to primary.crt.

Copy these 2 files to the Apache server. You can use WinSCP to copy these files from Windows to Linux. The files will be copied to the /home/linuxuser folder.

 

Create a folder for your certificates and set permission 700 on that folder:

mkdir -p /etc/apache2/ssl

chmod 700 /etc/apache2/ssl

 

Copy your primary.crt and private.key to the /etc/apache2/ssl folder:

cp /home/zabbixadm/primary.crt /etc/apache2/ssl

cp /home/zabbixadm/private.key /etc/apache2/ssl

 

 

Edit your /etc/hosts file and add your website's address:

nano /etc/hosts

x.x.x.x     yourwebsite.com

 

 

Modify Default SSL config:

nano /etc/apache2/sites-available/default-ssl.conf

--------------------------------------------

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName zabbix.yourdomain.com
                ServerAlias zabbix.yourdomain.com
                DocumentRoot /var/www/html

                SSLEngine on
                SSLCertificateFile      /etc/apache2/ssl/primary.crt
                SSLCertificateKeyFile   /etc/apache2/ssl/private.key
        </VirtualHost>
</IfModule>

--------------------------------------------

 

Check that the config is set correctly:

apache2ctl configtest

 

Enable the default-ssl site:

a2ensite default-ssl

 

Enable the SSL module and restart Apache:

a2enmod ssl

systemctl restart apache2 
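A pre-flight check for the extracted key and certificate, as an added example that is not part of the original post: it confirms that the private key belongs to the certificate, that the certificate has not expired, and that the unencrypted key is readable only by its owner. The function name verify_tls_pair is hypothetical, and the default paths are the ones used in this post.

```bash
# Added example, not from the original post. verify_tls_pair is a
# hypothetical helper name; the default paths are the ones used above.
# Usage (as root): verify_tls_pair && systemctl restart apache2

verify_tls_pair() {
    local crt="${1:-/etc/apache2/ssl/primary.crt}"
    local key="${2:-/etc/apache2/ssl/private.key}"
    local crt_pub key_pub mode

    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $crt is not a readable PEM certificate"; return 1; }

    # Public key derived from the private key. "-passin pass:" makes a
    # still-encrypted key fail here instead of prompting for a passphrase.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: $key is unreadable or still passphrase-protected"; return 1; }

    # Both public keys must be identical, otherwise the pair is mismatched
    # and Apache will not start with SSL enabled.
    [ "$crt_pub" = "$key_pub" ] || {
        echo "FAIL: private key does not match the certificate"; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired"; return 1; }

    # The key is stored unencrypted, so group and others get no access.
    mode=$(stat -c %a "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or stricter"
           return 1 ;;
    esac

    echo "OK: key matches certificate, certificate is valid, key mode $mode"
}
```

If the permission check fails, `chmod 600 /etc/apache2/ssl/private.key` fixes it. The intermediate key.pem and server.key files also hold the unencrypted key and should not be left behind on the workstation.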

 

We just enabled HTTPS access on Apache. If you need to redirect HTTP requests to HTTPS, you can also edit your 000-default.conf file:

nano /etc/apache2/sites-available/000-default.conf

-----------------------------------------------------------

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

-----------------------------------------------------------

And finally, run the command below:

a2enmod rewrite 

 

 

By default we use yourdomain.com/zabbix to access the Zabbix Web GUI. I would like to reach the Zabbix server by typing only the domain name, like yourdomain.com. To do this:

nano /etc/apache2/sites-available/000-default.conf

Change the DocumentRoot from /var/www/html to /usr/share/zabbix.

Then:

nano /etc/apache2/conf-available/zabbix.conf

Comment out the line below:

# Alias /zabbix /usr/share/zabbix

Restart the Apache service:

service apache2 restart 

 

Now everything looks pretty :)
