Secure your Zabbix 7 monitoring infrastructure with SSL certificates for the web interface, encrypted database connections, and TLS-protected agent communication. Essential for production monitoring environments.
Prerequisites
- Zabbix 7 server installed
- Apache web server running
- MySQL or PostgreSQL database
- Root or sudo access
What this solves
Zabbix 7 monitors your infrastructure but transmits sensitive data like credentials, performance metrics, and system information. This tutorial secures all communication channels with SSL/TLS encryption, protecting your monitoring data from interception and ensuring compliance with security standards.
Step-by-step configuration
Update system packages
Start by updating your package manager to ensure you have the latest security patches.
sudo apt update && sudo apt upgrade -y
Install SSL certificate tools
Install OpenSSL and certificate management tools for generating and managing SSL certificates.
sudo apt install -y openssl ca-certificates
Create SSL certificate directory
Create a dedicated directory for Zabbix SSL certificates with proper ownership and permissions.
sudo mkdir -p /etc/zabbix/ssl
sudo chown zabbix:zabbix /etc/zabbix/ssl
sudo chmod 750 /etc/zabbix/ssl
Generate SSL certificates for web interface
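Create a self-signed SSL certificate for the Zabbix web interface. The subjectAltName extension is included because current browsers and TLS clients match the host name against it rather than against the CN. For production, replace with certificates from a trusted CA.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
-keyout /etc/zabbix/ssl/zabbix-web.key \
-out /etc/zabbix/ssl/zabbix-web.crt \
-subj "/C=US/ST=State/L=City/O=Organization/CN=zabbix.example.com" \
-addext "subjectAltName=DNS:zabbix.example.com"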
Set SSL certificate permissions
Configure proper ownership and permissions for the SSL certificates to ensure security while allowing Zabbix services to access them.
sudo chown zabbix:zabbix /etc/zabbix/ssl/zabbix-web.*
sudo chmod 600 /etc/zabbix/ssl/zabbix-web.key
sudo chmod 644 /etc/zabbix/ssl/zabbix-web.crt
Configure Apache SSL for Zabbix web interface
Enable the Apache modules the virtual host needs: ssl for HTTPS, rewrite, and headers for the Header directives in the security headers section of the virtual host.
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod headers
Create Apache SSL virtual host configuration
Create a secure Apache virtual host configuration that enables HTTPS and redirects HTTP traffic to HTTPS. Save it as /etc/apache2/sites-available/zabbix-ssl.conf, the site name enabled in the next step.
<VirtualHost *:80>
    ServerName zabbix.example.com
    Redirect permanent / https://zabbix.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName zabbix.example.com
    DocumentRoot /usr/share/zabbix
    SSLEngine on
    SSLCertificateFile /etc/zabbix/ssl/zabbix-web.crt
    SSLCertificateKeyFile /etc/zabbix/ssl/zabbix-web.key
    # Modern SSL configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    # Security headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    <Directory "/usr/share/zabbix">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
        php_value max_execution_time 300
        php_value memory_limit 128M
        php_value post_max_size 16M
        php_value upload_max_filesize 2M
        php_value max_input_time 300
        php_value max_input_vars 10000
        php_value always_populate_raw_post_data -1
        php_value date.timezone Europe/London
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/zabbix_ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/zabbix_ssl_access.log combined
</VirtualHost>
Enable the SSL virtual host
Enable the new SSL virtual host and restart Apache to apply the SSL configuration.
sudo a2ensite zabbix-ssl
sudo a2dissite 000-default
sudo systemctl restart apache2
Configure database SSL encryption
Generate SSL certificates for MySQL/PostgreSQL database connections to encrypt data in transit between Zabbix server and database.
sudo mkdir -p /etc/zabbix/ssl/db
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
-keyout /etc/zabbix/ssl/db/client-key.pem \
-out /etc/zabbix/ssl/db/client-cert.pem \
-subj "/C=US/ST=State/L=City/O=Organization/CN=zabbix-db-client"
sudo chown -R zabbix:zabbix /etc/zabbix/ssl/db
sudo chmod 600 /etc/zabbix/ssl/db/client-key.pem
sudo chmod 644 /etc/zabbix/ssl/db/client-cert.pem
Configure Zabbix server database SSL connection
Modify the Zabbix server configuration to use SSL for database connections, ensuring all database traffic is encrypted.
# Database SSL configuration
DBTLSConnect=required
DBTLSCertFile=/etc/zabbix/ssl/db/client-cert.pem
DBTLSKeyFile=/etc/zabbix/ssl/db/client-key.pem
DBTLSCAFile=/etc/zabbix/ssl/db/ca-cert.pem
# Existing database configuration
DBHost=localhost
DBName=zabbix
DBUser=zabbix
DBPassword=your_secure_password
# Server SSL configuration for agent communication
TLSCertFile=/etc/zabbix/ssl/zabbix-server.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix-server.key
TLSCAFile=/etc/zabbix/ssl/ca.crt
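A configuration like the one above only works if every referenced file exists and the private keys are not readable by other accounts; the DBTLSCAFile path, for instance, is not created by any command on this page. The following is an added example, not part of the original tutorial, that audits the TLS file parameters of a Zabbix config; the function names are hypothetical, the sample config is constructed in a temporary directory, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit the TLS file parameters in a Zabbix server or agent config.

# Print one finding per problem; return 1 if anything was found, 0 otherwise.
check_tls_files() {
  local conf="$1" rc=0 param path mode
  while IFS='=' read -r param path || [ -n "$param" ]; do
    case "$param" in
      TLSCAFile|TLSCertFile|TLSKeyFile|DBTLSCAFile|DBTLSCertFile|DBTLSKeyFile) ;;
      *) continue ;;                       # comments and unrelated parameters
    esac
    if [ ! -f "$path" ]; then
      echo "MISSING $param=$path"; rc=1
    elif [ "${param%KeyFile}" != "$param" ]; then
      mode=$(stat -c '%a' "$path")         # GNU stat, octal mode such as 600
      case "$mode" in
        [0-7]00) ;;                        # owner-only access
        *) echo "LOOSE_KEY $param=$path mode=$mode"; rc=1 ;;
      esac
    fi
  done < "$conf"
  return "$rc"
}

# Constructed sample: a config laid out like the one above, in a temp directory,
# where the CA file was never created and the key was left world-readable.
make_sample() {
  local d; d=$(mktemp -d)
  touch "$d/client-cert.pem" "$d/client-key.pem"
  chmod 644 "$d/client-key.pem"
  cat > "$d/zabbix_server.conf" <<EOF
# Database SSL configuration
DBTLSConnect=required
DBTLSCertFile=$d/client-cert.pem
DBTLSKeyFile=$d/client-key.pem
DBTLSCAFile=$d/ca-cert.pem
EOF
  echo "$d/zabbix_server.conf"
}

sample=$(make_sample)
check_tls_files "$sample" || echo "findings in $sample"
```

On a real host, call `check_tls_files /etc/zabbix/zabbix_server.conf` as root before restarting the service.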
Generate certificates for agent communication
Create SSL certificates for secure communication between Zabbix server and agents using TLS encryption.
# Create CA certificate
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
-keyout /etc/zabbix/ssl/ca.key \
-out /etc/zabbix/ssl/ca.crt \
-subj "/C=US/ST=State/L=City/O=Organization/CN=Zabbix-CA"
# Create server certificate
sudo openssl req -nodes -newkey rsa:4096 \
-keyout /etc/zabbix/ssl/zabbix-server.key \
-out /etc/zabbix/ssl/zabbix-server.csr \
-subj "/C=US/ST=State/L=City/O=Organization/CN=zabbix-server"
sudo openssl x509 -req -days 365 \
-in /etc/zabbix/ssl/zabbix-server.csr \
-CA /etc/zabbix/ssl/ca.crt \
-CAkey /etc/zabbix/ssl/ca.key \
-CAcreateserial \
-out /etc/zabbix/ssl/zabbix-server.crt
# Set permissions
sudo chown zabbix:zabbix /etc/zabbix/ssl/zabbix-server.*
# The Zabbix services only read ca.crt; keep the CA signing key root-owned
sudo chown zabbix:zabbix /etc/zabbix/ssl/ca.crt
sudo chown root:root /etc/zabbix/ssl/ca.key
sudo chmod 600 /etc/zabbix/ssl/zabbix-server.key
sudo chmod 600 /etc/zabbix/ssl/ca.key
sudo chmod 644 /etc/zabbix/ssl/zabbix-server.crt
sudo chmod 644 /etc/zabbix/ssl/ca.crt
Configure Zabbix agent SSL communication
Generate agent certificates and configure the Zabbix agent to use TLS for secure communication with the server.
# Generate agent certificate
sudo openssl req -nodes -newkey rsa:4096 \
-keyout /etc/zabbix/ssl/zabbix-agent.key \
-out /etc/zabbix/ssl/zabbix-agent.csr \
-subj "/C=US/ST=State/L=City/O=Organization/CN=zabbix-agent"
sudo openssl x509 -req -days 365 \
-in /etc/zabbix/ssl/zabbix-agent.csr \
-CA /etc/zabbix/ssl/ca.crt \
-CAkey /etc/zabbix/ssl/ca.key \
-CAcreateserial \
-out /etc/zabbix/ssl/zabbix-agent.crt
sudo chown zabbix:zabbix /etc/zabbix/ssl/zabbix-agent.*
sudo chmod 600 /etc/zabbix/ssl/zabbix-agent.key
sudo chmod 644 /etc/zabbix/ssl/zabbix-agent.crt
Update Zabbix agent configuration
Configure the Zabbix agent to use SSL certificates for encrypted communication with the Zabbix server.
# Server configuration
Server=203.0.113.10
ServerActive=203.0.113.10
Hostname=zabbix-agent-01
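# TLS configuration
TLSConnect=cert
TLSAccept=cert
TLSCertFile=/etc/zabbix/ssl/zabbix-agent.crt
TLSKeyFile=/etc/zabbix/ssl/zabbix-agent.key
TLSCAFile=/etc/zabbix/ssl/ca.crt
# Issuer and subject are compared as exact strings against the full DN of the server certificate
TLSServerCertIssuer=CN=Zabbix-CA,O=Organization,L=City,ST=State,C=US
TLSServerCertSubject=CN=zabbix-server,O=Organization,L=City,ST=State,C=US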
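Zabbix compares TLSServerCertIssuer and TLSServerCertSubject as exact strings against the certificate's full distinguished name, so the safest way to fill them in is to print them from the certificate itself. The following is an added example, not part of the original tutorial; the function names are hypothetical and the throwaway CA and server certificate are constructed in a temporary directory with the same -subj values used above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): print the exact strings that
# TLSServerCertIssuer / TLSServerCertSubject must contain, and check a config.

# Subject or issuer as an RFC 2253-style string: most specific attribute
# first, comma-separated, no spaces.
cert_dn() {   # usage: cert_dn subject|issuer <cert.pem>
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed -E "s/^$1= ?//"
}

# Compare one pinned value in an agent config with the certificate.
check_pin() { # usage: check_pin <agent.conf> <parameter> subject|issuer <cert.pem>
  local want have
  want=$(sed -n "s/^$2=//p" "$1")
  have=$(cert_dn "$3" "$4")
  if [ "$want" = "$have" ]; then echo "OK $2"; return 0; fi
  echo "MISMATCH $2: config='$want' certificate='$have'"; return 1
}

# Constructed sample: throwaway CA and server certificate in a temp directory
# (2048-bit keys and 1-day validity to keep the demonstration quick).
make_sample_pki() {
  local d; d=$(mktemp -d)
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
    -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=Zabbix-CA" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=zabbix-server" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/server.crt" 2>/dev/null
  echo "$d"
}

pki=$(make_sample_pki)
printf 'TLSServerCertIssuer=%s\n'  "$(cert_dn issuer  "$pki/server.crt")"
printf 'TLSServerCertSubject=%s\n' "$(cert_dn subject "$pki/server.crt")"
```

Against the real files, `check_pin /etc/zabbix/zabbix_agentd.conf TLSServerCertSubject subject /etc/zabbix/ssl/zabbix-server.crt` reports a mismatch before the agent does; the agent config path here is an assumption, adjust it to your installation.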
Configure firewall rules for HTTPS
Open the necessary firewall ports for HTTPS web interface and secure Zabbix agent communication.
sudo ufw allow 443/tcp comment 'Zabbix HTTPS'
sudo ufw allow 10051/tcp comment 'Zabbix Server'
sudo ufw reload
Restart Zabbix services
Restart all Zabbix services to apply the SSL configuration and enable encrypted communication.
sudo systemctl restart zabbix-server
sudo systemctl restart zabbix-agent
sudo systemctl status zabbix-server
sudo systemctl status zabbix-agent
Verify your setup
Test that SSL encryption is working correctly for all Zabbix components.
# Test HTTPS web interface
curl -k https://zabbix.example.com
# Check SSL certificate
openssl s_client -connect zabbix.example.com:443 -servername zabbix.example.com
# Verify Zabbix server SSL configuration
sudo zabbix_server -R config_cache_reload
# Check agent TLS communication
zabbix_get -s 127.0.0.1 -p 10050 -k "system.uname" --tls-connect=cert \
--tls-ca-file=/etc/zabbix/ssl/ca.crt \
--tls-cert-file=/etc/zabbix/ssl/zabbix-server.crt \
--tls-key-file=/etc/zabbix/ssl/zabbix-server.key
# Check service status
sudo systemctl status zabbix-server zabbix-agent apache2
Configure web interface SSL settings
Update Zabbix web configuration
Configure the Zabbix web interface to use HTTPS and secure session handling.
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| SSL certificate errors in browser | Self-signed certificate not trusted | Add certificate to browser trust store or use CA-signed certificate |
| Zabbix server cannot connect to database | Database SSL not configured properly | Verify DBTLSConnect settings and certificate paths in server config |
| Agent communication fails with TLS errors | Certificate subject/issuer mismatch | Check TLSServerCertSubject and TLSServerCertIssuer match certificate values |
| Apache fails to start after SSL config | SSL certificate permission issues | Verify certificate ownership: chown www-data:www-data /etc/zabbix/ssl/zabbix-web.* |
| Zabbix web interface shows database connection error | PHP cannot access database certificates | Set proper ownership: chown www-data:zabbix /etc/zabbix/ssl/db/* |
Security hardening
Additional security measures to further protect your Zabbix installation.
Configure session security
Enhance web interface session security with secure cookies and session timeout.
; Session security
session.cookie_secure = On
session.cookie_httponly = On
session.cookie_samesite = Strict
session.use_strict_mode = On
; Disable potentially dangerous functions
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
; Hide PHP version
expose_php = Off
Set up log monitoring
Configure log monitoring to detect SSL-related issues and security events.
sudo mkdir -p /var/log/zabbix/ssl
sudo chown zabbix:zabbix /var/log/zabbix/ssl
sudo chmod 750 /var/log/zabbix/ssl
# Add to zabbix_server.conf
echo "LogFile=/var/log/zabbix/ssl/zabbix_server.log" | sudo tee -a /etc/zabbix/zabbix_server.conf
echo "LogFileSize=10" | sudo tee -a /etc/zabbix/zabbix_server.conf
You now have a fully encrypted Zabbix 7 monitoring setup with SSL-protected web interface, encrypted database connections, and secure agent communication. This configuration is now compatible with the comprehensive alerting setup covered in our Zabbix alerting tutorial, and can be extended with distributed monitoring using our Zabbix proxy configuration guide.
Next steps
- Automate Zabbix configuration with API scripts
- Scale monitoring with Zabbix proxy servers
- Configure LDAP authentication for enterprise users
- Implement encrypted backup automation for Zabbix
Automated install script
Run this to automate the entire setup
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Default values
DOMAIN="${1:-zabbix.$(hostname -f 2>/dev/null || echo 'localhost')}"
ORGANIZATION="${2:-Organization}"
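SSL_DIR="/etc/zabbix/ssl"
# Remember whether the certificate directory already existed, so a failed run
# never deletes certificates and keys that were there before this script ran
SSL_DIR_PREEXISTING=0
if [ -d "$SSL_DIR" ]; then SSL_DIR_PREEXISTING=1; fi
# Usage function
usage() {
echo "Usage: $0 [domain] [organization]"
echo "Example: $0 zabbix.example.com 'My Company'"
exit 1
}
# Logging functions
log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# Cleanup function
cleanup() {
log_error "Script failed. Check the logs above."
if [ -d "$SSL_DIR" ] && [ "$SSL_DIR_PREEXISTING" -eq 0 ]; then
log_warn "Cleaning up SSL directory..."
rm -rf "$SSL_DIR"
fi
}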
# Set trap for cleanup on error
trap cleanup ERR
# Check if running as root or with sudo
if [[ $EUID -ne 0 ]]; then
log_error "This script must be run as root or with sudo"
exit 1
fi
# Detect distribution
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_UPDATE="apt update && apt upgrade -y"
PKG_INSTALL="apt install -y"
WEB_SERVER="apache2"
WEB_CONFIG_DIR="/etc/apache2/sites-available"
WEB_CONFIG_ENABLE="a2ensite"
WEB_CONFIG_DISABLE="a2dissite"
WEB_MODULE_ENABLE="a2enmod"
LOG_DIR="/var/log/apache2"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_UPDATE="dnf update -y"
PKG_INSTALL="dnf install -y"
WEB_SERVER="httpd"
WEB_CONFIG_DIR="/etc/httpd/conf.d"
LOG_DIR="/var/log/httpd"
;;
amzn)
PKG_MGR="yum"
PKG_UPDATE="yum update -y"
PKG_INSTALL="yum install -y"
WEB_SERVER="httpd"
WEB_CONFIG_DIR="/etc/httpd/conf.d"
LOG_DIR="/var/log/httpd"
;;
*)
log_error "Unsupported distribution: $ID"
exit 1
;;
esac
else
log_error "Cannot detect distribution. /etc/os-release not found."
exit 1
fi
log_info "Detected distribution: $ID"
log_info "Configuring Zabbix SSL for domain: $DOMAIN"
echo "[1/10] Updating system packages..."
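# PKG_UPDATE is a fixed string set above and may contain '&&'; plain expansion
# would pass '&&' to the package manager as an argument, so evaluate it instead
eval "$PKG_UPDATE"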
echo "[2/10] Installing SSL certificate tools..."
$PKG_INSTALL openssl ca-certificates
echo "[3/10] Installing web server and SSL modules..."
if [ "$PKG_MGR" = "apt" ]; then
$PKG_INSTALL apache2
$WEB_MODULE_ENABLE ssl
$WEB_MODULE_ENABLE rewrite
$WEB_MODULE_ENABLE headers
else
$PKG_INSTALL httpd mod_ssl
fi
echo "[4/10] Creating SSL certificate directory..."
mkdir -p "$SSL_DIR"
# Check if zabbix user exists, create if not
if ! id "zabbix" &>/dev/null; then
log_warn "Zabbix user not found. Creating zabbix user..."
useradd -r -s /sbin/nologin zabbix
fi
chown zabbix:zabbix "$SSL_DIR"
chmod 750 "$SSL_DIR"
echo "[5/10] Generating SSL certificates..."
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
-keyout "$SSL_DIR/zabbix-web.key" \
-out "$SSL_DIR/zabbix-web.crt" \
-subj "/C=US/ST=State/L=City/O=$ORGANIZATION/CN=$DOMAIN"
echo "[6/10] Setting SSL certificate permissions..."
chown zabbix:zabbix "$SSL_DIR"/zabbix-web.*
chmod 600 "$SSL_DIR/zabbix-web.key"
chmod 644 "$SSL_DIR/zabbix-web.crt"
echo "[7/10] Creating Apache SSL virtual host configuration..."
if [ "$PKG_MGR" = "apt" ]; then
# Debian/Ubuntu configuration
cat > "$WEB_CONFIG_DIR/zabbix-ssl.conf" << EOF
<VirtualHost *:80>
ServerName $DOMAIN
Redirect permanent / https://$DOMAIN/
</VirtualHost>
<VirtualHost *:443>
ServerName $DOMAIN
DocumentRoot /usr/share/zabbix
SSLEngine on
SSLCertificateFile $SSL_DIR/zabbix-web.crt
SSLCertificateKeyFile $SSL_DIR/zabbix-web.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
<Directory "/usr/share/zabbix">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog $LOG_DIR/zabbix_ssl_error.log
CustomLog $LOG_DIR/zabbix_ssl_access.log combined
</VirtualHost>
EOF
else
# RHEL/CentOS configuration
cat > "$WEB_CONFIG_DIR/zabbix-ssl.conf" << EOF
<VirtualHost *:80>
ServerName $DOMAIN
Redirect permanent / https://$DOMAIN/
</VirtualHost>
<VirtualHost *:443>
ServerName $DOMAIN
DocumentRoot /usr/share/zabbix
SSLEngine on
SSLCertificateFile $SSL_DIR/zabbix-web.crt
SSLCertificateKeyFile $SSL_DIR/zabbix-web.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
<Directory "/usr/share/zabbix">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog $LOG_DIR/zabbix_ssl_error.log
CustomLog $LOG_DIR/zabbix_ssl_access.log combined
</VirtualHost>
EOF
fi
echo "[8/10] Configuring web server..."
if [ "$PKG_MGR" = "apt" ]; then
$WEB_CONFIG_ENABLE zabbix-ssl
if [ -f "$WEB_CONFIG_DIR/000-default.conf" ]; then
$WEB_CONFIG_DISABLE 000-default || true
fi
fi
echo "[9/10] Configuring firewall..."
if command -v ufw >/dev/null 2>&1; then
ufw allow 80/tcp
ufw allow 443/tcp
elif command -v firewall-cmd >/dev/null 2>&1; then
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
fi
echo "[10/10] Starting and enabling web server..."
systemctl enable "$WEB_SERVER"
systemctl restart "$WEB_SERVER"
# Verification checks
echo "Verifying configuration..."
if systemctl is-active --quiet "$WEB_SERVER"; then
log_info "Web server is running"
else
log_error "Web server failed to start"
exit 1
fi
if [ -f "$SSL_DIR/zabbix-web.crt" ] && [ -f "$SSL_DIR/zabbix-web.key" ]; then
log_info "SSL certificates created successfully"
else
log_error "SSL certificates not found"
exit 1
fi
log_info "Zabbix SSL configuration completed successfully!"
log_info "Access your Zabbix installation at: https://$DOMAIN"
log_warn "Note: You're using a self-signed certificate. For production, replace with a trusted CA certificate."
Review the script before running. Execute with: bash install.sh