{"id":294,"date":"2026-04-08T01:11:23","date_gmt":"2026-04-07T23:11:23","guid":{"rendered":"https:\/\/pandack.fr\/?p=294"},"modified":"2026-04-08T01:11:23","modified_gmt":"2026-04-07T23:11:23","slug":"installation-zabbix","status":"publish","type":"post","link":"https:\/\/pandack.fr\/?p=294","title":{"rendered":"Installation-Zabbix"},"content":{"rendered":"<h2>Zabbix 7.2 Installation \u2014 Complete Guide<\/h2>\n<h4>Summary<\/h4>\n<p>Installation of Zabbix Server 7.2 on Ubuntu 24.04 with a remote MariaDB database (10.10.20.40), HTTPS access via an FSEC-CA certificate, and LDAPS authentication against Active Directory (fsec.lan).<\/p>\n<h2>1. Prerequisites<\/h2>\n<table>\n<thead>\n<tr>\n<th>Component<\/th>\n<th>Details<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VM<\/td>\n<td>Ubuntu 24.04 LTS \u2014 10.10.20.31<\/td>\n<\/tr>\n<tr>\n<td>Database<\/td>\n<td>Remote MariaDB \u2014 10.10.20.40<\/td>\n<\/tr>\n<tr>\n<td>AD domain<\/td>\n<td>fsec.lan (DC01 = 10.10.20.10)<\/td>\n<\/tr>\n<tr>\n<td>PKI<\/td>\n<td>FSEC-CA (AD CS on DC01)<\/td>\n<\/tr>\n<tr>\n<td>DNS<\/td>\n<td>zabbix.fsec.lan \u2192 10.10.20.31<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>2. Installing the Zabbix packages<\/h2>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Add the Zabbix 7.2 repository\nwget https:\/\/repo.zabbix.com\/zabbix\/7.2\/release\/ubuntu\/pool\/main\/z\/zabbix-release\/zabbix-release_latest_7.2+ubuntu24.04_all.deb\ndpkg -i zabbix-release_latest_7.2+ubuntu24.04_all.deb\napt update\n\n# Install Zabbix Server, Frontend and Agent\napt install -y zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent2<\/code><\/pre>\n<\/div>\n<h2>3. 
Prepare the MariaDB database (on 10.10.20.40)<\/h2>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">sql<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-sql\">-- Connect to MariaDB first, from the shell: mysql -u root -p\n\n-- Create the database and the user\nCREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;\nCREATE USER &#039;zabbix&#039;@&#039;10.10.20.31&#039; IDENTIFIED BY &#039;MotDePasseZabbix&#039;;\nGRANT ALL PRIVILEGES ON zabbix.* TO &#039;zabbix&#039;@&#039;10.10.20.31&#039;;\n-- Needed for the schema import below (can be set back to 0 once the import is done)\nSET GLOBAL log_bin_trust_function_creators = 1;\nFLUSH PRIVILEGES;<\/code><\/pre>\n<\/div>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># From the Zabbix VM: import the initial schema\nzcat \/usr\/share\/zabbix-sql-scripts\/mysql\/server.sql.gz | mysql --default-character-set=utf8mb4 -uzabbix -p -h 10.10.20.40 zabbix<\/code><\/pre>\n<\/div>\n<h2>4. 
Configure Zabbix Server<\/h2>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">nano \/etc\/zabbix\/zabbix_server.conf<\/code><\/pre>\n<\/div>\n<p>Key lines to edit:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">ini<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-ini\">DBHost=10.10.20.40\nDBName=zabbix\nDBUser=zabbix\nDBPassword=MotDePasseZabbix\nDBPort=3306<\/code><\/pre>\n<\/div>\n<blockquote>\n<p>\u26a0\ufe0f <strong>Important note for Zabbix 7.2<\/strong>: in the web wizard, enter port <code>3306<\/code> explicitly and <strong>leave TLS unchecked<\/strong> for the MariaDB connection.<\/p>\n<\/blockquote>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">systemctl enable --now zabbix-server zabbix-agent2 apache2<\/code><\/pre>\n<\/div>\n<h2>5. Web wizard (initial configuration)<\/h2>\n<p>Go to <code>http:\/\/10.10.20.31\/zabbix<\/code>:<\/p>\n<ol>\n<li>Language \u2192 <strong>French<\/strong><\/li>\n<li>Prerequisite check \u2192 everything must be \u2714<\/li>\n<li>Database: Host <code>10.10.20.40<\/code>, Port <code>3306<\/code>, DB <code>zabbix<\/code>, User <code>zabbix<\/code>, TLS <strong>unchecked<\/strong><\/li>\n<li>Server name \u2192 <code>FSEC-Zabbix<\/code><\/li>\n<li>Timezone \u2192 <code>Europe\/Paris<\/code><\/li>\n<li>Default login: <code>Admin<\/code> \/ <code>zabbix<\/code> \u2192 <strong>change the password immediately<\/strong><\/li>\n<\/ol>\n<h2>6. 
HTTPS certificate (FSEC-CA)<\/h2>\n<h3>Why?<\/h3>\n<p>We want Zabbix to be reached over HTTPS with a certificate signed by our internal certification authority (FSEC-CA on DC01). This is consistent with the rest of the lab (pfSense is also served over HTTPS, on port 8443).<\/p>\n<h3>Step 6.1 \u2014 Generate the private key and the CSR on Zabbix<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Create the directory for the certificates\nmkdir -p \/etc\/ssl\/zabbix\n\n# Generate the private key (2048 bits)\n# This is the server&#039;s secret key; it must NEVER leave this machine\nopenssl genrsa -out \/etc\/ssl\/zabbix\/zabbix.key 2048<\/code><\/pre>\n<\/div>\n<blockquote><p><strong>What is a private key?<\/strong><\/p>\n<p>It is like the key to your house. It decrypts what has been encrypted with the matching public key. 
It stays on the server and is never transmitted.<\/p>\n<\/blockquote>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Create the extensions file with the SAN (Subject Alternative Name)\nnano \/etc\/ssl\/zabbix\/zabbix.ext<\/code><\/pre>\n<\/div>\n<p>Contents of the <code>zabbix.ext<\/code> file:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">ini<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-ini\">[req]\nreq_extensions = v3_req\ndistinguished_name = req_distinguished_name\n\n[req_distinguished_name]\n\n[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = zabbix.fsec.lan\nIP.1 = 10.10.20.31<\/code><\/pre>\n<\/div>\n<blockquote><p><strong>Why the SAN?<\/strong><\/p>\n<p>Modern browsers (Chrome, Edge, Firefox) no longer rely on the CN (Common Name) in the certificate. They require a SAN field that explicitly lists the allowed DNS names and IP addresses. Without a SAN \u2192 <code>NET::ERR_CERT_COMMON_NAME_INVALID<\/code> error.<\/p>\n<\/blockquote>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Generate the CSR (Certificate Signing Request)\nopenssl req -new \\\n  -key \/etc\/ssl\/zabbix\/zabbix.key \\\n  -out \/etc\/ssl\/zabbix\/zabbix.csr \\\n  -subj &quot;\/CN=zabbix.fsec.lan\/O=FSEC\/C=FR&quot; \\\n  -config \/etc\/ssl\/zabbix\/zabbix.ext\n\n# Display the CSR so it can be copied\ncat \/etc\/ssl\/zabbix\/zabbix.csr<\/code><\/pre>\n<\/div>\n<blockquote><p><strong>What is a CSR?<\/strong><\/p>\n<p>It is a signing request. 
It contains the public key plus the identity information (CN, Organization, etc.). It is sent to the certification authority (FSEC-CA), which signs it and issues the final certificate.<\/p>\n<\/blockquote>\n<h3>Step 6.2 \u2014 Sign the CSR with AD CS (on DC01)<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">powershell<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-powershell\"># Enable SAN support in AD CS (one time only)\n# CA-wide setting: the CA then accepts SANs passed as request attributes (the san: attribute used below)\ncertutil -setreg policy\\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2\nRestart-Service certsvc\n\n# Create the CSR file on DC01\nnotepad C:\\Temp\\zabbix.csr\n# \u2192 Paste the content copied from the Zabbix VM\n\n# Sign with FSEC-CA, including the SAN\ncertreq -submit -attrib &quot;CertificateTemplate:WebServer`nsan:dns=zabbix.fsec.lan&amp;ipaddress=10.10.20.31&quot; C:\\Temp\\zabbix.csr C:\\Temp\\zabbix.crt\n# \u2192 Select FSEC-CA if a window opens\n\n# Display the certificate so it can be copied\ntype C:\\Temp\\zabbix.crt<\/code><\/pre>\n<\/div>\n<blockquote><p><strong>What is AD CS?<\/strong><\/p>\n<p>Active Directory Certificate Services \u2014 it is our own internal certification authority (CA). It can sign certificates for every server in the domain. 
Domain machines trust FSEC-CA automatically (via GPO).<\/p>\n<\/blockquote>\n<h3>Step 6.3 \u2014 Install the certificate on Zabbix<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Paste the content of the signed certificate\nnano \/etc\/ssl\/zabbix\/zabbix.crt\n# \u2192 Paste from DC01\n\n# Check that the 3 files are present\nls -la \/etc\/ssl\/zabbix\/\n# zabbix.key  (private key)\n# zabbix.csr  (signing request \u2014 no longer needed, but we keep it)\n# zabbix.crt  (certificate signed by FSEC-CA)\n# zabbix.ext  (SAN config file)<\/code><\/pre>\n<\/div>\n<h3>Step 6.4 \u2014 Configure Apache for HTTPS<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Enable the SSL and rewrite modules\na2enmod ssl rewrite\n\n# Create the HTTPS VirtualHost\nnano \/etc\/apache2\/sites-available\/zabbix-ssl.conf<\/code><\/pre>\n<\/div>\n<p>Contents:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">apache<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-apache\">&lt;VirtualHost *:443&gt;\n    ServerName zabbix.fsec.lan\n    DocumentRoot \/usr\/share\/zabbix\/ui\n\n    SSLEngine on\n    SSLCertificateFile    \/etc\/ssl\/zabbix\/zabbix.crt\n    SSLCertificateKeyFile \/etc\/ssl\/zabbix\/zabbix.key\n\n    Include \/etc\/apache2\/conf-available\/zabbix.conf\n&lt;\/VirtualHost&gt;\n\n&lt;VirtualHost *:80&gt;\n    ServerName zabbix.fsec.lan\n    Redirect permanent \/ 
https:\/\/zabbix.fsec.lan\/\n&lt;\/VirtualHost&gt;<\/code><\/pre>\n<\/div>\n<blockquote>\n<p>\u26a0\ufe0f <strong>Zabbix 7.2 pitfall<\/strong>: the DocumentRoot is <code>\/usr\/share\/zabbix\/ui<\/code> (with <code>\/ui<\/code>), not <code>\/usr\/share\/zabbix<\/code>. If you get it wrong \u2192 blank page or 403 error.<\/p>\n<\/blockquote>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Enable the SSL site and disable the default site\na2ensite zabbix-ssl.conf\na2dissite 000-default.conf\n\n# Restart Apache\nsystemctl restart apache2<\/code><\/pre>\n<\/div>\n<h3>Step 6.5 \u2014 Create the DNS record<\/h3>\n<p>On DC01, in PowerShell:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">powershell<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-powershell\">Add-DnsServerResourceRecordA -Name &quot;zabbix&quot; -ZoneName &quot;fsec.lan&quot; -IPv4Address &quot;10.10.20.31&quot;\n\n# Verify\nResolve-DnsName zabbix.fsec.lan<\/code><\/pre>\n<\/div>\n<h3>Expected result<\/h3>\n<p><code>https:\/\/zabbix.fsec.lan<\/code> \u2192 Zabbix login page with a green padlock (if FSEC-CA is in the browser&rsquo;s trust store).<\/p>\n<h2>7. LDAPS authentication against AD<\/h2>\n<h3>Why LDAPS and not LDAP?<\/h3>\n<p>Windows Server 2025 <strong>rejects plain LDAP connections<\/strong> (port 389) \u2014 it requires either LDAPS (port 636) or LDAP with signing. This is hardened security enabled by default in WS2025. 
We ran into exactly the same problem with GLPI (CP1).<\/p>\n<h3>Step 7.1 \u2014 Create the service account in AD<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">powershell<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-powershell\"># On DC01\nNew-ADUser -Name &quot;svc-zabbix&quot; `\n  -SamAccountName &quot;svc-zabbix&quot; `\n  -UserPrincipalName &quot;svc-zabbix@fsec.lan&quot; `\n  -Path &quot;OU=_Services,OU=_UTILISATEURS,DC=fsec,DC=lan&quot; `\n  -AccountPassword (ConvertTo-SecureString &quot;MotDePasse!&quot; -AsPlainText -Force) `\n  -PasswordNeverExpires $true `\n  -Enabled $true<\/code><\/pre>\n<\/div>\n<h3>Step 7.2 \u2014 Configure TLS on Zabbix<\/h3>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Test the LDAPS connection from Zabbix\nldapsearch -x -H ldaps:\/\/10.10.20.10:636 \\\n  -D &quot;CN=svc-zabbix,OU=_Services,OU=_UTILISATEURS,DC=fsec,DC=lan&quot; \\\n  -w &quot;MotDePasse!&quot; \\\n  -b &quot;DC=fsec,DC=lan&quot; &quot;(sAMAccountName=svc-zabbix)&quot;<\/code><\/pre>\n<\/div>\n<p>If you get the error <code>Can&#039;t contact LDAP server<\/code>:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\"># Disable TLS certificate verification\necho &quot;TLS_REQCERT never&quot; &gt;&gt; \/etc\/ldap\/ldap.conf<\/code><\/pre>\n<\/div>\n<blockquote><p><strong>Why TLS_REQCERT never?<\/strong><\/p>\n<p>The LDAP client (Zabbix) normally verifies the AD server&rsquo;s certificate. 
Because our FSEC-CA certificate is not in the Linux system trust store, the client refuses the connection. <code>TLS_REQCERT never<\/code> disables this verification: the session is still encrypted, but the client no longer checks that it is really talking to the AD server. In production, we would import the CA certificate instead.<\/p>\n<\/blockquote>\n<p>So that the Zabbix web frontend (Apache\/PHP) also picks up this setting:<\/p>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">bash<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code class=\"language-bash\">echo &quot;LDAPTLS_REQCERT=never&quot; &gt;&gt; \/etc\/apache2\/envvars\nsystemctl restart apache2<\/code><\/pre>\n<\/div>\n<h3>Step 7.3 \u2014 Configure LDAP in the Zabbix interface<\/h3>\n<p><strong>Users \u2192 Authentication \u2192 LDAP \u2192 Add<\/strong><\/p>\n<table>\n<thead>\n<tr>\n<th>Parameter<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Name<\/td>\n<td><code>FSEC-AD<\/code><\/td>\n<\/tr>\n<tr>\n<td>Host<\/td>\n<td><code>ldaps:\/\/10.10.20.10<\/code><\/td>\n<\/tr>\n<tr>\n<td>Port<\/td>\n<td><code>636<\/code><\/td>\n<\/tr>\n<tr>\n<td>Base DN<\/td>\n<td><code>DC=fsec,DC=lan<\/code><\/td>\n<\/tr>\n<tr>\n<td>Search attribute<\/td>\n<td><code>sAMAccountName<\/code><\/td>\n<\/tr>\n<tr>\n<td>Bind DN<\/td>\n<td><code>CN=svc-zabbix,OU=_Services,OU=_UTILISATEURS,DC=fsec,DC=lan<\/code><\/td>\n<\/tr>\n<tr>\n<td>Bind password<\/td>\n<td>the account&rsquo;s password<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Test with an AD account (not Admin, which is a local Zabbix account).<\/p>\n<h2>8. 
Summary of the certificate flow<\/h2>\n<div class=\"code-block-wrapper\">\n<div class=\"code-block-header\"><span class=\"code-language\">code<\/span><button class=\"code-copy-btn\" type=\"button\">Copy<\/button><\/div>\n<pre><code>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  Zabbix VM           \u2502\n\u2502  1. Gen. private key \u2502 \u2190 stays on the server\n\u2502  2. Gen. CSR         \u2502 \u2190 contains public key + identity info\n\u2502  3. Sends CSR \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502                      \u2502      \u2502\n\u2502  5. Receives the .crt\u2502      \u25bc\n\u2502     (signed cert.)   \u2502  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502  6. Configure Apache \u2502  \u2502  DC01 (FSEC-CA)\u2502\n\u2502     with .crt + .key \u2502  \u2502  4. 
Signs the CSR\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518  \u2502     \u2192 issues .crt\u2502\n                          \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/code><\/pre>\n<\/div>\n<p><strong>In summary:<\/strong><\/p>\n<ol>\n<li><strong>private key<\/strong> (.key) = the server&rsquo;s secret, never leaves it<\/li>\n<li><strong>CSR<\/strong> (.csr) = signing request sent to the CA<\/li>\n<li><strong>certificate<\/strong> (.crt) = the server&rsquo;s identity, validated by the CA<\/li>\n<li><strong>SAN<\/strong> = list of names\/IPs allowed in the certificate (required by modern browsers)<\/li>\n<li><strong>FSEC-CA<\/strong> = our certification authority, which signs everything in the domain<\/li>\n<\/ol>\n<h2>Errors encountered and solutions<\/h2>\n<table>\n<thead>\n<tr>\n<th>Error<\/th>\n<th>Cause<\/th>\n<th>Solution<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Blank page over HTTPS<\/td>\n<td>Wrong DocumentRoot (<code>\/usr\/share\/zabbix<\/code> instead of <code>\/usr\/share\/zabbix\/ui<\/code>)<\/td>\n<td>Fix it in the Apache VirtualHost<\/td>\n<\/tr>\n<tr>\n<td><code>NET::ERR_CERT_COMMON_NAME_INVALID<\/code><\/td>\n<td>No SAN in the certificate<\/td>\n<td>Regenerate the CSR with an <code>.ext<\/code> file containing the SANs<\/td>\n<\/tr>\n<tr>\n<td><code>sed<\/code> applied several times<\/td>\n<td>The path <code>\/usr\/share\/zabbix<\/code> was replaced with <code>\/usr\/share\/zabbix\/ui\/ui\/ui<\/code><\/td>\n<td>Restore from the backup, apply <code>sed<\/code> only once<\/td>\n<\/tr>\n<tr>\n<td>LDAP <code>Strong authentication required<\/code><\/td>\n<td>WS2025 rejects plain LDAP (port 389)<\/td>\n<td>Use LDAPS (port 636)<\/td>\n<\/tr>\n<tr>\n<td>LDAPS 
<code>Can&#039;t contact LDAP server<\/code><\/td>\n<td>CA certificate not recognized by Linux<\/td>\n<td><code>TLS_REQCERT never<\/code> in <code>\/etc\/ldap\/ldap.conf<\/code><\/td>\n<\/tr>\n<tr>\n<td>Zabbix web LDAP fails<\/td>\n<td>Apache\/PHP does not read <code>\/etc\/ldap\/ldap.conf<\/code><\/td>\n<td>Add <code>LDAPTLS_REQCERT=never<\/code> to <code>\/etc\/apache2\/envvars<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Zabbix 7.2 Installation \u2014 Complete Guide Summary Installation of Zabbix Server 7.2 on Ubuntu 24.04 with a remote MariaDB database (10.10.20.40), HTTPS access via an FSEC-CA certificate, and authentication via LDAP<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[166,172],"tags":[],"class_list":["post-294","post","type-post","status-publish","format-standard","hentry","category-infrastructure","category-infrastructure-siem"],"_links":{"self":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts\/294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=294"}],"version-history":[{"count":0,"href":"https:\/\/pandack.fr\/index.php?rest_route=\/wp\/v2\/posts\/294\/revisions"}],"wp:attachment":[{"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pandack.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pandack.f
r\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}