[comment]: # ({548dd6db-e03ef403})
# 17 Google Chrome TLS certificate trust

[comment]: # ({/548dd6db-e03ef403})

[comment]: # ({6db422e5-eaab320d})
#### Overview

This page provides setup steps and configuration examples for using Google Chrome with the Zabbix frontend or zabbix-web-service endpoints that are secured by a self-signed certificate or by a certificate issued by a private certificate authority.

These instructions assume that the target web server is already configured for HTTPS.
For configuring TLS on the Zabbix frontend, see [Secure connection to the frontend](/manual/appendix/install/frontend_encrypt).

[comment]: # ({/6db422e5-eaab320d})

[comment]: # ({a5271137-d13fee2a})
#### Configuration

Google Chrome on Linux uses a per-user NSS certificate database for trusted certificates.
To make Chrome trust a self-signed certificate or a private certificate authority, add the required certificates to the NSS database of the user account that runs Chrome.

1\. Install required packages.

For Debian/Ubuntu:

```bash
sudo apt install ca-certificates libnss3-tools
```

For RHEL-based systems:

```bash
sudo dnf install ca-certificates nss-tools
```

Or:

```bash
sudo yum install ca-certificates nss-tools
```

2\. Prepare certificate files.

Create a PEM-encoded `.crt` file for each certificate to be imported: one file for a self-signed certificate, or separate files for the root certificate authority certificate and, if required, each intermediate certificate.

3\. Create the NSS database directory.

Use the home directory of the user that runs Chrome.

For example:

```bash
sudo mkdir -p /var/lib/zabbix/.pki/nssdb
# Hand the directory to the Chrome user first, so that the database can be created as that user.
sudo chown -R zabbix:zabbix /var/lib/zabbix/.pki/nssdb
sudo -u zabbix certutil -N -d sql:/var/lib/zabbix/.pki/nssdb
```

If Chrome on the target system uses a different NSS database location, use that directory instead.

Make sure the certificate files are readable by the user that runs Google Chrome.
If necessary, copy them to a location accessible to that user.

4\. Import the certificates.

If using a self-signed certificate:

```bash
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
  -A -t "P,," \
  -n "Zabbix self-signed certificate" \
  -i /path/to/self-signed.crt
```

If using a private certificate authority, import the root certificate authority certificate into the database:

```bash
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
  -A -t "C,," \
  -n "Zabbix root certificate authority" \
  -i /path/to/root-ca.crt
```

If any intermediate certificates are used, import each one separately:

```bash
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb \
  -A -t ",," \
  -n "Zabbix intermediate certificate" \
  -i /path/to/intermediate-ca.crt
```

5\. Verify the certificate database.

```bash
sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb -L
```

6\. Test Chrome.

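Google Chrome uses the certificate database of the user account that launches it and locates it relative to that user's home directory (`$HOME/.pki/nssdb`).
If the user account does not have a writable home directory, configure a writable home and XDG directories before running the test, and make sure the NSS database from step 3 is located under the `HOME` value that Chrome is started with.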

Example (replace `google-chrome` with `chromium` if Chromium is used):

```bash
sudo -u zabbix env \
  HOME=/var/lib/zabbix-home \
  XDG_CONFIG_HOME=/var/lib/zabbix-home/.config \
  XDG_DATA_HOME=/var/lib/zabbix-home/.local/share \
  XDG_CACHE_HOME=/var/lib/zabbix-home/.cache \
  google-chrome --headless --disable-gpu \
  --user-data-dir=/var/lib/zabbix-home/chrome-profile \
  --dump-dom https://FQDN_OF_ZABBIX_SERVER
```

If the configuration is correct, the command returns the HTML of the requested page.

If Chrome does not trust the certificate, the command returns a certificate error page containing messages such as `NET::ERR_CERT_AUTHORITY_INVALID`.

[comment]: # ({/a5271137-d13fee2a})

[comment]: # ({fe3c80b0-6ae2b3dd})
#### Troubleshooting

|Error|Possible cause|
|--|--------|
|`NET::ERR_CERT_AUTHORITY_INVALID`|The certificate was imported into the wrong user profile, the root certificate authority certificate is missing, or an intermediate certificate is missing.|
|`NET::ERR_CERT_COMMON_NAME_INVALID`|The certificate does not match the hostname used in the browser URL.|
|`NET::ERR_CERT_DATE_INVALID`|The certificate is expired, not yet valid, or the system clock is incorrect.|
|Chrome still shows a certificate warning after import|Chrome is using a different NSS database for the current user, or the certificate trust flags are incorrect.|
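
To rule out the "trust flags are incorrect" and "certificate is missing" causes, the following added example (not part of the Zabbix documentation) parses `certutil -L` output and compares it with the nicknames and trust flags used in step 4. The function names, the `EXPECTED` list and the sample listing are constructed for illustration.

```bash
# Added example: audit `certutil -L` output against the trust flags from step 4.

# nickname=flags pairs for the private CA case, as used in the import commands.
EXPECTED='Zabbix root certificate authority=C,,
Zabbix intermediate certificate=,,'

# Constructed sample listing (not real output): the root CA lacks the C flag.
SAMPLE='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Zabbix root certificate authority                            ,,
Zabbix intermediate certificate                              ,,
'

# trust_of LISTING NICKNAME: print the trust flags of NICKNAME; status 1 if absent.
trust_of() {
  printf '%s\n' "$1" | awk -v nick="$2" '
    NF >= 2 {
      flags = $NF; name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trust column
      sub(/^[ \t]+/, "", name)                # drop leading whitespace
      if (name == nick) { print flags; found = 1; exit }
    }
    END { exit (found ? 0 : 1) }'
}

# check_listing LISTING: report each expected entry; status = number of problems.
check_listing() {
  cl_problems=0
  while IFS='=' read -r cl_nick cl_want; do
    if ! cl_got=$(trust_of "$1" "$cl_nick"); then
      echo "MISSING  $cl_nick"; cl_problems=$((cl_problems + 1))
    elif [ "$cl_got" != "$cl_want" ]; then
      echo "MISMATCH $cl_nick: have '$cl_got', want '$cl_want'"
      cl_problems=$((cl_problems + 1))
    else
      echo "OK       $cl_nick ($cl_got)"
    fi
  done <<EOF
$EXPECTED
EOF
  return "$cl_problems"
}

# Real use: check_listing "$(sudo -u zabbix certutil -d sql:/var/lib/zabbix/.pki/nssdb -L)"
check_listing "$SAMPLE" || echo "$? problem(s) found"
```

For a self-signed certificate, set `EXPECTED` to `Zabbix self-signed certificate=P,,` instead.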

[comment]: # ({/fe3c80b0-6ae2b3dd})
