One of our team wants to monitor their 3par in checkmk, so we have setup their 3 par in checkmk , the issue is I have deactivated the SSL certificate verification in the configuration, but they want to activate it. As soon as we activate the SSL, the agent fails to install and get the below error:
The team has given me a pem file of 3 par to add in our checkmk as they want the SSL verification to work…is it ok to add this file in our checkmk and where do I need to add this file in checkmk configuration?
Please guide me!!
you can either add trusted SSL/TLS certifcates in checkmks global settings in “Trusted certificate authorities for SSL”, or you can add the certificate to your operating system certificate store and activate “Use system wide CAs”.
Thank you for the quick response, have added their certificate to checkmk global settings " Trusted certificate Authorities for SSL" and Use systemwide CAs as “on”.
Again on doing the connection test got this error, it seems their certificate is not signed by CA authority and so we are getting this error …have asked the team to get a valid certificate. I think my perception towards this error is correct? please advice…
Short answer - No. The error messages states that you hostname inside the certificate differs from the hostname you use inside CMK.
As all the relevant parts are blue, i cannot say what is the best solution.
Easy solution would be - CMK hostname = Cert hostname.
Thank you for the quick response.
In our checkmk we have registered the host with hostname only, we didnt give the IP address.
But in the Error,
Error: HTTPSConnectionPool(host=‘xx.xx.xx.xx’, port=8080): Max retries exceeded with url: /api/v1/credentials (Caused by SSLError(SSLCertVerificationError(“hostname 'xx.xx.xx.xx doesn’t match ‘abc’”)))
I feel HTTPSConnectionPool is taking IP address in host rather than the hostname, somewhere need to check on HTTPSConnectionPool as so why it’s taking IP address rather than hostname.
If you use CMK 2.1 and only define a hostname for this device then the special agent will use the hostname. If you also define an IP the special agent prefers the IP.
Absolutely, we have only given the hostname and not the IP address, Ipaddress column is empty…
But still getting this error.
Insert the FQDN inside the IP address field then the special agent must use the name.
Hats off to you @andreas-doehler , you are genius with great experience!!!
This small trick of inserting the name in the IP address worked.
Thank you so much , we can close this discussion happily.