After update, "TLS is not activated on monitored host"

CMK version: 2.1.0p25.cee
OS version: CentOS 7

Error message: TLS is not activated on monitored host

situation before (server): 2.1.0p12
situation before (CentOS 7 agents): 2.0.0p28
situation now (server, agents): 2.1.0p25

After updating the checkmk server from 2.1.0p09 to 2.1.0p25 the agents updated successfully by themselves. But, surprisingly, I see in the dashboard for all these nodes the warning: TLS is not activated on monitored host

Why that?

I’ve seen now that a solution is to manually ssh into the node and run cmk-agent-ctl register … again; the warning disappears then.

And by the way, I don’t want to create the following rules as a workaround:

Setup > Services > Service monitoring rules > Applications, Processes & Services > Checkmk Agent installation auditing > Add Rule

[X] State in case of available but not enabled TLS == OK

or

Setup > Agents > Windows, Linux, Solaris, AIX > Agent Rules > Access to agents > Checkmk agent > Encryption > Add Rule

Allow Non-TLS connections

Because: on these CentOS 7 nodes a too old systemd is running (v219), and TLS was not possible in the past.
But suddenly, the following cmd works and has to be executed (which I know only from systemd >v219, e.g. Rocky Linux 8): cmk-agent-ctl register …

On the CentOS 7 nodes I merely did a: /usr/lib/check_mk_agent/plugins/3600/cmk-update-agent register … in the past.

I’m hoping for some feedback and a possible reasonable explanation, thanks.

TLS encryption is a new feature in 2.1 agents. Your old agents were 2.0 and didn’t yet support TLS encryption (not to be confused with the old symmetric encryption with a shared secret).

As soon as an agent is capable of the new TLS encryption, checkmk warns if it is not enabled. The register command cmk-agent-ctl register often gets confused with the Agent update registration cmk-agent-update register, but these are two different registration types: one for TLS encryption and one for registering automatic updates (Agent Bakery, cee).

Kind regards, Dirk.

Thanks for your answer.

So you mean now the new updated agent on CentOS 7 is now capable of TLS encryption, which was not possible before? Because before, on CentOS 7 it was max possible to run v2.0.0p28 w/o TLS (as I said because of old systemd v219), and now it updated to v2.1.0p25 w/ TLS.

Correct?

Correct. If the server is 2.1, but the agent on a host is 2.0 or older, there’s no TLS and no warning. If the agent is 2.1, it is capable of TLS and checkmk will warn about this by default, which, as you already noticed, can be deactivated in the rule “Checkmk Agent installation auditing”, if you don’t want to or cannot use the TLS feature. (It requires https from the agent to the server, which for raw edition without bakery normally is not needed, plus the new port 8000 where the agent-receiver listens. And it requires the additional registration step, which in 2.1 still requires an account with full admin rights, which might be inconvenient for automation scripts with regard to sensitive clear text passwords in scripts.)

Kind regards, Dirk.

Hi!

As for the systemd 219/220 part:

With Checkmk 2.1.0, we started to support systemd only for versions equal to or above 220, see Checkmk agent: do not support systemd versions prior to 220

Technically, the statements from Werk 13692 only hold true when deploying the agent with systemd, but without the agent controller.
This is because the agent controller handles the connection directly (without taking it over from systemd) and can pass some information to the agent script that would otherwise only be available with systemd 220+.

Then, after we realized that RHEL/CentOS 7 only comes with systemd 219, we decided to handle the situation a bit less strictly and allow systemd 219 in combination with the agent controller.
See Agent controller: add support for systemd version 219

That’s why TLS now works with the 2.1.0p25 agent on CentOS 7, while it was not available with the 2.1.0p12 agent on the same system.

Cheers
Andi

Thanks again for the detailed information.
With this, I managed now to get rid of the TLS warnings again on the CentOS 7 nodes.
