Agent install on RHEL 9 FIPS enabled work around

One of our clients needs FIPS enabled on their Linux server. The Checkmk agent won't install on this without the --nodigest --nofiledigest rpm options. The updater therefore presents the same issue. Anybody know if one can hardcode the no-digest options in the updater install script?

I think it would be a good feature (for the probable future instances of this) if the agent updater rule in WATO had this option built in.

Same problem here. Were you able to find a solution?

My colleague @bluetomb recently wrote a knowledge-base article on FIPS-enabling. https://checkmk.atlassian.net/wiki/spaces/KB/pages/9472176/How-to+enable+FIPS+mode+RHEL

However, whether it covers the Updater, I am not sure (didn’t completely read it, much less understand it :wink: )

If it does, good for you.
If it doesn’t, good for Matt, as he can maybe do some investigating how to get that to work and possibly add it to the article :smiley:

The article also says to set --nofiledigest. This works when installing manually, but you can't set it when installing automatically because you can't edit the rpm install command.

Edit: The article also states that it would work if the package is signed with sha256. Unfortunately checkmk only signs it with md5.


Hello,

While there is currently no workaround for the issue, we recognize the increasing significance of FIPS. As a result, we are actively exploring its integration into our product roadmap.


Hello,

You can try this:

Make a copy of the update scripts.

omd su [sitename]
cp ~/share/check_mk/agents/plugins/cmk_update_agent.py ~/local/share/check_mk/agents/plugins

open the script:

vi ~/local/share/check_mk/agents/plugins/cmk_update_agent.py

search for “def _install_agent_linux_rpm”

and change this line

self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", filename])

to

self._invoke_unix_pkg_manager(["rpm", "-vU", "--oldpackage", "--replacepkgs", "--nodigest", "--nofiledigest", filename])

delete the old agents in this directory:

~/var/check_mk/agents/linux_rpm

Now you can bake new agents over WATO.

But this isn't something I prefer. There must be a better solution.
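
As an added example (not Checkmk's code and not from this thread), the change to the rpm command above can be driven by an actual FIPS check instead of hardcoding the flags, and the package itself can be inspected first. The block below reads the kernel's FIPS switch (/proc/sys/crypto/fips_enabled, the same thing fips-mode-setup --check consults, as the Ansible task later in the thread does), builds the rpm command used by _install_agent_linux_rpm with the digest flags only when needed, and parses `rpm -Kv` output to tell whether a package carries a SHA-256 digest or only the MD5 digest that FIPS-mode rpm cannot verify. The sample `rpm -Kv` output and the package and key names are constructed, not real Checkmk artifacts.

```python
from __future__ import annotations

import re
from pathlib import Path

# Kernel switch that fips-mode-setup --check also consults (standard Linux path).
FIPS_FLAG_FILE = Path("/proc/sys/crypto/fips_enabled")


def fips_enabled(flag_file: Path = FIPS_FLAG_FILE) -> bool:
    """True when the running kernel is in FIPS mode (the file contains '1')."""
    try:
        return flag_file.read_text(encoding="ascii").strip() == "1"
    except OSError:
        return False  # no such file: not a FIPS-capable kernel


def fips_enabled_from_check(stdout: str) -> bool:
    """Same decision from captured `fips-mode-setup --check` output, which
    prints 'FIPS mode is enabled.' on a FIPS host."""
    return re.search(r"\bFIPS mode is enabled\b", stdout) is not None


def rpm_install_command(filename: str, fips: bool) -> list[str]:
    """rpm invocation for the agent package, as in the updater's
    _install_agent_linux_rpm, with the digest bypass only under FIPS.

    --nodigest/--nofiledigest skip only rpm's digest checks; a GPG signature
    check still runs when the vendor key is imported, so that control stays."""
    cmd = ["rpm", "-vU", "--oldpackage", "--replacepkgs"]
    if fips:
        cmd += ["--nodigest", "--nofiledigest"]
    return cmd + [filename]


# One line per digest in `rpm -Kv <pkg>` output, e.g. "    Header SHA256 digest: OK".
_DIGEST_LINE = re.compile(r"^\s*(?:Header |Payload )?(MD5|SHA1|SHA256) digest:", re.M)


def digest_algorithms(rpm_kv_output: str) -> set[str]:
    """Digest algorithms a package carries, parsed from `rpm -Kv` output."""
    return {m.group(1) for m in _DIGEST_LINE.finditer(rpm_kv_output)}


def needs_digest_bypass(rpm_kv_output: str) -> bool:
    """True when the package has no SHA-256 digest, i.e. only MD5/SHA1 ones;
    such a package needs the flags above to install on a FIPS host."""
    return "SHA256" not in digest_algorithms(rpm_kv_output)


# Constructed samples in the shape of `rpm -Kv` output (not real Checkmk output).
SAMPLE_KV_MD5_ONLY = """\
check-mk-agent-EXAMPLE.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
"""
SAMPLE_KV_SHA256 = """\
check-mk-agent-EXAMPLE.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID EXAMPLEKEYID: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID EXAMPLEKEYID: OK
    MD5 digest: OK
"""

if __name__ == "__main__":
    fips = fips_enabled()
    print("FIPS mode:", fips)
    print(" ".join(rpm_install_command("check-mk-agent-EXAMPLE.noarch.rpm", fips)))
    for label, out in (("md5-only", SAMPLE_KV_MD5_ONLY), ("sha256", SAMPLE_KV_SHA256)):
        print(label, sorted(digest_algorithms(out)), "bypass needed:", needs_digest_bypass(out))
```

Running `rpm -Kv` on the baked package and feeding its output to needs_digest_bypass tells you up front whether a given agent build will fail under FIPS, which is the quicker way to notice when the signing changes and the workaround becomes unnecessary.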

hi @becmat,

have you tried this change yourself? I rebaked my agents after making the changes you suggested and re-deployed the updater agent, but there was no change to the command-line arguments the updater uses while trying to update the agent.

I don’t know enough about how checkmk builds these agent packages for me to say why this isn’t working and am hoping someone around here could shed some light on this.

Hi @bluetomb, our clients are also running in FIPS mode.
Do you know maybe the status of this issue?

Many thanks in advance.

Hello,

At this early stage of the project, we’re unable to provide a reliable timeline for achieving full FIPS support. Our initial focus is on assessing our current gaps and identifying areas requiring attention.

With the upcoming release of Checkmk 2.4.0, we aim to make significant strides towards full FIPS support. However, it’s possible that one additional version may be necessary to complete this task. Nonetheless, our goal is to furnish information on the current FIPS compliance status for each Checkmk installation.

To facilitate discussion and gather input, I’ve initiated a post on our Ideas Portal dedicated to this topic: https://ideas.checkmk.com/suggestions/557926/

We encourage you to share your thoughts on what an ideal FIPS support implementation would entail.

Thank you!


Thanks for your reply @bluetomb. For now we are working with a workaround in your Ansible code, something like the below, where we purely check the FIPS mode and based on that implement your --nodigest --nofiledigest workaround.

But if the signing is different this would be obsolete code.

- name: "{{ ansible_os_family }} Derivatives: Run fips-mode-setup --check"
  ansible.builtin.command: "fips-mode-setup --check"
  register: checkmk_agent_fips_mode
  # A read-only check; do not report it as a change.
  changed_when: false
  # Do not fail the play on a non-zero exit (FIPS off, or tool absent).
  failed_when: false

- name: "{{ ansible_os_family }} Derivatives: Install GENERIC or folder-specific {{ checkmk_agent_edition | upper }} Agent."
  become: true
  # Skip rpm's MD5 digest checks, which cannot run on a FIPS host.
  ansible.builtin.command: "rpm -ivh --nodigest --nofiledigest {{ checkmk_agent_agent.file.cee }}"
  when: |
    checkmk_agent_edition | lower != "cre"
    and not checkmk_agent_host_specific | bool
    and 'enabled' in checkmk_agent_fips_mode.stdout
  changed_when: true
  failed_when: false
  tags:
    - install-package
    - skip-ansible-lint


@mouwerkerk maybe you want to create a PR against the collection, so we can incorporate this (even if just for the time it works)? That way, everyone can profit and help improve it. :slight_smile: