Agent registration handshake failure

CMK version: 2.1.0p5 (Free) as Docker container
OS version: Ubuntu 22.04 / Windows 11

Error message:

ERROR [cmk_agent_ctl] the handshake failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Caused by:
    0: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
    1: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

After updating to CheckMK 2.1 and rebuilding the agents I received this Check_MK Agent warning on an Ubuntu 22.04 host and a Windows 11 host:

The hosts agent supports TLS, but it is not being used.
We strongly recommend to enable TLS by registering the host to the site (using the `cmk-agent-ctl register` command on the monitored host).

When I tried to register using the given command, the above-mentioned error message appeared.
I can see that the agent attempts to register at port 8000. As I am running my CheckMK instance as a Docker container which sits behind an nginx reverse proxy for web-interface access, this cannot work.

Could you post the exact command line you used?

I just updated my initial post with some more information.

The exact command line is this:

cmk-agent-ctl register -v -H HOSTNAME -P 'PASSWORD' -s SUBDOMAIN.DOMAIN.TLD -i SITE-NAME -U USERNAME

This worked perfectly fine in CMK 2.0

CMK 2.0 did not yet use TLS, so port 8000 didn’t need to be exposed back then. In your case doing proxy registration on the CMK server itself and importing it on the host to be monitored might be the best way. (deep link)

That's a good idea.

I just exposed port 8000 (to another port though), which also worked quite nicely.

Thank you very much nonetheless.


I have the same error, but in my case an unexposed port is not the problem.
It seems like the agent-receiver doesn’t use TLS?

Does anyone have a clue what I have configured wrongly?

$ netstat -tulpn | grep 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      4532/python3

$ ps aux | grep 4532
xx 4532  0.0  0.0  39560 26564 ?        S    Sep24   0:14 python3 /omd/sites/mysite/bin/gunicorn -D -p /omd/sites/mysite/tmp/run/agent-receiver.pid --error-logfile /omd/sites/mysite/var/log/agent-receiver/error.log --access-logfile /omd/sites/mysite/var/log/agent-receiver/access.log --keyfile /omd/sites/mysite/etc/ssl/agent_receiver_cert.pem --certfile /omd/sites/mysite/etc/ssl/agent_receiver_cert.pem --ca-certs /omd/sites/mysite/etc/ssl/ca.pem --cert-reqs 1 -b 0.0.0.0:8000 -k agent_receiver.worker.ClientCertWorker agent_receiver.apps:main_app()

$ openssl s_client -connect localhost:8000 --showcerts
CONNECTED(00000003)
139630490178880:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
--- 

Logs of the agent-receiver also don’t give many hints

[2022-09-25 11:36:29 +0200] [929748] [INFO] Starting gunicorn 20.1.0
[2022-09-25 11:36:29 +0200] [929748] [INFO] Listening at: https://0.0.0.0:8000 (929748)
[2022-09-25 11:36:29 +0200] [929748] [INFO] Using worker: agent_receiver.worker.ClientCertWorker
[2022-09-25 11:36:29 +0200] [929767] [INFO] Booting worker with pid: 929767
[2022-09-25 11:36:30 +0200] [929767] [INFO] Started server process [929767]
[2022-09-25 11:36:30 +0200] [929767] [INFO] Waiting for application startup.
[2022-09-25 11:36:30 +0200] [929767] [INFO] Application startup complete.

CMK version: 2.1.0p12
OS version: Ubuntu 20.04

Error message:

root@myserver:~# cmk-agent-ctl register --hostname myhostname --server myserver.com --site mysite --user myuser --password mypassword
Attempting to register at myserver.de:8000/mysite. Server certificate details:

ERROR [cmk_agent_ctl] the handshake failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Caused by:
    0: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
    1: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Same issue here! Hopefully somebody has a solution.

Same problem here running checkmk in a docker container. I get complaints about each host I am monitoring having the same problem:

" Version: 2.1.0p18, OS: linux, TLS is not activated on monitored host (see details)WARN , Agent plugins: 0, Local checks: 0"

When I try and register it I get:

Attempting to register at 192.168.1.5:8080/cmk. Server certificate details:

ERROR [cmk_agent_ctl] the handshake failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Caused by:
0: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
1: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:

Try cmk-agent-ctl register --hostname localserver.com --server 192.168.1.5:8000 --site cmk --trust-cert --user automation --password '390facd5'
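
Added example, not part of any post above and not Checkmk code: OpenSSL reports `wrong version number` when the first five bytes it reads back (the `read 5 bytes` in the `openssl s_client` output) are not a TLS record header, and this Python script sends a real ClientHello to a port and classifies those five bytes. The names `client_hello`, `classify_reply` and `probe` are made up for this example, and the sample replies in the last lines are constructed.

```python
import socket
import ssl

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_RECORD_TYPES = {20, 21, 22, 23}


def client_hello(server_name: str) -> bytes:
    """Let OpenSSL build a real ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and OpenSSL now waits for the server
    return outgoing.read()


def classify_reply(first5: bytes) -> str:
    """Classify the first 5 bytes of a reply, where a TLS record header would sit."""
    if len(first5) < 5:
        return "no-reply"  # peer closed the connection or stayed silent
    if first5[0] in TLS_RECORD_TYPES and first5[1] == 3:
        return "tls"  # valid content type and protocol major version 3
    if first5 == b"HTTP/":
        return "plain-http"  # an unencrypted HTTP server answered the ClientHello
    return "not-tls"


def probe(host: str, port: int, timeout: float = 5.0) -> tuple[str, bytes]:
    """Send a ClientHello to host:port and report what kind of service answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        first5 = b""
        try:
            while len(first5) < 5:
                chunk = sock.recv(5 - len(first5))
                if not chunk:
                    break
                first5 += chunk
        except socket.timeout:
            pass
    return classify_reply(first5), first5


if __name__ == "__main__":
    # Constructed sample replies: a TLS handshake record header, an HTTP status line, silence.
    for sample in (bytes([22, 3, 3, 0, 122]), b"HTTP/1.1 400 Bad Request"[:5], b""):
        print(sample, "->", classify_reply(sample))
```

Calling `probe(host, port)` with the address and port given to `cmk-agent-ctl register` returns the classification together with the raw five bytes; anything other than `tls` means the service answering there is not speaking TLS to the client.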