CMK version: 2.4.0-2025.11.14
OS version: CMK Docker @ Ubuntu
Error message:
Just upgraded from version 2.1 and have a problem with communication from the agent to the cmk site on port 8000:
> cmk-agent-ctl status
WARN [rustls::conn] Sending fatal alert BadCertificate
Version: 2.2.0-2024.08.20
Agent socket: operational
IP allowlist: any
Connection: fqdn/cmk
UUID: ec98772f-180e-454c-b412-9ddc905e8caf
Local:
Connection mode: pull-agent
Connecting to receiver port: 8000
Certificate issuer: Site 'cmk' agent signing CA
Certificate validity: Sun, 16 Nov 2025 19:56:11 +0000 - Sat, 16 Nov 2030 19:56:11 +0000
Remote:
Error: error sending request for url (https://fqdn:8000/cmk/agent-receiver/registration_status_v2/ec98772f-180e-454c-b412-9ddc905e8caf): error trying to connect: invalid peer certificate contents: invalid peer certificate: MissingOrMalformedExtensions (!!)
With the newer agent there are fewer details:
> cmk-agent-ctl status
Version: 2.4.0-2025.11.14
Agent socket: operational
IP allowlist: any
Connection: fqdn/cmk
UUID: ec98772f-180e-454c-b412-9ddc905e8caf
Local:
Connection mode: pull-agent
Connecting to receiver port: 8000
Certificate issuer: Site 'cmk' agent signing CA
Certificate validity: Sun, 16 Nov 2025 19:56:11 +0000 - Sat, 16 Nov 2030 19:56:11 +0000
Remote:
Error: error sending request for url (https://fqdn:8000/cmk/agent-receiver/registration_status_v2/ec98772f-180e-454c-b412-9ddc905e8caf) (!!)
I managed to get some more details using:
> cmk-agent-ctl -vv renew-certificate ec98772f-180e-454c-b412-9ddc905e8caf
INFO [cmk_agent_ctl] starting
INFO [cmk_agent_ctl] Loaded config from '"/var/lib/cmk-agent/cmk-agent-ctl.toml"', connection registry from '"/var/lib/cmk-agent/registered_connections.json"'
DEBUG [reqwest::connect] starting new connection: https://fqdn:8000/
DEBUG [rustls::client::hs] No cached session for DnsName("fqdn")
DEBUG [rustls::client::hs] Not resuming any session
DEBUG [rustls::client::hs] Using ciphersuite TLS13_AES_256_GCM_SHA384
DEBUG [rustls::client::tls13] Not resuming
DEBUG [rustls::client::tls13] TLS1.3 encrypted extensions: []
DEBUG [rustls::client::hs] ALPN protocol is None
DEBUG [rustls::client::tls13] Got CertificateRequest CertificateRequestPayloadTls13 { context: , extensions: [SignatureAlgorithms([ECDSA_NISTP256_SHA256, ECDSA_NISTP384_SHA384, ECDSA_NISTP521_SHA512, ED25519, ED448, SignatureScheme(0x809), SignatureScheme(0x80a), SignatureScheme(0x80b), RSA_PSS_SHA256, RSA_PSS_SHA384, RSA_PSS_SHA512, RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512, SignatureScheme(0x303), SignatureScheme(0x301)])] }
DEBUG [rustls::client::common] Attempting client auth
ERROR [cmk_agent_ctl] error sending request for url (https://fqdn:8000/cmk/agent-receiver/renew_certificate/ec98772f-180e-454c-b412-9ddc905e8caf)
Caused by:
0: client error (Connect)
1: invalid peer certificate: NotValidForName
I compared the certificate on https://fqdn:8000 with another Check_mk instance and my certificate does not contain:
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:cmk
X509v3 Basic Constraints: critical
CA:FALSE
How can I fix this? Is there any way to regenerate this certificate?
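
The comparison described in the post (does the receiver's certificate carry a Subject Alternative Name for the name the agent connects to?) can be scripted. This is an added example, not part of the original post and not Checkmk code. All function names are hypothetical, `sample_cert` builds constructed, unsigned certificate skeletons for demonstration, and the matcher handles exact names only.

```python
SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17, subjectAltName

def tlv(tag, body):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(buf):
    """Yield (tag, body) for each DER element packed back to back in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def san_dns_names(der):
    """Return the SAN dNSName entries, or None if the extension is absent."""
    (_, cert), = children(der)        # outer Certificate SEQUENCE
    _, tbs = next(children(cert))     # tbsCertificate is its first element
    for tag, body in children(tbs):
        if tag != 0xA3:               # [3] EXPLICIT Extensions
            continue
        (_, exts), = children(body)
        for _, ext in children(exts):
            fields = list(children(ext))  # OID, optional critical flag, OCTET STRING
            if fields[0][1] == SAN_OID:
                (_, names), = children(fields[-1][1])
                return [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return None

def valid_for(der, host):
    """True if a SAN dNSName equals host (case-insensitive, no wildcard handling)."""
    return host.lower() in (n.lower() for n in san_dns_names(der) or [])

def sample_cert(dns_names=None):
    """Constructed certificate skeleton: correct structure, placeholder fields."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 5
    if dns_names is not None:
        names = tlv(0x30, b"".join(tlv(0x82, n.encode()) for n in dns_names))
        ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, names))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a live receiver, the DER bytes can be obtained with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 8000)))`, which fetches the certificate without validating it.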