CMK version: 2.0.0p15 (CEE)
OS version: Linux and Windows
Error message: No valid signature found
Hello,
We have setup agent updater in the agent for our servers, every time I bake and sign an agent he gets the warning message saying “no valid signature found” and doesn’t update.
When I install the agent manually on the server, it seems to work but after the update rule gets executed the error comes again
Hallo,
1)
double check if the taraget-system is in group whose agent is signed (yellow key)
2)
cmk-agent-register -vG may help
after updating bake a new client with a little change an try a normal update again.
Ralf
As addition to @rprengel’s remarks i have one other thing to check.
If the affected system was working before with the agent updater then it can also be that the signature was not written correctly after the last “bake agents”.
I had this problem from time to time. You only need to do the “sign agents” again.
In my systems i look for hosts with this error messages after updates of the CMK system and rebuilding the agents.
They are yes! every host seems to show this problem
we already register the host more than once and it works but when it automatically updates I get the not valid key
We tried that, it is the 3rd time we uninstall the agent, installed again with the agent baked and signed, but whenever the cmk updates all the systems dont read my key.
should the download and installed agent different from the target agent?
@rprengel
Oh yeah, it should because its not updating yeah
Hallo,
nope all 3 IDs should be the same if every thing works.
cmk-update-agent -h
may help to analyse what is going wrong.
General options:
-t, --trust-cert Trust the server’s TLS certificate on this connection
and save it to trusted certificates for further
connections.
-x, --insecure Disable TLS server certificate verification.
-v, --verbose Enable verbose output, twice for more details
-l LOGFILE, --logfile LOGFILE
Log to specified file. Logging data will be appended
and logfile will be rotated if file already exists.
-V, --version show program’s version number and exit
Update options:
-G, --skip-signatures
Skip validation of package signature
-r, --reinstall Also update if package seems up-to-date
-f, --force Do --skip-signatures and --reinstall
-u, --run-as-plugin Behave like if called as agent plugin
Hello,
Interesting topic. I am facing currently same issue in 11.6.0p27.
in the cmk-update-agent.log we see:
Exception: No valid signature found.
After running the updater plugin with option -rf a fresh agent is installed and all is OK again.
What is curious is that the signature in the cmk-update-agent.log is in all cases the same. It would be interesting with what or where the agent plugin compares the signatures. The signature cert I see in the conf file differs from the value in the log file.
I am about to open an official ticket as soon as I have enough information together. Waiting for some addition logs.
BR
Michael
Hallo,
here this seems to happen sometimes after backing two more agents rapidly (for example linux) including changes without an agent-update on the client.
Ralf
Hi Ralf,
You mean that the issue could happen if more than one baking process is started in parallel?
That would make sense in our case because since December we run a cronjob every 15 Minutes.
In our case I am the only one on this specific environment who bake agents but in a real scenario where more than one admin works on the system it is likely that the process is started in parallel. So basically a locking mechanism is missing here.
If you confirm that this is really the case I will ask in the ticket to verify this behavior.
Thanks
Michael
Hallo,
not parallel but fast behind another with max one or two minutes pause between the two tasks.
Only an idea but no facts here to prove it.
Ralf
I cannot confirm or deny the fast baking problem. On my systems i had this behavior from time to time at a normal agent baking process. After the bake was finished i signed all agents and one agent of all got no new signature and later then i got the error message with the valid signature problem.
Solution that helped most times on my systems was bake → sign → sign again and all was fine.
I think there is no real validation of the signature was really written 
This worked. Its a good workaround!
Hi!
We found a bug in the agent bakery that leads to invalid signatures. We fix it with Werk #14608, so stay tuned for Checkmk 2.1.0p10 - It will be released soon.
Also, there will be the possibility to activate logging for the agent bakery, see Werk #14606 - If signatures are still missing after the fix from Werk #14608, warning will be written to the logfile if the bakery failed to sign an agent.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.