CMK version:2.3.0p19
OS version:ubuntu server 22.04

Hi dear CheckMK Users,

is there a way to automatically add Livestatus TLS Encryption Certs to the Masters Cert-Store?

with Ansible the creation of a new Site is no problem but enabling the TLS Encryption needs a manual Task.

My Goal: With the Connection to a new Site via Ansible also enable Livestatus by trusting the Cert from the Remote Site, adding it to the Master Cert-Store.

What I found so far:
/opt/omd/sites/SITE/etc/check_mk/multisite.d/wato/ca-certificates.mk

Contains all Certs visible in the GUI Global Settings

/opt/omd/sites/SITE/var/ssl/remote_sites_cas/

Contains all Certs from the Remote Sites

Any Questions and Suggestions are welcome

Hi Noah, thank you for this interesting question. We also working on a solution for exact the same topic. We have around 300 remote sites which would mean 300 CA´s

The certs used for livestatus enc. for a site named ‘test’ are the following:

/omd/sites/test/etc/ssl/ca.pem
/omd/sites/test/etc/ssl/sites/test.pem

May also see:

What we are planning to do is to use the certs from master site and copy that over to each individual site. That way we have only one CA which is by default trusted because its on
master site.
We know its far from secure but the certs anyway have a live time of , I believe, 999 years or so.

I am curios to learn what your options are and what you decide.

thanks

Michael

Hi Mike,

currently I dont have other options.

There are still features requested by the community which are not covered by the REST-API yet, like: Customer creation, Global-Setting Management, Cert Management.

Hopefully these features come more soon than late, because these features would make it even more of a breeze to work with Ansible and CheckMK.

Hi @Noah !

Please consider adding your suggestion to the dedicated ideas portal, so it could reach the decision-makers: https://ideas.checkmk.com/