Automatic Certificate Check for TLS Registration

I am currently registering agents using cmk-agent-ctl register --trust-cert during automatic setup, which blindly trusts the server certificate. Given that I know the server's certificate and its CA, is there any way around this? If I leave out the --trust-cert option I am presented with a prompt which breaks automation. Is there a well-known location where I could store the known certificate so the registration process can use it to verify the server's certificate automatically?

1 Like

Hi @Birger ,

we discussed this with @mhoess today and I figured the cmk-agent-ctl is open source, so I checked the code where trust-cert is being used.

checkmk/packages/cmk-agent-ctl/src/modes/registration.rs at master · Checkmk/checkmk · GitHub ← to me that very much looks like the registration has just two options when checking the server cert, either

a) --trust-cert is provided and any cert is trusted blindly or

b) an interactive prompt asks the user to confirm.

@Maximilian from a security perspective, wouldn’t it be good/necessary to have a third option e.g. distributing the checkmk created CA (by GPO/other already trusted software distribution ways) and have cmk-agent-ctl use that? Currently, if I see that correctly I can only use full automation for tls registration if I blindly trust any presented cert, hence accepting that a MITM might be listening from the start?

1 Like

Hi @gstolz , @Birger ,

valid concern. I don't fully remember our thoughts back then. I guess the least we could do is to add some parameter so you could provide the fingerprint of the CA to trust.

Anyway, I will discuss this internally.

BR, Max

2 Likes

I guess the least we could do is to add some parameter so you could provide the fingerprint of the CA to trust.

@Maximilian fingerprint or CA file or whatever can be used for automation while preserving the trust chain would be great.

2 Likes
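To make the "third option" discussed in this thread concrete, here is an added example of what a fail-closed, pin-based trust decision for an unattended registration could look like. It is illustration written for this page, not code from cmk-agent-ctl or Checkmk; the function names (`decide_trust`, `normalize_fingerprint`, `sha256_fingerprint`), the keyword parameters and the DER bytes are all hypothetical or constructed. The point it demonstrates: with a pinned fingerprint the presented certificate is compared in constant time and nothing else is consulted; without a pin, blind trust is honoured only when explicitly requested; and when neither a pin nor an interactive prompt is available, the registration refuses instead of trusting whatever is presented.

```python
"""Added example (not cmk-agent-ctl code): fail-closed certificate pinning
for an unattended agent registration. All names are hypothetical and the
DER bytes are constructed sample data, not a real certificate."""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed stand-in for the DER-encoded certificate a server presents.
# A real client would take this from the TLS handshake
# (e.g. ssl.SSLSocket.getpeercert(binary_form=True)).
SAMPLE_SERVER_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-der-not-a-real-cert"


def sha256_fingerprint(der: bytes) -> str:
    """Return the SHA-256 fingerprint in the colon-separated form OpenSSL prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'sha256:AB:CD:..' and return lowercase hex.

    Raises ValueError on anything that is not a full SHA-256 fingerprint, so a
    truncated or mistyped pin cannot silently widen what is accepted.
    """
    fp = fp.strip()
    if fp.lower().startswith("sha256:"):
        fp = fp[len("sha256:"):]
    hexdigits = fp.replace(":", "").replace(" ", "").lower()
    if len(hexdigits) != 64 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return hexdigits


def decide_trust(presented_der: bytes, *,
                 trust_any: bool = False,
                 pinned_fingerprint: Optional[str] = None,
                 interactive_confirm: Optional[Callable[[str], bool]] = None) -> bool:
    """Decide whether registration may proceed with the presented certificate.

    The order mirrors the three modes discussed in the thread:
      1. an explicit pin wins; the fingerprint is compared in constant time and
         a mismatch is final, even if trust_any was also requested;
      2. without a pin, --trust-cert style blind trust is honoured only if asked for;
      3. otherwise fall back to an interactive prompt, and fail closed when
         there is none (unattended run with no pin).
    """
    if pinned_fingerprint is not None:
        expected = normalize_fingerprint(pinned_fingerprint)
        actual = hashlib.sha256(presented_der).hexdigest()
        return hmac.compare_digest(expected, actual)
    if trust_any:
        return True
    if interactive_confirm is None:
        return False  # no pin, no operator: refuse rather than trust blindly
    return bool(interactive_confirm(sha256_fingerprint(presented_der)))


if __name__ == "__main__":
    pin = sha256_fingerprint(SAMPLE_SERVER_CERT_DER)
    print("pin:", pin)
    print("pinned, matching cert  ->", decide_trust(SAMPLE_SERVER_CERT_DER, pinned_fingerprint=pin))
    print("pinned, other cert     ->", decide_trust(b"other", pinned_fingerprint=pin))
    print("unattended, no pin     ->", decide_trust(SAMPLE_SERVER_CERT_DER))
```

The pin here is the fingerprint of the presented certificate itself, which is the simplest form of what the thread asks for; pinning the CA instead means verifying the presented chain against a distributed CA file (in Python that would be `ssl.create_default_context(cafile=...)` with the Checkmk CA, an assumption about how one would wire it up), and the same fail-closed rule applies when that file is missing.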