BUG: Bake and sign agents does NOT sign agents

After creating new agents with “Bake & sign agents” all new agents report back as unsigned.
But creating new agents with “Bake agents” and then “Sign agents” works.

Version: CMK Enterprise 2.0.0p21

Does this happen every time, or did it only happen once?

As far as I tested it, every time.

Never heard of that behavior. You should check the logs or open a ticket.

Any ideas which logs to look at?
I could not find anything about agent baking in the “usual suspects”.

The only problem with “bake & sign” i had until now was that sometimes not all agent are get signed.
That’s why sometimes I make a “bake & sign” and after it completes a single “sign agent” to be save that all agents get a valid signature. I had no system like that from @msommer that no agent got signed.

As far as I know, when doing a bake(&sign) only agents that really need a re-bake (because of config/version changes) are actually re-baked and the others stay untouched.
So maybe in fact it does not work for you too, and “not all agents were signed” actually means none of the really “re-baked” agents were signed?

I can second Andreas’ observation. And I would say @msommer that even for actions where all agents are rebaked (i.e. after an update of checkmk) it only affects some agents, not all. I haven’t really seen a pattern yet, some instances are never affected, others more regularly, but no instance is affected at every baking process.

1 Like

For me it’s exactly the same thing. Sometimes it’s one or 2 agents and sometimes it’s like 5. Never really had more than that. We have ~150 baked agents in total.

1 Like

As at least some of you have a support contract, I suggest opening a ticket, so we can take a look at logs and so on together, rather than poking the haystack. :slight_smile:
You may request my name in the ticket.

Hi Robin,
I would open a ticket if this was reproducible… but I’ve seen it happen at customers once in a while, and then not for multiple weeks… plus the workaround is simply too simple for any single customer to be willing to invest time into troubleshooting this.

Absolutely understandable, no worries.
I have not seen this myself yet, hence the query to investigate more in depth.
But maybe someone else comes across this and is able to invest time into troubleshooting this.

Hi Robin,
it still seems to happen, but somehow less often… I haven’t seen it for a few weeks at our own and customer installations but maybe we just didn’t have as many changes and baking processes in the recent past. Problem: if I open a ticket now and then can’t reproduce it for weeks, the ticket will simply be closed and at the same time, once the problem occurs, customers sometimes want the changes rolled out quickly so we can’t leave dozens of agents unsigned. So is there information that you would recommend collecting in thsi case before we re-sign everything so the customer can proceed with normal agent-update operations?


(alternatively: a fix that simply does a quick verification after the signing process if really all agents have been signed would be appreciated as well :D)

Hi @gstolz,
at this point I got nothing, sorry.
We are looking at something internally, but at this point, without the possibility to reproduce this, our hands are kind of tied.

We found a bug in the agent bakery that leads to invalid signatures. We fix it with Werk #14608, so stay tuned for Checkmk 2.1.0p10 - It will be released soon.

The observed bug somehow doesn’t fit to the behavior reported by @msommer, but let’s see if this will be fixed.

Also, there will be the possibility to activate logging for the agent bakery, see Werk #14606 - If signatures are still missing after the fix from Werk #14608, the logfile may be worth a look, as a warning will be written if the bakery fails to sign an agent.

1 Like