Can't register Agent for TLS encryption unless "automation secret" is set for User "automation"

Hi Everyone,
First-time poster. I hope I'm doing everything right. Here I go:

Checkmk version: Checkmk Raw Edition 2.2.0p12

OS version of Checkmk server or monitored system:
Ubuntu 20.04.6 LTS on Checkmk server / Windows 10 on monitored system

Description of the problem: I just set up a fresh Checkmk Raw on my system and wanted to test the monitoring on my Win10 host. I followed this guide: Monitoring Windows - The new agent for Windows in detail

Before registration, I set a random password for the user “automation”, wrote it down somewhere, and saved.
When I got to the registration of the agent, I encountered an error message.

Command :

"C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" register -s <IP-Address> -i <sitename> -U automation -H <hostname>

Output:

Attempting to register at <IP-Address>, port 8000. Server certificate details:
PEM-encoded certificate:
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
Issued by:
       Site '<sitename>' local CA
Issued to:
      <sitename>
Validity:
       From Mon, 30 Oct 2023 13:56:24 +0000
       To   Wed, 30 Oct 3022 13:56:24 +0000

Do you want to establish this connection? [Y/n]
Y

Please enter password for 'automation'
[2023-11-01 15:57:49.552267 +01:00] ERROR [cmk_agent_ctl] src\main.rs:29: Error registering existing host at https://<IP-Address>:8000/<sitename>

Caused by:
   Request failed with code 500 Internal Server Error: Internal Server Error

In the forum, I found this as a fix: Permissions for automation user to run cmk-agent-ctl register?

That didn't work for me, unfortunately. Also, since the user “automation” seems to have the admin role, that didn't make sense to me. I reverted all changes in permissions to default afterwards.

Registration with the user cmkadmin was also not possible.

Then, I looked around and checked the file /opt/omd/sites/sitename/var/log/agent-receiver/error.log. At the bottom, I saw this entry:

FileNotFoundError: [Errno 2] No such file or directory: '/omd/sites/sitename/var/check_mk/web/automation/automation.secret'

That gave me the idea to set the Authentication of the user automation to “Automation secret for machine accounts”. I set a random value there, saved, and attempted the registration with the user cmkadmin. That worked! I tested back and forth with this, but now I'm confused. I can use the user cmkadmin for agent registration, but only if the user automation has Authentication set to automation secret… I'm not sure whether or not I caused this error in my configuration of Checkmk, if I just lack understanding of how this works or if I encountered a bug. I'm hoping to get a better understanding here. Any advice is appreciated.

Kind regards
Hannes

Hi.
In normal cases the file automation.secret exists in the given path. Please make sure that this file is still there. This file contains the randomly created secret. It’s the same for all users.

Rg, Christian

Hi Christian,
thank you for your reply!

As long as the authentication method for the user “automation” is set to “Automation secret for machine accounts”, this file exists. When authentication is set to Password, it does not.

It just dawned upon me that I was never supposed to fiddle with the user automation at all :frowning:

By setting a password there, I essentially created this problem. Checkmk apparently needs this file if any user wants to register an Agent. Following my own logic, this might be a flaw in the documentation I read, since it uses the user automation with a password.

Kind regards
Hannes

The account “automation” has to be an automation account with an automation secret.
There are many internal Checkmk processes that use this account.

1 Like

A screenshot in the documentation shows an agent-registration using the user “automation” with a password. I assumed that setting a password for the user myself and using it in the same fashion was the correct way there. Does this mean the documentation is a bit misleading there or is the automation-secret used with the same parameter like this?

cmk-agent-ctl.exe register [...] --password "<automation-secret>" 

Ok, this is an unlucky coincidence. The agent controller uses “--password” for users with a password and also for automation accounts with a secret. Here you don’t have two options as with the agent updater.

yes

It is possible that with 2.3 the two registration processes are only one. We will see how the options are named there.

2 Likes
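
A server-side check for the condition this thread arrives at, as an added example that is not part of any post: given the site directory from the log line above (/omd/sites/<sitename>), it confirms that var/check_mk/web/automation/automation.secret exists and is non-empty, and counts the matching FileNotFoundError entries in var/log/agent-receiver/error.log. The function name, its messages and the world-readable warning are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. The two paths are the ones quoted in the
# posts; check_automation_secret and its messages are hypothetical names.

# Usage: check_automation_secret /omd/sites/<sitename>
# Returns 0 if the secret file is present and non-empty, 1 otherwise.
check_automation_secret() {
    site_root=$1
    secret="$site_root/var/check_mk/web/automation/automation.secret"
    log="$site_root/var/log/agent-receiver/error.log"
    rc=0

    if [ ! -e "$secret" ]; then
        # In the thread the file was absent while "automation" used
        # password authentication instead of an automation secret.
        echo "MISSING: $secret"
        rc=1
    elif [ ! -s "$secret" ]; then
        echo "EMPTY: $secret"
        rc=1
    else
        echo "OK: $secret exists"
        # Report metadata only; the secret itself is never printed.
        if [ -n "$(find "$secret" -perm -004 2>/dev/null)" ]; then
            echo "WARN: $secret is world-readable"
        fi
    fi

    if [ -r "$log" ]; then
        # grep -c exits non-zero on zero matches, hence "|| true".
        hits=$(grep -c "FileNotFoundError.*automation\.secret" "$log" || true)
        echo "agent-receiver error.log: $hits FileNotFoundError entries for automation.secret"
    fi
    return $rc
}
```

Run it as the site user or root on the Checkmk server, for example `check_automation_secret /omd/sites/<sitename>`.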