Certificate Error at Agent Registration

Hello everyone,

I wanted to set up the automatic updater agent, but for some reason I get a certificate error.
The wildcard certificate is uploaded into the rule and detected.

Here is the error I get when I try to register the agent with the command cmk-update-agent register -v:
HTTPSConnectionPool(host=‘guard.domain.de’, port=443): Max retries exceeded with url: /guard/check_mk/login.py (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)])”)))
See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.

The error from cmk-update-agent.log file:
During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “site-packages/requests/adapters.py”, line 449, in send
File “site-packages/urllib3/connectionpool.py”, line 725, in urlopen
File “site-packages/urllib3/util/retry.py”, line 439, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host=‘guard.domain.de’, port=443): Max retries exceeded with url: /guard/check_mk/login.py (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)])”)))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “cmk_update_agent.py”, line 1889, in main
File “cmk_update_agent.py”, line 878, in run
File “cmk_update_agent.py”, line 1001, in _run_mode
File “cmk_update_agent.py”, line 1108, in _register_agent
File “cmk_update_agent.py”, line 323, in fetch_data_from_server
File “cmk_update_agent.py”, line 316, in fetch_data_from_server
File “cmk_update_agent.py”, line 331, in _do_request
File “cmk_update_agent.py”, line 384, in _login_site
File “site-packages/requests/sessions.py”, line 578, in post
File “site-packages/requests/sessions.py”, line 530, in request
File “site-packages/requests/sessions.py”, line 643, in send
File “site-packages/requests/adapters.py”, line 514, in send

Hello @SebastianBulearca

What type of system are you using, the Checkmk virtual appliance or a Linux installation?
What did you upload in the agent updater rule? It is important that you enter the CA certificate that provides the certificates and not the certificate or key itself.

Besides the agent updater configuration, the webserver (Apache) that is being used for Checkmk needs to be configured correctly using TLS/SSL certificates:

So you either configure Apache manually with your TLS/SSL certificates and the certificate chain or, if you are using the appliance, you can easily upload those within the web interface.
After that you need to check if the certificates are being used correctly, e.g. with curl or openssl.
Chrome is the most picky browser for the time being, so I usually test accessing the SSL-secured websites with that.
If that works fine, you can try to reregister the host.

regards
Andre
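
Added example (not part of the reply above and not Checkmk's own tooling): a shell sketch of why the CA certificate, and not the wildcard certificate itself, has to be the trust anchor. It builds a throwaway CA and a wildcard leaf for the constructed name *.example.test, then runs `openssl verify` (without `-partial_chain`) with each file as the anchor; the function names and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. The CA and the wildcard leaf are constructed throwaway
# test material (CN "Demo Root CA", *.example.test), not from the thread.

# make_demo_pki DIR: create ca.pem and a wildcard leaf.pem signed by it.
make_demo_pki() {
    dir=$1
    cat > "$dir/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/cnf" \
        -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

# is_ca FILE: true if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# verifies_with ANCHOR CERT: true if CERT verifies with ANCHOR given as -CAfile.
verifies_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
make_demo_pki "$d"
for anchor in ca.pem leaf.pem; do
    if is_ca "$d/$anchor"; then kind="CA"; else kind="not a CA"; fi
    if verifies_with "$d/$anchor" "$d/leaf.pem"; then res=OK; else res=FAILED; fi
    echo "trust anchor $anchor ($kind): verify $res"
done
```

Running `is_ca` on the file you intend to upload shows whether it is a CA certificate or the server certificate.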

I added the CA certificate and solved my issue.

Thanks.
