I updated from 2.0 to 2.1p12 and I’m not able to get the Linux checkmk agent working. I downloaded the deb file from our bakery and installed it as usual. The service doesn’t start. the cmk-agent-ctl command is unknown. What could be the problem? I tested different Debian systems and also tried apt purge before the install.
Error message:
sudo dpkg -i check-mk-agent_2.1.0p12-c544c2ad9e346d1a_all.deb
Vormals nicht ausgewähltes Paket check-mk-agent wird gewählt.
(Lese Datenbank ... 137263 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von check-mk-agent_2.1.0p12-c544c2ad9e346d1a_all.deb ...
Entpacken von check-mk-agent (2.1.0p12-1.c544c2ad9e346d1a) ...
check-mk-agent (2.1.0p12-1.c544c2ad9e346d1a) wird eingerichtet ...
Reloading xinetd
Deactivating systemd unit 'cmk-agent-ctl-daemon.service' (if active)...
Deactivating systemd unit 'check-mk-agent.socket' (if active)...
Deactivating systemd unit 'check-mk-agent-async.service' (if active)...
Deactivating systemd unit 'cmk-update-agent.timer' (if active)...
The agent control use the port 8000 for communication. If you use the bakery, the agent was baked with enabled cmk-agent-ctl. Now you need to register the agnet for TLS handshake.
If you want to use the agent in legacy mode, you need to disable cmk-agent-ctl in bakery rules.
but for this I need the command cmk-agent-ctl register, and that is unkown?
I can’t see this output mentioned in the installation guide:
Deploying systemd units: check-mk-agent.socket check-mk-agent-async.service cmk-agent-ctl-daemon.service check-mk-agent@.service
Deployed systemd
Creating/updating cmk-agent user account ...
WARNING: The agent controller is operating in an insecure mode! To secure the connection run cmk-agent-ctl register.
Reloading xinetd
Activating systemd unit 'check-mk-agent.socket'...
Created symlink /etc/systemd/system/sockets.target.wants/check-mk-agent.socket → /lib/systemd/system/check-mk-agent.socket.
Activating systemd unit 'check-mk-agent-async.service'...
Created symlink /etc/systemd/system/multi-user.target.wants/check-mk-agent-async.service → /lib/systemd/system/check-mk-agent-async.service.
Activating systemd unit 'cmk-agent-ctl-daemon.service'...
Created symlink /etc/systemd/system/multi-user.target.wants/cmk-agent-ctl-daemon.service → /lib/systemd/system/cmk-agent-ctl-daemon.service.
I found an old enabled rule “Checkmk agent network service (Linux)” → Don’t Install checkmk service.
After disabling it was possible to install the service.
Unfortunately I get an error while registering:
Do you want to establish this connection? [Y/n]
> y
ERROR [cmk_agent_ctl] Error pairing with SERVERNAME:8000/SITENAME
Caused by:
Request failed with code 401 Unauthorized: You need to be authenticated to use the REST API.
omd config show | grep AGENT_RECEIVER
shows port 8000.
openssl s_client -connect cmkserver:8000
looks ok, too.
I was able to register windows clients.
I tried to disable basic auth in /omd/sites/[SITE_NAME]/etc/apache/conf.d/auth.conf, but the error remains.
curl -v https://servername/site/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
* Trying 192.168.119.1:443...
* Connected to servername (192.168.119.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
"Common problems regarding this request are:
The certificate used by the REST API is either self signed or signed by an internal CA."
Oh, I hate this certificate problems
We are using a certificate signed by our internal CA.
I updated the trust store with the root CA and now curl is working without failures.
But I still get the error
Do you want to establish this connection? [Y/n]
> y
ERROR [cmk_agent_ctl] Error pairing with SERVERNAME:8000/SITENAME
Caused by:
Request failed with code 401 Unauthorized: You need to be authenticated to use the REST API.
Ok I got it. I have to use an automation user with a secret. Now everything is working.
To sum up:
I disabled an old rule “Don’t install checkmk service”.
I updated the trust store with our CA cert.
I used the automation user for registration.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.
