Checkmk Agent installation error on Linux after update to 2.1

Troubleshooting
,
6

I found an old enabled rule “Checkmk agent network service (Linux)” → Don’t Install checkmk service.
After disabling it was possible to install the service.
Unfortunately I get an error while registering:

Do you want to establish this connection? [Y/n]
> y
ERROR [cmk_agent_ctl] Error pairing with SERVERNAME:8000/SITENAME

Caused by:
    Request failed with code 401 Unauthorized: You need to be authenticated to use the REST API.


omd config show | grep AGENT_RECEIVER

shows port 8000.

openssl s_client -connect cmkserver:8000

looks ok, too.
I was able to register windows clients.

Same question like here Registration to my checkmk server fails with 401 Unauthorized - Troubleshooting - Checkmk Community
and here CEE2.0.0p1 - Registering of Baked Agents fails - Troubleshooting - Checkmk Community

I tried to disable basic auth in /omd/sites/[SITE_NAME]/etc/apache/conf.d/auth.conf, but the error remains.

curl -v https://servername/site/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
*   Trying 192.168.119.1:443...
* Connected to servername (192.168.119.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

"Common problems regarding this request are:

  • The certificate used by the REST API is either self signed or signed by an internal CA."

Oh, I hate this certificate problems :frowning:
We are using a certificate signed by our internal CA.