Checkmk Agent Not Listening on 6556 After Reinstalling Agent v2.1.0

mendikant · April 23, 2023, 1:18pm

Can confirm the bug in version 2.2.0b3-1
but the workaround mentioned by @jsmyth doesn’ work. I don’t have the file allow-legacy-pull on one of my working systems

mendikant · April 24, 2023, 7:38am

I had to rebuild my checkmk instance.

Annoying:

Registered agent:

Status checked. Still connected to the old instance.

cmk-agent-ctl status
WARN [rustls::conn] Sending fatal alert BadCertificate
Version: 2.2.0b2
Agent socket: operational
IP allowlist: any


Connection: watch.sec.httg/hlwatch
	UUID: 61e46165-97cd-4fef-b51e-c1cf79e6d785
	Local:
		Connection mode: pull-agent
		Connecting to receiver port: 8000
		Certificate issuer: Site 'hlwatch' agent signing CA
		Certificate validity: Thu, 20 Apr 2023 08:09:14 +0000 - Thu, 20 Apr 2028 08:09:14 +0000

Connection deleted.

 cmk-agent-ctl delete 61e46165-97cd-4fef-b51e-c1cf79e6d785
Deleted pull connection 'watch.sec.httg/hlwatch'
OK [hlsshD ~]# cmk-agent-ctl status
Version: 2.2.0b2
Agent socket: operational
IP allowlist: any
No connections

Port disabled. Why does this happen? Reinstallation does not help.

[hlsshD ~]# telnet 192.168.20.50 6556
Trying 192.168.20.50...
telnet: Unable to connect to remote host: Connection refused
Error [hlsshD ~]# ss -tulpn | grep 6556 
Error [hlsshD ~]#

i am not happy about this.

mschlenker · April 24, 2023, 8:12am

The allow-legacy-pull file enables the “old style unencrypted” transport, while missing “registered_connections.json” should mean no trust relation, no connection.

So to re-enable unencrypted communication you can touch the allow-legacy-pull file. I guess, we should document this.

mendikant · April 25, 2023, 4:48am

That worked. Thank you. Yes, you should document this more clearly.

i hope i can stay with checkmk. it seems to consume too many resources for me.

r3dspace · February 23, 2024, 5:38pm

I had the same issue with agent version 2.2.0p22. The fix of @neilyoung worked for me. I just had to reboot the system after I registered it.

lucabarelli · March 12, 2024, 12:22pm

TL;DR

use “cmk-agent-ctl delete-all --enable-insecure-connections -vv”

Hi, this problem made me scratching my head quite a bit.
Finally I’ve found the solution here: Agent controller: Add option to (re-)enable legacy pull mode

Well, you have to be creative to get it but in the werk says:
“The corresponding flag can be passed as an option to the delete-all subcommand.”

So I’ve triedcmk-agent-ctl delete-all --help and voilà!

“FLAGS:
–enable-insecure-connections Enable insecure connections (no TLS, agent output will be accessible via TCP”

Kinda tricky to find…