On the server, yes, could connect.
What does the command cmk-agent-ctl status say? Guess it shows the certificate.
I had this same problem on one site only and, despite a lot of effort, could not make it work in TLS.
I had to revert to legacy mode (no TLS). Even that is not so simple. After running the command cmk-agent-ctl delete-all, it still does not show up in legacy mode. One has to manually add an empty file “allow-legacy-pull” to directory /var/lib/cmk-agent/. On top of that, it’s a good idea to remove the TLS registration in the GUI from Setup->Hosts to get rid of that TLS warning.
I would also like to know how one ends up in this situation where TLS registration goes fine, the certificate looks good, one can execute the agent perfectly at the target, cmk-agent-ctl-daemon listens on 6556, all server ports are accessible from the target, but the server just cannot access it from the GUI or the cmk command line: always a time-out, and it gives this frustrating os error 113. Not that I haven’t investigated/tested the scenario for weeks …
My feeling is that something happened in the code between 2.1.0p16 and 2.1.0p25.
What I found is that one of the pieces of info given when debugging is
“/var/lib/cmk-agent/cmk-agent-ctl.toml”. I couldn’t find this file.
On the Checkmk server I can’t use the command cmk-agent-ctl; not sure this is normal.
Could you guide me on how to check for the certificate on the server?
Here’s what I got from cmk-agent-ctl status:
#cmk-agent-ctl status
Version: 2.1.0p25
Agent socket: operational
IP allowlist: any
Legacy mode: enabled
No connections
Seems you are geared up for legacy mode (assuming cmk-agent-ctl is already listening to port 6556).
Make sure you have file /var/lib/check_mk_agent/allow-legacy-pull existing in the target. It’s a 0-length file, so just ‘touch allow-legacy-pull’ will create it.
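The distinction this thread turns on (legacy pull is unencrypted, TLS needs a successful registration) can be checked mechanically from `cmk-agent-ctl status` output. This is an added example, not part of the original posts and not Checkmk project code: the function names, state names and the `<host>.status` file layout are hypothetical, and it matches only the `Legacy mode:` and `No connections` lines shown above.

```shell
#!/bin/sh
# Added example, not Checkmk project code.
# Reads `cmk-agent-ctl status` output on stdin, prints one transport state.
# Only the "Legacy mode:" and "No connections" lines quoted in this thread are
# matched; reading a missing "No connections" line as "registered" is an assumption.
classify_agent_transport() {
    status_text=$(cat)
    legacy=$(printf '%s\n' "$status_text" |
        sed -n -e 's/[[:space:]]*$//' -e 's/^Legacy mode:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$status_text" | grep -q '^No connections'; then
        registered=no
    else
        registered=yes
    fi
    case "$legacy:$registered" in
        :*)        echo unknown ;;             # no "Legacy mode:" value found
        enabled:*) echo legacy-unencrypted ;;  # cleartext pull on 6556 is allowed
        *:yes)     echo tls-registered ;;
        *:no)      echo no-transport ;;        # neither legacy nor registered
    esac
}

# Audit saved status outputs, one file per host (hypothetical layout
# <dir>/<host>.status). Returns 1 if any host is not on registered TLS.
audit_status_dir() {
    rc=0
    for f in "$1"/*.status; do
        [ -e "$f" ] || continue
        state=$(classify_agent_transport < "$f")
        printf '%s\t%s\n' "$(basename "$f" .status)" "$state"
        [ "$state" = tls-registered ] || rc=1
    done
    return "$rc"
}

# Constructed demo input: the status output posted in this thread.
demo=$(mktemp -d)
printf 'Version: 2.1.0p25\nAgent socket: operational\nIP allowlist: any\nLegacy mode: enabled\nNo connections\n' > "$demo/host-a.status"
audit_status_dir "$demo" || echo "at least one host is not using registered TLS"
rm -rf "$demo"
```

On a live host the classifier can be fed directly with `cmk-agent-ctl status | classify_agent_transport`.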
Yes, it’s listening on port 6556.
But how can I use TLS instead of legacy mode when I can’t register?
Then prepare the proxy registration directly on the server, using localhost or 127.0.0.1 instead of the FQDN for the name of the Checkmk server.
The file is there; when I cat it I get the output below:
cat allow-legacy-pull
This file has been placed as a marker for cmk-agent-ctl
to allow unencrypted legacy agent pull mode.
It will be removed automatically on first successful agent registration.
You can remove it manually to disallow legacy mode, but note that
for regular operation you need to register the agent anyway.
I ran it as you suggested on the host and got the error below:
cmk-agent-ctl proxy-register --hostname hostname --server localhost --site monitoring --user cmkadmin
INFO [cmk_agent_ctl] starting
INFO [cmk_agent_ctl] Loaded config from ‘“/var/lib/cmk-agent/cmk-agent-ctl.toml”’, legacy pull ‘LegacyPullMarker(“/var/lib/cmk-agent/allow-legacy-pull”)’ exists
DEBUG [reqwest::connect] starting new connection: https://localhost/
INFO [cmk_agent_ctl::site_spec] Failed to discover agent receiver port using https, trying http.
DEBUG [cmk_agent_ctl::site_spec] https error “Failed to discover agent receiver port from https://localhost/monitoring/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke\ninvalid digit found in string”
DEBUG [reqwest::connect] starting new connection: http://localhost/
INFO [cmk_agent_ctl::site_spec] Failed to discover agent receiver port using http.
DEBUG [cmk_agent_ctl::site_spec] http error “Failed to discover agent receiver port from http://localhost/monitoring/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke\ninvalid digit found in string”
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https. Run with verbose output to see errors.