Checkmk agent registration fails when executed remotely

mm1 · June 1, 2022, 10:47am

CMK version:2.1.0
OS Version: Appliance 1.5.1

i’m trying to automate the process of registering our updated windows hosts to thee monitoring for tls encryption. when i executing the command remotely via powershell i’m getting the error:

[2022-06-01 12:14:30.888993 +02:00] ERROR [cmk_agent_ctl] src\main.rs:29: Error loading client certificate
    + CategoryInfo          : NotSpecified: ([2022-06-01 12:...ent certificate:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

when executing the same script locally on the server it’s working fine.

my script:

$computerName = 'HOSTNAME'

Enter-PSSession -ComputerName $computerName 
   
    $hostname = $(($env:Computername).ToUpper())
    $user = "agent-registration"
    $secret = "XXXXX"
    $server = "192.168.21.251"
    $site = "lg"

    $arguments = "register", "--trust-cert", "-H$hostname", "-s$server", "-i$site", "-U$user", "-P$secret"
    & "C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" $arguments

has anybody encountered a similar problem, or an easier idea on how to automate this task?

Greetings
Moritz

bkuhn · September 15, 2022, 7:52am

Hi Moritz,

We’re running into the same Problem when trying to register the Windows Agent using Ansible (winrm/ PowerShell).

It looks like it is currently not possible to register the agents automatically, since the certificate store is remote not available.

Since you build PS manually, maybe you can build a workaround using this information: Adding a Certificate to a Store Using PowerShell -- Microsoft Certified Professional Magazine Online?

In total, a fix in the Agent would be nice to simplify the registration workflow.

bkuhn · November 22, 2022, 11:00am

Solution for Ansible:

Using win_shell instead of win_command.

bkuhn · November 23, 2022, 4:05pm

Sadly, win_shell is not the entire solution.

After we thought it worked, we hit another Problem. A Microsoft Expert tried to fix it and figured out the following:

The Remote Registration only works, if the User had before an Interactive Login. So, the moment you delete the User Profile, the same Error appears. Login with the User and run command (remote) again, It works,

So, no real solution yet, maybe the Problem can be resolved in Checkmk by using the Local Certificate Store:

But that’s just my Idea. Since the Problems seam to be that the one for the user can’t be created.
Also, it would mean (I guess for all) that when the User (profile) of the Registration Users is removed, the Agent will stop working. (In the test, when removing the profile, the agent_ctl.exe status also shows the same error after).

system · November 23, 2023, 4:05pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.