CheckMK Agent SSL Error

CMK version: 2.3.0p30

Error message: Version: 2.3.0p30, OS: linux, Update error: HTTPSConnectionPool(host=‘monitoring.mydomain.eu’, port=443): Max retries exceeded with url: /mysite/check_mk/deploy_agent.py (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1076)’)))WARN , Last update: 2025-04-30 14:33:08, Agent plug-ins: 2, Local checks: 0

Hi everyone, I’ve recently migrated our site to a fresh cluster.
After doing so, I changed the domain and entered a new SSL cert into the Agent Updater rule. So far so good, but now I’m getting a ton of SSL errors from the Check_MK Agent like the one above.
Obviously every host that we’ve got is completely stale right now and I don’t know where my mistake is :smiley: since some of our hosts connect just fine with the agent now.

Edit:
Maybe it’s using the URL “/mysite/check_mk/deploy_agent.py” instead of “monitoring.mydomain.eu/mysite/check_mk/deploy_agent.py”?

This is one of the hardest tasks if you use an agent updater.

Not so good. In case of changing certificates, you should first deploy the new root certificates (if the root is changed) with the agent. Only after all agents know the new root certificate would I change the certificate. But in the meantime you also need a mechanism where both (old and new name) point to the same server.

In the end - now it is too late - you must manually correct the agents that don’t want to speak with your system. The easiest way is to redeploy the agent package now with the new agent updater to these systems.


Too bad I didn’t do that in the first place :slight_smile:
Is there a way to deploy/reinstall the agent via WATO without installing the agent manually on every Host? :smiley:

I would say no. In such a case I would use the method that was used for the first deployment: software management, Ansible or some PowerShell script.

Was expecting that answer :smiley:

So for future migrations:

  1. rollout new Root cert and wait
  2. rollout new client cert and wait
  3. change agent updater url
  4. happy migration?

Number 2 is normally not needed. In my environments the updater knows only the root certificate that signed my server cert.
In the best case, and to have a smooth transition, your server should be reachable with the new and old name for some time. It should also provide a valid certificate on each name.
Then you have only steps 1 + 3 and that is all.
After all agents are updated to the new agent update URL, you can remove the old name and vhost configuration.
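
Added example, not part of the original thread: a pre-flight check for step 1 of the procedure above, using the openssl CLI (1.1.0 or later) to confirm that the trust bundle rolled out to the agents validates the new server certificate before the updater URL is switched. The PKI is a constructed throwaway with hypothetical names (`monitoring.example.test`, `step1-bundle.pem`); for a real check, save the served chain with `fetch_chain` under both the old and the new name and pass the certificate file the agents were given as the trust file.

```shell
#!/bin/sh
# Added example: pre-migration trust check with the openssl CLI (OpenSSL 1.1.0+).

# Save the certificates a server presents under a given name (needs network).
# Usage: fetch_chain monitoring.mydomain.eu > served-chain.pem
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Succeeds only if the first certificate in CHAIN_PEM chains up to a CA in
# TRUST_PEM. Further certificates in CHAIN_PEM serve as untrusted intermediates.
# Usage: chain_trusted TRUST_PEM CHAIN_PEM
chain_trusted() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1 (all names constructed): an old root,
# a new root, and a server certificate issued by the new root.
make_demo_pki() {
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca root" \
            -keyout "$1/$ca-root.key" -out "$1/$ca-root.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=monitoring.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/new-root.pem" -CAkey "$1/new-root.key" \
        -CAcreateserial -days 2 -out "$1/server.pem" 2>/dev/null || return 1
    # Trust bundle rolled out in step 1: agents keep the old root and gain the new one.
    cat "$1/old-root.pem" "$1/new-root.pem" > "$1/step1-bundle.pem"
}

# Report what an agent holding TRUST_PEM would decide about CHAIN_PEM.
report() {
    if chain_trusted "$1" "$2"; then echo "OK    $1"; else echo "FAIL  $1"; fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
report "$demo_dir/old-root.pem" "$demo_dir/server.pem"      # agent not yet updated
report "$demo_dir/step1-bundle.pem" "$demo_dir/server.pem"  # agent after step 1
rm -rf "$demo_dir"
```

A `FAIL` for the trust file currently on the agents means those agents will reject the new certificate, which is the state the thread starts from.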

Sounds good. I’ll keep that in mind for our next, hopefully not so soon, migration.
Thank you!
