Checkmk agent TLS registration

Checkmk Enterprise Edition 2.1.0p4
Debian 10

Error message:

I’m having an issue with registering the agent error (warning)

The hosts agent supports TLS, but it is not being used.
We strongly recommend to enable TLS by registering the host to the site (using the cmk-agent-ctl register command on the monitored host).
NOTE: A registered host will refuse all unencrypted connections. If the host is monitored by multiple sites, you must register to all of them. This can be problematic if you are monitoring the same host from a site running Checkmk version 2.0 or earlier.

If I try to register it with the command:

cmk-agent-ctl register --detect-proxy --hostname FOO --server bla.domain.com --site FOO --user BAR --password FOO

I’m getting an error:

ERROR [cmk_agent_ctl] Connection refused (os error 111)

When I’m editing my hosts file with the IP of the server and URL, it’s working.

But the info is the same as my DNS server gives me (for example: bla.domain.com 10.0.0.1) without hostfile and with hostfile bla.domain.com 10.0.0.1.

Port 8000 is open for any traffic internally

Anyone any suggestions?

Kind Regards,
Sander Böhm

Try adding the port 8000 to the server like this:

cmk-agent-ctl register --detect-proxy --hostname FOO --server bla.domain.com:8000 --site FOO --user automation --password FOO

Also, consider using the built-in “automation” user and password; worked for me.

1 Like

Thanks for your answer. I already use the automation user, and adding port 8000 doesn’t work.

Edit:
Found out, that it’s an issue in my network x)

I found a workaround for it: I’m now using the IP address of the server instead of the hostname, but that isn’t the solution yet…

I wish this type of “solution” would also come with “and HERE IS WHAT I FIXED in my network to make it work”.

Clearly, I have made the same error, yet there is no hint here as to where to start looking.

I forgot that I had several firewall rules between my VLANs and on my server where I tested it. During the test I changed only the firewall on the server, but forgot to change the VLAN ACLs as well.

Check this: whether the ports are open to connect and whether DNS name resolution is running as expected.

1 Like
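The two checks suggested above (DNS resolution and port reachability), as an added example that is not part of any post in this thread: it lists every address the resolver returns for the server name and classifies a TCP connect to each, separating "refused" (os error 111, an active reject by the host or a firewall in the path) from "timeout" (packets silently dropped). The function names are hypothetical; `bla.domain.com`, `10.0.0.1` and port 8000 are the placeholders used in the thread.

```python
import errno
import socket
import sys


def classify_connect(family, sockaddr, timeout=3.0):
    """Try one TCP connect and return 'open', 'refused', 'timeout' or 'error:<ERRNO>'."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"
        except socket.timeout:
            return "timeout"      # dropped on the way: look at ACLs between networks
        except ConnectionRefusedError:
            return "refused"      # ECONNREFUSED, the "os error 111" from cmk-agent-ctl
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def diagnose(server, port=8000, expected_ip=None, timeout=3.0):
    """Resolve `server` the way a client would and probe every returned address."""
    report = {"server": server, "port": port, "dns": "ok", "addresses": {}}
    try:
        infos = socket.getaddrinfo(server, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        report["dns"] = "failed: %s" % exc
        return report
    for family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        if ip not in report["addresses"]:   # the resolver may repeat an address
            report["addresses"][ip] = classify_connect(family, sockaddr, timeout)
    # A name that resolves, but not to the address you expect, is its own finding.
    if expected_ip is not None and expected_ip not in report["addresses"]:
        report["dns"] = "mismatch: expected %s" % expected_ip
    return report


if __name__ == "__main__":
    # Usage: python3 check_reg.py bla.domain.com 8000 10.0.0.1
    name = sys.argv[1] if len(sys.argv) > 1 else "bla.domain.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    result = diagnose(name, port, expected)
    print("DNS:", result["dns"])
    for ip, state in result["addresses"].items():
        print("  %s:%d -> %s" % (ip, port, state))
```

Run it on the monitored host once with the server name and once with the IP address; differing results between the two runs point at name resolution, identical failures point at filtering on the path.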