CheckMK RAW 2.3.0p30 - TLS not activated warning

BrianFL · April 22, 2025, 8:12pm

CMK version: RAW 2.3.0p30
OS version: RHEL 9

Error message: TLS not activated warning

I am getting this warning in CheckMK RAW edition.

According to this warning I should run “cmk-agent-ctl register”, but I have no luck with that.

Is there a way to resolve this?

Summary

Version: 2.3.0p30, OS: linux, TLS is not activated on monitored host (see details)WARN, Agent plug-ins: 0, Local checks: 0

Details:

Version: 2.3.0p30
OS: linux
The hosts agent supports TLS, but it is not being used.
We strongly recommend to enable TLS by registering the host to the site (using the cmk-agent-ctl register command on the monitored host).
NOTE: A registered host will refuse all unencrypted connections. If the host is monitored by multiple sites, you must register to all of them. This can be problematic if you are monitoring the same host from a site running Checkmk version 2.0 or earlier.
If you can not register the host, you can configure missing TLS to be OK in the setting “State in case of available but not enabled TLS” of the ruleset “Checkmk Agent installation auditing”.WARN
Agent plug-ins: 0
Local checks: 0

aeckstein · April 23, 2025, 5:40am

Hi Brian,

can you explain, what you tried and what the result was?

BrianFL · April 23, 2025, 11:59am

Hi Andre,

I have tried the following according instructions.
Usage: cmk-agent-ctl register --server <SERVER_SPEC> --site --user --hostname

cmk-agent-ctl register --server --site --user --hostname

And got this:

ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https. Run with verbose output to see errors.

briand · April 23, 2025, 1:02pm

Here are my personal notes on registering for both TLS and auto updater. I support CEE instances, so not sure how this may differ with Raw.

TLS:

Linux:
cmk-agent-ctl register --hostname mynewhost --server cmkserver --site mysite --user cmkadmin --password ‘test23’
Windows:
“C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe” register --hostname mynewhost --server cmkserver --site mysite --user automation --password “test23”

Agent auto update:

Linux:
cmk-update-agent register -s myserver.example.com -i mysite -H myhost -p https -U cmkadmin -P ‘test123’ -v
Windows:
“C:\Program Files (x86)\checkmk\service\check_mk_agent.exe” updater register

NOTE:
In a distributed env, the TLS must register to the site responsible for polling the host.
The agent updater plugin needs to register against the primary site

aeckstein · April 24, 2025, 9:31am

You can try to add the agent receiver port to the server like e.g. servername:8000

BrianFL · April 24, 2025, 12:46pm

Hi Andre,

How do I do that?

aeckstein · April 24, 2025, 12:48pm

You do the you already tried, but at the end of the checkmk server fqdn you add :8000

Wadim3364 · April 24, 2025, 1:47pm

Try this Powershell Script:

$hostname = hostname

Invoke-Command -ComputerName $hostname -ScriptBlock { & 'C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe' register --hostname $using:hostname --server YOURCHECKMKSERVER --site YOURSITE --user checkmk-register --password 'PASSWORD' }

echo "finished"

for --server use FQDN

I am using it on a SCCM Server so I can easily automate it

BrianFL · May 9, 2025, 12:00pm

Hi,

Sorry for the late reply.
Was caught up with some else.

Still no luck resolving this.

Failed to discover agent receiver port from Checkmk REST API, both with http and https.
How can I verify that the REST API agent receiver port is available or if the REST API is working or configured correctly?

Wadim3364 · May 12, 2025, 7:57am

You dont need to configure REST API. Do you have a distributed monitoring?

BrianFL · May 12, 2025, 11:45am

No distributed monitoring.

Why am I getting that error?

Wadim3364 · May 12, 2025, 1:16pm

In my case I dont need to type the port 8000. Can you try it aswell?

Wadim3364 · May 12, 2025, 1:26pm

Try this:

Create a new user inside CheckMK and name it like checkmk-register. Be sure that the “checkmk-register” user got enough permissions.

Open CMD as administrator and type this:

"C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe" register --hostname HOSTNAME --server FQDNOFCHECKMKSERVER --site SITENAME --user checkmk-register --password 'PASSWORD'

BrianFL · May 12, 2025, 2:51pm

Hi,

These are the only valid arguments:

C:\Program Files (x86)\checkmk\service>cmk-agent-ctl.exe register

error: the following required arguments were not provided:

–server <SERVER_SPEC>

–site

–user

–hostname

Usage: cmk-agent-ctl.exe register --server <SERVER_SPEC> --site --user --hostname

For more information, try ‘–help’.

BrianFL · May 12, 2025, 5:19pm

Reading the Warning message I noticed this.

from a security pov, would you recommend it?

Wadim3364 · May 13, 2025, 6:11am

TLS encryption is not mandatory.

Wadim3364 · May 13, 2025, 6:14am

Please show exactly what you typed into cmd. I double checked all and I already get the PEM encoded certificate in my prompt.

I think you did a mistate.

BrianFL · May 13, 2025, 12:31pm

Hi,

I am using arguments the command requires.

Usage: cmk-agent-ctl.exe register --server <SERVER_SPEC> --site --user --hostname

For more information, try ‘–help’.

This is what and how I entered:
cmk-agent-ctl.exe register --server SERVER-FQDN --site CMKSITE --user USERNAME --hostname HOSTNAME

Result:
[2025-05-13 09:26:50.169657 -03:00] ERROR [cmk_agent_ctl] src/main.rs:29: Failed to discover agent receiver port from Checkmk REST API, both with http and https. Run with verbose output to see errors.

BrianFL · May 13, 2025, 12:33pm

Is this also normal output?

cmk-agent-ctl.exe status

Version: 2.3.0p30
Agent socket: operational
IP allowlist: any
Legacy mode: enabled
No connections <<<<<<=================== is this normal?

Wadim3364 · May 13, 2025, 12:46pm

Why exactly didn’t you enter a password for the user?