The only certificate I so far have is the signed baked agents, how do I refresh them as currently the whole system is showing warnings?
Time until updater certificate #0 (CN=‘signature’) will expire: 80 days 22 hours (warn/crit below 90 days 0 hours/never)WARN , Time until all updater certificates are expired: 80 days 22 hours (warn/crit below 90 days 0 hours/30 days 0 hours)WARN , Agent plug-ins: 7, Local checks: 0
This is the issue I’m having, the warnings started shouting 90 days before its expiration and now everything is a mess in the generic alert view.
Can this signature key refresh be done better? Can I manually force the updates, or should the warning be smaller when it’s actually a problem, i.e. the automatic refresh failed for some reason?
I’d also be interested in the parameter or rule for shortening the time. It doesn’t exist!
The documentation says it’s a self-signed certificate from the agent controller that automatically renews shortly before expiration.
When before expiration? 90 days in advance would be good if the time period isn’t configurable.
Before Checkmk 2.2, the agent updater certificates that Checkmk generated had a lifetime of >20 years.
Starting with 2.2 any newly created agent signature keys (or rather their certificates) have a lifetime of 2 years.
Checkmk 2.2 was released in May 2023, so new keys created will just now start to expire.
This will hit a lot of installations and - as you have discovered - the alert is raised by every “Check_MK Agent” that uses that key. So if you have 1000 hosts, congratulations: you now have 1000 new alerts.
I have raised a support ticket and got confirmation that
a) this has started in 2.2
b) there is no werk for the reduced lifetime, only for the fact that “Check_MK Agent” monitors that expiration, which previously you didn’t have to care about as it was 20 years in the future.
c) there is no config setting to change the lifetime of new certificates
While there are now soft plans to move the alert to another place where it doesn’t multiply by the number of hosts, for now you are stuck with that.
Solution at the moment:
Create a new signature key
Add the new key into the agent updater rules
Baking & signing with the old key
Ensuring that all agents have been updated
Removal of the old key from agent updater rules
Baking & signing with the new key
Verification that all agents have run successfully again and installed the updated installer
If you want to get ahead of this - and I highly suggest you do:
check the long output of your “Check_MK Agent” services and replace the keys before they reach the threshold (90/30 days), so that no notifications are ever created for this.
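To act on that advice at scale, here is an added Python example (not part of this thread and not Checkmk code) that parses the per-certificate expiry fragments of the “Check_MK Agent” service output for several hosts and classifies which hosts need a key rotation before the check starts warning. The host names, the sample outputs and the 14-day lead time are constructed assumptions.

```python
import re
from datetime import timedelta

# One "Time until updater certificate #N (CN='...') will expire: D days H hours"
# fragment per key, as in the service output quoted earlier in this thread;
# straight and typographic quotes around the CN are both accepted.
CERT_RE = re.compile(
    r"Time until updater certificate #(?P<idx>\d+) \(CN=[‘'](?P<cn>[^’']+)[’']\)"
    r" will expire: (?P<days>\d+) days (?P<hours>\d+) hours"
)

# Constructed sample (not real monitoring data): the summary line of the
# "Check_MK Agent" service on four hosts, modelled on the output quoted above.
SAMPLE_OUTPUTS = {
    "web01": "Time until updater certificate #0 (CN='signature') will expire: "
             "80 days 22 hours (warn/crit below 90 days 0 hours/never)WARN , "
             "Time until all updater certificates are expired: 80 days 22 hours "
             "(warn/crit below 90 days 0 hours/30 days 0 hours)WARN , Agent plug-ins: 7, Local checks: 0",
    "db01": "Time until updater certificate #0 (CN='signature') will expire: 96 days 5 hours (warn/crit below 90 days 0 hours/never), Agent plug-ins: 3, Local checks: 1",
    "app02": "Time until updater certificate #0 (CN='signature') will expire: "
             "25 days 0 hours (warn/crit below 90 days 0 hours/never)WARN , "
             "Time until updater certificate #1 (CN='signature-2026') will expire: "
             "700 days 3 hours (warn/crit below 90 days 0 hours/never), Agent plug-ins: 7, Local checks: 0",
    "core03": "Time until updater certificate #0 (CN='signature-2026') will expire: 400 days 1 hours (warn/crit below 90 days 0 hours/never), Agent plug-ins: 2, Local checks: 0",
}

def parse_cert_expiry(output):
    """Return [(index, cn, remaining_lifetime)] for every updater
    certificate named in one service output string."""
    return [
        (int(m["idx"]), m["cn"], timedelta(days=int(m["days"]), hours=int(m["hours"])))
        for m in CERT_RE.finditer(output)
    ]

def rotation_plan(outputs, warn_days=90, lead_days=14):
    """Classify each host by its shortest-lived updater certificate: 'alerting'
    when already below the warn threshold, 'rotate' when it will cross it within
    lead_days, 'ok' otherwise, 'unknown' when no certificate is listed."""
    plan = {}
    for host, text in outputs.items():
        certs = parse_cert_expiry(text)
        if not certs:
            plan[host] = "unknown"
            continue
        remaining = min(c[2] for c in certs)   # the oldest key drives the alert
        if remaining < timedelta(days=warn_days):
            plan[host] = "alerting"
        elif remaining < timedelta(days=warn_days + lead_days):
            plan[host] = "rotate"
        else:
            plan[host] = "ok"
    return plan
```

Feed it the real service outputs (e.g. exported from a view) and schedule the key swap for every host marked "rotate" before the 90-day threshold turns it into one alert per host.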
I would like to inform you about the changes recently introduced for the agent signature keys in the Agent Bakery on Checkmk 2.2, 2.3 and 2.4.
In Checkmk 2.2.0, the agent signature keys in the Agent Bakery were inadvertently created with a shortened two-year lifetime. Since werk#15064, the imminent key expiry caused the Check_MK Agent service to go to a WARN/CRIT state, which could cause an overwhelming amount of email notifications for users with a large number of hosts.
To prevent an alert overload, the Check_MK Agent service will no longer switch to a WARN/CRIT state before expiry. Instead, the admins will now receive a GUI notification 90 days before expiry and the host contacts an email alert 20 days before. Additionally, the expiry dates are now visible in the Agent Bakery, and the newly created keys will have a 10-year lifetime.
For a more detailed description of the changes, as well as the recommended course of action, please check out the werk 17102.