Cloud Push agent behind a https reverse proxy

CMK version:

checkmk/check-mk-cloud:2.5.0-2025.07.22

OS version:

Ubuntu 24.04

Error message:

We have a corporate https reverse proxy where all communication must go through. Our checkmk-agents are operated as push agents for firewall reasons.

server → corporate-https-reverse-proxy → checkmk server

The corporate proxy terminates the https connection and then reverse-proxies it to the checkmk-server.

When I register a push agent, this is then the status:

sudo cmk-agent-ctl status
Version: 
Agent socket: operational
IP allowlist: any


Connection: ********/cmk
	UUID: *****
	Local:
		Connection mode: push-agent
		Connecting to receiver port: 443
		Certificate issuer: Site 'cmk' agent signing CA
		Certificate validity: Thu, 18 Dec 2025 11:06:52 +0000 - Wed, 18 Dec 2030 11:06:52 +0000
	Remote:
		Error: error sending request for url (https://****/cmk/agent-receiver/registration_status_v2/*****) (!!)

Have you already tried this?

No, I haven’t, but as I understood that option, these are two different things. That option says to consider variables like “HTTPS_PROXY” configured on the agent server. I don’t have a normal HTTPS proxy, but a reverse proxy in the middle which should be transparent to the agent.

Maybe I’m completely wrong here.

Then this transparent proxy will need configuration that allows the communication from the host to the checkmk server.

Correct. The reverse proxy knows that when it is addressed as checkmk.mycompany.com, it proxies the traffic to checkmk.something.internal.

Yeah it’s bad - checkmk stores credentials and trusted CAs in a cleartext file pre_configured_connections.json. From my testing I could not find a way to make it work - sure you can replace the root CA in that file with the one you use on the reverse proxy, but somewhere in that damn agent package the CA from the site is used and you cannot replace that and it’s likely updated anyway on next agent bake, and even if it wasn’t, you’d need some 3rd party tool to ensure your config would work etc.

[2025-12-28 21:21:49.432096 +01:00] ERROR [cmk_agent_ctl] cmk-agent-ctl\src\main.rs:35: Error querying registration progress at https://cmk-agent.domain.tld/sitename

Caused by:
0: Calling register_new_ongoing endpoint failed
1: error sending request for url (https://cmk-agent.domain.tld/sitename/agent-receiver/register_new_ongoing/6de90797-88af-4856-9a16-0d7fd0ed3805)
2: client error (Connect)
3: invalid peer certificate: UnknownIssuer

So someone from CheckMK should probably look into this - many use L7 instead of L4 for https traffic these days, in fact CheckMK is the ONLY service we’re forced to expose in this insecure manner.
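
For triage across many hosts, the error chain quoted above can be classified automatically. This is an added example, not part of the thread and not Checkmk code. It assumes the log layout shown in the thread; the second sample entry is constructed, and `triage` and the verdict labels are hypothetical names.

```python
import re
from urllib.parse import urlparse

# First entry: the log excerpt quoted in the thread. Second entry: constructed
# for contrast (hypothetical host, plain TCP failure with no TLS problem).
SAMPLE_LOG = r"""[2025-12-28 21:21:49.432096 +01:00] ERROR [cmk_agent_ctl] cmk-agent-ctl\src\main.rs:35: Error querying registration progress at https://cmk-agent.domain.tld/sitename

Caused by:
0: Calling register_new_ongoing endpoint failed
1: error sending request for url (https://cmk-agent.domain.tld/sitename/agent-receiver/register_new_ongoing/6de90797-88af-4856-9a16-0d7fd0ed3805)
2: client error (Connect)
3: invalid peer certificate: UnknownIssuer
[2025-12-28 21:25:02.000000 +01:00] ERROR [cmk_agent_ctl] cmk-agent-ctl\src\main.rs:35: Error querying registration progress at https://cmk-agent.example.invalid/sitename

Caused by:
0: error sending request for url (https://cmk-agent.example.invalid/sitename/agent-receiver/register_new_ongoing/00000000-0000-0000-0000-000000000000)
1: client error (Connect)
2: tcp connect error: Connection refused
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] ERROR \[cmk_agent_ctl\]", re.M)
CAUSE = re.compile(r"^[ \t]*\d+: (.*)$", re.M)
URL = re.compile(r"https://[^\s)]+")

def triage(log_text):
    """Return one finding per ERROR entry, classified by its innermost cause."""
    heads = list(ENTRY.finditer(log_text))
    ends = [m.start() for m in heads[1:]] + [len(log_text)]
    findings = []
    for head, end in zip(heads, ends):
        entry = log_text[head.start():end]
        causes = [c.strip() for c in CAUSE.findall(entry)]
        root = causes[-1] if causes else ""
        url = URL.search(entry)
        if root.startswith("invalid peer certificate"):
            verdict = "tls-trust"  # certificate seen, but issuer not trusted by the agent
        elif "client error (Connect)" in causes:
            verdict = "connect"  # failed before any certificate was validated
        else:
            verdict = "other"
        findings.append({"time": head.group("ts"), "verdict": verdict, "root_cause": root,
                         "host": urlparse(url.group()).hostname if url else None})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['host']}  {f['verdict']}: {f['root_cause']}")
```

A `tls-trust` verdict against the reverse proxy's hostname matches the setup described in the thread, where the proxy terminates TLS and the agent reports an unknown issuer.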