CMK 2.1 Agent can't find Certificate

Hello,

I have a problem with enabling TLS in CheckMk 2.1. Hosts and CheckMK use a current Debian Bullseye and I use CheckMK Server and Client 2.1.0p16-1. I had to purge the client, reinstall and reboot the host to get the client to listen on port 6556. Now the service is active and listening.
ss -tulpn | grep 6556
tcp LISTEN 0 4096 *:6556 *:* users:(("cmk-agent-ctl",pid=425,fd=9))
On the server side everything seems to be okay, too:
AGENT_RECEIVER: on
AGENT_RECEIVER_PORT: 8000

Now I register on the host with the following parameters - but nothing happens, I am simply not shown the certificate. Is it possible that I have to create it before, manually?
cmk-agent-ctl register --hostname stefan.domain.info --server checkmk.domain.info --site firmenname --user automation --password 'abc123'

Yours sincerely
Stefan

Hi Stefan,
what is the output you get when you run the register command?

Please use the preformatted text format for code for better readability. You can do that by highlighting the text, then pressing Ctrl+E.

Does the status flag show you anything?
Also, have you cleared the TLS registration in Setup (Hosts -> Remove TLS Registration) so that you are really starting over?

Hi,

I have cleared the TLS Registration as recommended and I have installed tcpdump and nmap on checkmk and on the test hosts to check basic connectivity. According to nmap, running on the host I wish to register, port 8000 on checkmk is open and reachable. Also, if I run tcpdump 'tcp port 8000' on checkmk and attempt to register on a host, there is immediately traffic from the host to checkmk. It’s all IPv6, but this shouldn’t be a problem, should it? All my hosts have a Dual-Stack IPv4+IPv6-Setup, including the checkmk-host.
Nonetheless I get an empty screen instead of the certificate I have to verify on all but one host! On all other hosts the cmk-agent-ctl-daemon fails and registration is not possible. I have purged checkmk, rebooted and reinstalled the agent on the one host, but this is not a procedure I really want to do on all my hosts because even 60 seconds of downtime will require careful planning in advance, which will turn the mass registration of all my hosts into a nightmare. (It already is unpleasant because I can’t register with an ansible playbook and have to log in manually to all my hosts.)

● cmk-agent-ctl-daemon.service - Checkmk agent controller daemon
     Loaded: loaded (/lib/systemd/system/cmk-agent-ctl-daemon.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2022-11-28 15:21:19 CET; 2min 20s ago
    Process: 1203996 ExecStart=/usr/bin/cmk-agent-ctl daemon (code=exited, status=1/FAILURE)
   Main PID: 1203996 (code=exited, status=1/FAILURE)
        CPU: 69ms

Nov 28 15:21:19 vm105 systemd[1]: cmk-agent-ctl-daemon.service: Scheduled restart job, restart counter is at 5.
Nov 28 15:21:19 vm105 systemd[1]: Stopped Checkmk agent controller daemon.
Nov 28 15:21:19 vm105 systemd[1]: cmk-agent-ctl-daemon.service: Start request repeated too quickly.
Nov 28 15:21:19 vm105 systemd[1]: cmk-agent-ctl-daemon.service: Failed with result 'exit-code'.
Nov 28 15:21:19 vm105 systemd[1]: Failed to start Checkmk agent controller daemon.

But even on the one host on which I am able to register “systemctl status cmk-agent-ctl-daemon” shows the following events.

Nov 28 15:15:54 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:89.146.XXX.XXX]:45424: Request failed. (tls handshake eof)
Nov 28 15:16:54 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:89.146.XXX.XXX]:50242: Request failed. (tls handshake eof)
Nov 28 15:17:55 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:89.146.XXX.XXX]:49322: Request failed. (tls handshake eof)
Nov 28 15:18:55 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:89.146.XXX.XXX:54858: Request failed. (tls handshake eof)
Nov 28 15:19:54 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:89.146.XXX.XXX]:58716: Request failed. (tls handshake eof)

Any suggestions? EDIT: I just registered another host by purging checkmk and rebooting the host. Unfortunately I also get the tls handshake error and in the web interface I get the information that the host is not registered to use tls.
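Added example (not written by anyone in this thread and not Checkmk code): a small triage script for journal output of the kind quoted above. It groups failed pull requests by host, peer and reason, reports the gaps between them, and lists hosts whose daemon hit the systemd start limit. The sample lines are constructed, the address is a documentation placeholder, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of the journal output quoted in the thread;
# 192.0.2.10 is a documentation address. The fourth line lacks the closing "]".
SAMPLE = """\
Nov 28 15:15:54 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:192.0.2.10]:45424: Request failed. (tls handshake eof)
Nov 28 15:16:54 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:192.0.2.10]:50242: Request failed. (tls handshake eof)
Nov 28 15:17:55 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:192.0.2.10]:49322: Request failed. (tls handshake eof)
Nov 28 15:18:55 vm182 cmk-agent-ctl[425]: WARN [cmk_agent_ctl::modes::pull] [::ffff:192.0.2.10:54858: Request failed. (tls handshake eof)
Nov 28 15:21:19 vm105 systemd[1]: cmk-agent-ctl-daemon.service: Start request repeated too quickly.
"""

PULL = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) cmk-agent-ctl\[\d+\]: WARN "
    r"\[cmk_agent_ctl::modes::pull\] \[(?P<peer>[^\]\s]+?)\]?:\d+: "
    r"Request failed\. \((?P<reason>[^)]*)\)$")
LIMIT = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<host>\S+) systemd\[\d+\]: "
                   r"cmk-agent-ctl-daemon\.service: Start request repeated too quickly\.$")

def triage(text, year=2022):
    """Group failed pull requests by (host, peer, reason) and list hosts whose
    daemon hit the systemd start limit. `year` is assumed: syslog omits it."""
    seen = defaultdict(list)
    limited = set()
    for line in text.splitlines():
        m = PULL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[(m["host"], m["peer"], m["reason"])].append(ts)
            continue
        m = LIMIT.match(line)
        if m:
            limited.add(m["host"])
    failures = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        failures[key] = {"count": len(stamps), "gaps_s": gaps}
    return failures, sorted(limited)

if __name__ == "__main__":
    failures, limited = triage(SAMPLE)
    for (host, peer, reason), info in failures.items():
        print(f"{host}: {info['count']}x '{reason}' from {peer}, gaps {info['gaps_s']} s")
    print("start limit hit on:", limited)
```

A single peer failing at a steady interval points at one recurring client rather than scattered connections, which narrows where to look next.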

Do you mean you expect some kind of output from the registration? Well that command does not give you ANY output like “registration successful” - nada.

You can however run cmk-agent-ctl status to see the status…

Just found this in the WATO. In all cases I was provided a certificate upon registration which I confirmed with “Y”. So many error messages. I can’t help but wonder if this feature was released prematurely. It is a lot of change for a minor release in any case.

SERVER1 CRIT [agent] Host is registered for TLS but not using it (CRIT), Got no information from host (CRIT), execution time 0.2 sec
SERVER2 CRIT [agent] Agent controller not registered (CRIT), Got no information from host (CRIT), execution time 0.0 sec
SERVER3 CRIT [agent] Error establishing TLS connection (CRIT), Got no information from host (CRIT), execution time 0.0 sec