Hi @JoaoCampos !
It’s hard to tell without some further knowledge about your setup.
As it’s working with openssl/curl, there seems to be a root certificate available on the system that can be used to verify the certificate chain of the Checkmk server.
It’s hard to tell where exactly it comes from.
However, the certificate rolled out by the agent updater ruleset seems to be insufficient.
You can analyze this by having a look at the server’s certificate chain. You already entered the right command with openssl s_client -connect SLAVE01:443
The interesting part here is the certificate chain, that comes right after the listing that you posted.
Now, this chain has to match the certificate rolled out with the agent updater rule.
Assuming that the certificate is available as file certificate.pem, please
- have a look at it with
openssl x509 -in certificate.pem -text
The most interesting parts here areIssuerandSubject.
They should be the same, i.e., it should be a root certificate.
And this issuer/subject should match one subject (s:) of one entry of the server’s certificate chain.
(In many cases the last one) - test if this certificate can verify the chain:
openssl s_client -connect SLAVE01:443 -CAfile certificate.pem