Hello,
We updated the slaves and agents to 2.0.0p34 and we still have the same problem with the certificate validation:
```
root@HOSTNAME:~$ cmk-update-agent -vv
Successfully read /etc/cmk-update-agent.state.
Successfully read /etc/check_mk/cmk-update-agent.cfg.
Updating the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem"...
Updated the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem" with 1 certificate(s)
+-------------------------------------------------------------------+
| |
| Checkmk Agent Updater v2.0.0p34 - Update |
| |
+-------------------------------------------------------------------+
Getting target agent configuration for host 'AGENTHOSTNAME' from deployment server
Fetching content (using requests): https://SLAVE/SITE/check_mk/deploy_agent.py
Failed to connect to agent bakery: HTTPSConnectionPool(host='SLAVE', port=443): Max retries exceeded with url: /SITE/check_mk/deploy_agent.py (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
Retrying with fallback URL: http://SLAVE/SITE/check_mk
Fetching content (using requests): http://SLAVE/SITE/check_mk/deploy_agent.py
Response without json Content-Type
```

**Unexpected answer from Checkmk server: Missing json data. Maybe we are talking to an agent bakery from before Checkmk 2.0 ?**

```
See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.
```
After the patch, we started to receive a new message (identified above in bold). I searched the forum for the problem and found a solution which was to remove the host in the check-mk console and uninstall and reinstall the agent. This procedure solved the problem for a while, but it reappeared when I ran cmk-update-agent -vv a second time.
Another thing I noticed was that even with a fresh install of the agent without certificate validation configured in the auto-update rule, cmk-update-agent would still fail due to certificate validation: