Command line check whether client is TLS registered

Hi.

Apologies if this has been asked on here before, but I’ve spent ages searching, googling and talking to ChatGPT but with no joy.

I’m using CheckMK on Debian Linux. Any idea whether it’s possible on the command line (i.e. will use in a script) to tell whether a client is TLS registered to a particular monitoring server?

I know I can automate the registration, but I only want to do that if the client isn’t already registered as it makes automated builds and updates much simpler.

Cheers,
Kingsley.

Hi Kingsley,

Isn't this what you are looking for: cmk-agent-ctl status?
Otherwise you can check the file /var/lib/cmk-agent/registered_connections.json
Every registered TLS registration is added there. I assume that file is either empty or nonexistent as long as the host is not registered.

Oh brilliant, thanks. That gets me most of the way there.

The only thing I now need to deal with is the case where a monitoring server has been replaced (with the same hostname and sitename), requiring all clients to re-register with the new one.

I’ve noted that /var/lib/cmk-agent/registered_connections.json contains a root_cert value for each site the client has registered with. On the monitoring servers I see that certificate is in the following files:

/omd/sites/SITENAME/var/ssl/remote_sites_cas/SITENAME.pem
/omd/sites/SITENAME/var/ssl/ca-certificates.crt
/omd/sites/SITENAME/etc/ssl/sites/SITENAME.pem
/omd/sites/SITENAME/etc/ssl/agent_receiver_cert.pem
/omd/sites/SITENAME/etc/ssl/ca.pem
/omd/sites/SITENAME/etc/check_mk/multisite.d/wato/ca-certificates.mk

Do you know which is the most appropriate one to check?

Cheers,
Kingsley.

As you are doing a TLS registration, I think this certificate is bound to the agent receiver service and should be the correct one.

Thanks.

I register the clients with this command:

cmk-agent-ctl register -H `hostname -f` -i <sitename> -s <monitoring-host> -U <admin-user> -P <admin-pass> --trust-cert

(username and password are fed in securely)

I’m using pull connections (according to /var/lib/cmk-agent/registered_connections.json)

TBH I don’t know whether it’s using TLS or SSL.

Cheers,
Kingsley.

Yes, that is correct, and it's TLS 🙂
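
An added example, not part of any post in this thread: a check a build script could run to decide whether to register, covering the replaced-server case by comparing the root_cert stored in registered_connections.json with a certificate file copied from the monitoring server. Assumptions: connection entries are named "<monitoring-host>:<port>/<sitename>", the server PEM is whichever of the files listed above you settle on, and the sample data is constructed.

```python
import base64, hashlib, json, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each CERTIFICATE block (a file may hold several)."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def registered_roots(node, name=None):
    """Yield (connection name, root_cert) for every JSON object carrying a root_cert."""
    if isinstance(node, dict):
        if isinstance(node.get("root_cert"), str):
            yield name, node["root_cert"]
        else:
            for key, value in node.items():
                yield from registered_roots(value, key)
    elif isinstance(node, list):
        for value in node:
            yield from registered_roots(value, name)

def registration_state(connections_json, host, site, server_pem):
    """Return 'unregistered', 'stale' (stored root_cert no longer matches) or 'registered'."""
    # An empty file counts as "no registrations"; invalid JSON raises ValueError.
    data = json.loads(connections_json) if connections_json.strip() else {}
    # Assumption: connection names look like "<monitoring-host>:<port>/<sitename>".
    roots = [pem for name, pem in registered_roots(data)
             if name and name.startswith(host + ":") and name.endswith("/" + site)]
    if not roots:
        return "unregistered"
    current = cert_fingerprints(server_pem)
    if any(cert_fingerprints(pem) & current for pem in roots):
        return "registered"
    return "stale"

def sample_pem(seed):
    """Constructed stand-in for a certificate: PEM armour around arbitrary bytes."""
    body = base64.encodebytes(seed * 20).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample of registered_connections.json (not taken from a real host).
SAMPLE = json.dumps({"push": {}, "pull": {
    "mon.example.org:8000/prod": {"uuid": "constructed", "root_cert": sample_pem(b"old-ca")}}})

if __name__ == "__main__":
    print(registration_state(SAMPLE, "mon.example.org", "prod", sample_pem(b"old-ca")))
    print(registration_state(SAMPLE, "mon.example.org", "prod", sample_pem(b"new-ca")))
    print(registration_state("", "mon.example.org", "prod", sample_pem(b"new-ca")))
```

On a real client, pass the contents of /var/lib/cmk-agent/registered_connections.json (or an empty string if the file is missing) and re-register only when the result is not 'registered'.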