Dynamic host management not working on one site

db_ms · April 16, 2024, 10:06am

CMK version:Checkmk Enterprise Edition 2.2.0p23
OS version:Alma Linux 8.9

Error message: requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://localhost:5000/N/check_mk/api/1.0/domain-types/host_config/collections/all

Hi, on the production site with a long tradition (started with the community edition years ago) the dynamic host detection ist not working. On this site the automation user was missing, so I created a new one with an automaton secret and added the information in the general config. I created a rule in “Dynamic Host Management”. When executing the rule it stops with an error and it gets an authentication error:

11:34:17 ERROR An exception occured
Traceback (most recent call last):
  File "/omd/sites/N/lib/python3/cmk/cee/dcd/connectors/piggyback.py", line 234, in _execute_phase2
    cmk_hosts = self._web_api.get_all_hosts()
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/omd/sites/N/lib/python3/cmk/cee/dcd/web_api.py", line 245, in get_all_hosts    resp.raise_for_status()
  File "/omd/sites/N/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status     raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: http://localhost:5000/N/check_mk/api/1.0/domain-types/host_config/collections/all

However, when I create a new site on the same host with the same dynamic host management rule (except that this one is using the default “automation” user) everything works fine.

I tracked that down to a problem probably with the automation secret. If I give the user a password I can curl the URL. However when I create an automation secret and add it the the general config it is not working.

Any ideas? Maybe a way to recreate the default automation user?

Any help is appreceated.
Regards
Damian

aeckstein · April 17, 2024, 7:00am

Hi Damian,

i have two ideas:

Has the automation user assigned the Administrator role ?
Did you configure the automation user in the global settings “Connection to the REST API” ?

grafik

db_ms · April 17, 2024, 7:18am

Hi Andre,

Thanx for the reply. Yes, done both. I even tried using an automation secret for the user and assigning a password from the password store. Nothing works.
If I assign a password from the password store I can access the URL via curl on my check_mk-host, so obviously no FW in the way.
btw: if I choose “Use “Checkmk Automation” user”, the user named “automation” is used, right?

Damian

aeckstein · April 17, 2024, 7:35am

Hi Damian,

i assume that this is meant The default user for that in every new installation is called “automation”.
The automation user has to have a secret set, no password.

You can take a look at the dcd.log and web.log and trigger the dcd manually to create further logs.

aeckstein · April 17, 2024, 7:47am

Maybe you can just add another automation user (administrator), e.g. called dcd, with a secret set and use that for the dcd user setting in the global settings.