Host is registered for TLS but not using it CRIT

jamal · April 16, 2024, 6:48am

CMK version: 2.1.0p40
OS version:Red Hat Enterprise Linux Server release 7.9

Error message:Host is registered for TLS but not using it CRIT, Got no information from host

Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)

mschlenker · April 16, 2024, 6:50am

Please post the output of cmk-agent-ctl status.

jamal · April 16, 2024, 8:16am

Hello Mattias,

Thanks for the quick replay.
We upgraded check_mk from 2.0.0p34 to 2.1.0p40. We registered two hosts manually.

[root@dinoaccapp22 ~] cmk-agent-ctl register --hostname dinoaccapp22 --server gdnmonitor03:8000 --site pdc1 --user automation --password XXXXXXXXXXXXXX
[root@dinoaccapp22 ~]# cmk-agent-ctl status
Version: 2.1.0p40
Agent socket: operational
IP allowlist: any
Legacy mode: enabled
No connections

mschlenker · April 16, 2024, 8:39am

Registration failed, you are running in legacy mode, unencrypted. Please remove the registration server side and register again.

jamal · April 16, 2024, 9:18am

Hello,

How can we remove the registration sever side?
Please see below the “Connection refused” error. What could be the cause of this error?

[root@dinoaccapp22 ~]# curl -v --insecure https://gdnmonitor03/pdc1/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
* About to connect() to gdnmonitor03 port 443 (#0)
*   Trying 10.XX.XXX.XX...
* Connection refused
* Failed connect to gdnmonitor03:443; Connection refused
* Closing connection 0
curl: (7) Failed connect to gdnmonitor03:443; Connection refused

jamal · April 16, 2024, 10:52am

Hello,

I realize now that check_mk web server is running on port 80. I asked the Firewall administrator to open port 80 too. Please stand-by.

Port 80:
[root@dinoaccapp22 ~]# curl -v --insecure http://gdnmonitor03.gdnnet.lan/pdc1/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
* About to connect() to gdnmonitor03.gdnnet.lan port 80 (#0)
*   Trying 10.XX.XXX.XX...
* Connection timed out after 10001 milliseconds
* Closing connection 0
Warning: Transient problem: timeout Will retry in 1 seconds. 6 retries left.
* About to connect() to gdnmonitor03.gdnnet.lan port 80 (#1)
*   Trying 10.XX.XXX.XX...
^C

mschlenker · April 16, 2024, 11:34am

See here for troubleshooting if 80 or 443 is not reachable from the host (deeplink):

Also, you can do registration by proxy, if the server can reach the host, but not vice versa (deeplink):

jamal · April 18, 2024, 3:51pm

Hello,

We opened port 80 in the firewall and the subscription is now working. Solved.
many thanks for the support.