How can I import a certificate into checkmk server (for monitoring ESX host)?

CMK version: 2.2.0p26.cee
OS version checkmk Server: CentOS 7

Error message: SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)

I want to monitor ESX host(s).
So I started with the 1st ESX node, but get this error:

SAL@lnzcheckmk01:[~]\> ~/share/check_mk/agents/special/agent_vsphere --debug --user checkmk --secret ****** -D sallesxi01.research.silicon-austria.com | grep -A4 esx_vsphere_objects
...
requests.exceptions.SSLError: HTTPSConnectionPool(host='sallesxi01.research.silicon-austria.com', port=443): Max retries exceeded with url: /sdk (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

As far as I understand, I have two options now: disable SSL check or import the ESX host certificate.
I opted for option 2.

The documentation I found is unclear.

What I did so far:

[root@lnzcheckmk01 ~]# cd /etc/pki/ca-trust/source/anchors/
[root@lnzcheckmk01 anchors]# openssl s_client -connect sallesxi01.research.silicon-austria.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > sallesxi01_host_cert_chain.pem
[root@lnzcheckmk01 anchors]# update-ca-trust
[root@lnzcheckmk01 anchors]# omd stop SAL
[root@lnzcheckmk01 anchors]# omd start SAL

Did not help.

Then I read about a 2nd directory to put the certificate into:

SAL@lnzcheckmk01:[/opt/omd/sites/SAL/local/share]\> mkdir ca-certificates
SAL@lnzcheckmk01:[/opt/omd/sites/SAL/local/share]\> cd ca-certificates/
SAL@lnzcheckmk01:[/opt/omd/sites/SAL/local/share/ca-certificates]\> openssl s_client -connect sallesxi01.research.silicon-austria.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > sallesxi01_host_cert_chain.pem
[root@lnzcheckmk01 anchors]# update-ca-trust
[root@lnzcheckmk01 anchors]# omd stop SAL
[root@lnzcheckmk01 anchors]# omd start SAL

Still the same error.

So my question is: how do I correctly import the certificate, and where?

Thanks! :slight_smile:

I’m not sure about cmk 2.2 (I still use 2.1) but have you tried Global settings → Site management → Trusted certificate authorities for SSL?
There you can import CAs either via copy&paste or upload from your local computer or download from a URL.

(Disclaimer: to be honest, everything that has to do with certificates is 98% trial and error (mostly error) to me.)

Hello Dirk, thanks for the tip.

I added the ESX certificate into Global settings, by copy & paste of the PEM file:

Side note: when I try to “Fetch certificate from server:” I see “Found no CA”

Restarted everything.
Maybe I’m one step further, but not finished yet.
I’m still getting the error.

For completeness -

I added a Host:

I created a new Rule:

Run Service discovery:

Run Connection Test:

So data is collected “somehow”:

SAL@lnzcheckmk01:[~]\> cmk -d sallesxi01.research.silicon-austria.com
ERROR [special_vsphere]: Agent exited with code 1: HTTPSConnectionPool(host='10.141.11.100', port=443): Max retries exceeded with url: /sdk (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
<<<esx_vsphere_counters:cached(1721649956,90):sep(124)>>>
datastore.datastoreReadIops|60dde6f3-007ed7cf-97f5-b8cef6791350|0#0#0|number
datastore.datastoreReadIops|71138437-d3e85d81|0#0#0|number
datastore.datastoreReadIops|e651dba2-3ec45c71|0#0#0|number
datastore.datastoreWriteIops|60dde6f3-007ed7cf-97f5-b8cef6791350|0#0#0|number
datastore.datastoreWriteIops|71138437-d3e85d81|0#0#0|number
datastore.datastoreWriteIops|e651dba2-3ec45c71|0#0#0|number
datastore.name|datastore-1030|ds_salvesxi02|string
datastore.name|datastore-107448|ds_salvadm01|string
datastore.name|datastore-107455|ds_salvadm03|string
...

But still :frowning: this stupid certificate error.
I’m still looking into it.

I managed now to do an ESX host monitoring by disabling the SSL check for the ESX host.
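
Added example, not part of any post in this thread: `openssl x509` reads only the first PEM block of its input, so the `s_client -showcerts | openssl x509` pipeline in the question saves the host's own certificate, not a chain. The sketch below uses a constructed throwaway CA and host certificate (all names are hypothetical) to show that OpenSSL's default verification rejects a CA-signed host certificate when only that certificate is in the trust bundle and accepts it once the issuing CA is there; whether this applies to the ESX host above depends on how its certificate was issued.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, nothing here comes from the thread.
# Names such as demo-ca, esx.example.test, make_demo_pki and trusts are hypothetical.

# Create a self-signed CA and a host certificate signed by it in directory $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=esx.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.pem" 2>/dev/null || return 1
}

# Succeed only if certificate $2 chains to a trust anchor found in bundle $1.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Compare two trust bundles for the same host certificate:
#   leaf = bundle holds only the host certificate itself
#   ca   = bundle holds the certificate of the issuing CA
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    if trusts "$d/host.pem" "$d/host.pem"; then
        result="leaf=ok"
    else
        result="leaf=fail"   # no issuer available: chain cannot be completed
    fi
    if trusts "$d/ca.pem" "$d/host.pem"; then
        result="$result ca=ok"
    else
        result="$result ca=fail"
    fi
    rm -rf "$d"
    echo "$result"
}

demo
```

Comparing the `issuer` and `subject` printed by `openssl x509 -noout -issuer -subject -in <file>` for a saved certificate shows whether it is self-signed or needs a separate issuer certificate in the trust store.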
