Mk-update-agent certificate verify failed

hello,

im trying for the first time to implement the automatic agent updater… i allready did all steps i should.

image762×271 14.2 KB

so i baked the agent and install it on a host. but when i want to register the agent updater with the following command :

root@db01:~# cmk-update-agent register -s monitoring.domain.de -i checkmkmo -H db01 -p https -U cmkadmin -P **** -v

i got this response :

Updated the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem" with 1 certificate(s)
Going to register agent at deployment server
HTTPSConnectionPool(host='monitoring.domain.de', port=443): Max retries exceeded with url: /checkmkmo/check_mk/login.py (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.
root@db01:~#

image1413×41 4.3 KB

the communication to my site is secured with a certificate (https) and i added the same certificate when creating the agent updater

image710×82 2.54 KB

any idea why this is not working?

Is this only the certificate or the whole chain? A safe approach is to insert here the whole chain.

hello Andreas thank you for the Reply,

at first i tried only with our wildcard certificate and it showd me the Error i posted above.
and after trying the bundle certificate the command : cmk-update-agent register did work.

root@db01:~# cmk-update-agent register -s monitoring.domain.de -i checkmkmo -H db01 -p https -U cmkadmin -P **** -v
Updated the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem" with 1 certificate(s)
Going to register agent at deployment server
Successfully registered agent of host "db01" for deployment.
You can now update your agent by running 'cmk-update-agent -v'
Saved your registration settings to /etc/cmk-update-agent.state.
root@db01:~#

and after trying running the agenter updater this error is shown.

root@db01:~# cmk-update-agent -v
Updated the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem" with 1 certificate(s)

+-------------------------------------------------------------------+
|                                                                   |
|  Checkmk Agent Updater v2.1.0-2022.10.13 - Update                |
|                                                                   |
+-------------------------------------------------------------------+
Getting target agent configuration for host 'db01' from deployment server
HTTPSConnectionPool(host='192.168.192.168', port=443): Max retries exceeded with url: /checkmkmo/check_mk/deploy_agent.py (Caused by SSLError(SSLCertVerificationError("hostname '192.168.192.168' doesn't match either of '*.mydomain.de', 'mydomain.de'")))
See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.
root@db01:~#

Somewhere in your agent updater config you use the IP and not the host name.
The used IP is not included in your certificate and with this the error message is fine.

thank you very much for the advice.
i just changed the IP in the config file under /etc/check_mk/cmk-update-agent.cfg to the host name mycheckmk.domain.de and it works.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.