One client Agent output is encrypted but encryption is disabled after upgrade to 2.0.0p16

louis · December 1, 2021, 2:05pm

Hi,

Yesterday I upgraded the server and clients to version 2.0.0p16 CRE. All went wel except for one system. On this one I suddenly get this error:

agent] Agent output is encrypted but encryption is disabled by configurationCRIT, Got no information from host

Which is really strange, since I have no encryption configured whatsoever. If I run the agent on the system, there’s no issues, just the normal text output. Same when I use nc to connect to the client from the CheckMK server.

Just wondering what could be causing this issue and how to solve it.

Kind regards,
Louis

ChristianM · December 1, 2021, 2:09pm

Hi,
looks like a test system where encryption is set. There must be the file encryption.cfg in /etc which have the encryption key. You can remove this file and the communication will run unencrypted.

Cheers,
Christian

louis · December 1, 2021, 2:13pm

Hi,

Thanks, but I’m afraid there’s no such file. Just to be sure, I ran this command on the system:

root@digsvl001:/etc# find . -name encryption.cfg -print

That returns an empty output. And as I mentioned, it was working fine before; nothing changed but the agent version.

Regards,
Louis

robin.gierse · December 1, 2021, 3:16pm

What does the following command say?

cmk -vvd $HOST

louis · December 1, 2021, 3:21pm

That gives the following output:

OMD[digio]:~$ cmk -vvd digsvl001
Connecting via TCP to 172.25.100.91:6556 (10.0s timeout)
[TCPFetcher] Fetch with cache settings: DefaultAgentFileCache(base_path=PosixPath('/omd/sites/digio/tmp/check_mk/cache/digsvl001'), max_age=MaxAge(checking=0, discovery=120, inventory=120), disabled=False, use_outdated=False, simulation=False)
Not using cache (Too old. Age is 103583 sec, allowed is 0 sec)
[TCPFetcher] Execute data source
Reading data from agent
Output is encrypted
Closing TCP connection to 172.25.100.91:6556
ERROR [agent]: Agent output is encrypted but encryption is disabled by configuration(!!)
No piggyback files for 'digsvl001'. Skip processing.
No piggyback files for '172.25.100.91'. Skip processing.
[PiggybackFetcher] Fetch with cache settings: NoCache(base_path=PosixPath('/omd/sites/digio/tmp/check_mk/data_source_cache/piggyback/digsvl001'), max_age=MaxAge(checking=0, discovery=120, inventory=120), disabled=False, use_outdated=False, simulation=False)
[PiggybackFetcher] Execute data source
Loading autochecks from /omd/sites/digio/var/check_mk/autochecks/digsvl001.mk
No persisted sections loaded
No piggyback files for 'digsvl001'. Skip processing.
No piggyback files for '172.25.100.91'. Skip processing.

robin.gierse · December 1, 2021, 3:58pm

Maybe there are some weird characters in the output which make checkmk think the output is encrypted. Can you verify that locally on the monitored host?

louis · December 2, 2021, 7:56am

I found that there was indeed something strange. For some reason the directory MK_VARDIR (/var/lib/check_mk_agent) was not there. And in the 2.0.0p16 version of the agent this code is new:

# let RTCs know about this remote
[ -d "${MK_VARDIR}/rtc_remotes" ] || mkdir "${MK_VARDIR}/rtc_remotes"
[ -n "${REMOTE}" ] && touch "${MK_VARDIR}/rtc_remotes/${REMOTE}"

As the creation of these directories failed, indeed strange output was generated, resulting in the server believing the output was encrypted. After manually creating /var/lib/check_mk_agent the issue went away.

Thanks for the help.
Kind regards,
Louis

system · December 2, 2022, 7:57am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.