$ cmk-update-agent register -s lnzcheckmk01.research.silicon-austria.com -i SAL -H salllgpuc05 -U cmkadmin -P '****’ -v -p https Updated the certificate store “/var/lib/check_mk_agent/cas/all_certs.pem” with 1 certificate(s) Going to register agent at deployment server HTTPSConnectionPool(host=‘lnzcheckmk01.research.silicon-austria.com’, port=443): Max retries exceeded with url: /SAL/check_mk/login.py (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)])”))) See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.
How can I get the ship running again?
I’m running out of ideas what to check and where.
First step - i would not use the full chain inside the deployed agent as this chain is only valid for a maximum of 90 days. Only use the root certificate.
This error message has nothing to do with the agent updater and the registration for updates. It shows the state of the agent communcation itself. Do you get data from the agents at the moment? If yes then only the transport security of the agent data is not configured to use TLS.
On the second screenshot it shows not the root cert. It is the intermediate.
First screenshot looks ok.
Third screenshot - fetch agent data ok without TLS and agent updater complains about certificate problem from webserver.
I would check on this machine what i see if i do a “openssl s_client -connect monitoringserver:443”
Verification error: unable to verify the first certificate
This is because I was running nginx only with the certificate, but not with the cert-chain (I have no error in the browser). Then I canged this on nginx, and ran the above cmd again → no error anymore
Now this worked with https:
$ cmk-update-agent register -s lnzcheckmk01.research.silicon-austria.com -i SAL -H hostname -s -U cmkadmin -P '**’ -v -p https Going to register agent at deployment server Successfully registered agent of host “salllgpuc05” for deployment. You can now update your agent by running ‘cmk-update-agent -v’ Saved your registration settings to /etc/cmk-update-agent.state.
then I did:
$ cmk-update-agent -v
±------------------------------------------------------------------+ | | | Checkmk Agent Updater v2.1.0p12 - Update | | | ±------------------------------------------------------------------+ Getting target agent configuration for host ‘salllgpuc05’ from deployment server Target state (from deployment server):
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.