Trusted CA certificates from global settings not replicated to remote sites

CMK version: 2.0.0p** (prod) and 2.1.0 (test)
OS version: Docker

Hi all

We are starting to set up distributed automatic agent updates. As the central site uses a certificate signed by an internal CA, we need remote sites to trust it. To achieve this, we added the root CA to Global settings > Trusted certificate authorities for SSL.

However, this does not work for us. The CA certificate configuration seems to not be replicated to remote sites:

  • ca_certificates.mk is missing entirely from etc/check_mk/multisite.d/wato
  • ca_certificates-sitespecific.mk only contains the WATO header
  • checking in etc/ssl and var/ssl, the certificates are not present there

The CAs are only replicated to the remote site when explicitly configuring them per site in Distributed monitoring. This is not a configuration we plan to maintain, though :wink:

Do any of you run a similar configuration that works?
Are we missing/misunderstanding something?

Thank you and have a nice day

Quick update: I was able to test this using clean installations of checkmk and it seems as though this issue is only present on the managed services edition. Seems like we might have to open a support request :wink:

Edit: reading through the source code of CME, the file ca-certificates.mk is deliberately excluded during snapshot creation.
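
The three checks listed in the post can be repeated after each activation with a small script. This is an added example, not part of the original post and not Checkmk code. It assumes you pass the remote site's root directory and the CA as a PEM file; the function names and the sample PEM are hypothetical, and because the layout of the `.mk` files is not shown on this page, the script only searches them for PEM blocks.

```python
import base64, hashlib, re, sys
from pathlib import Path

# Constructed sample input: not a real certificate, only PEM-shaped bytes.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"constructed sample, not a real CA").decode()
                 + "\n-----END CERTIFICATE-----\n")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(text):
    """SHA-256 over the decoded bytes of every PEM certificate block in text."""
    found = set()
    # Assumption: a .mk file may hold the PEM as a string with escaped newlines.
    for body in PEM_RE.findall(text.replace("\\n", "\n")):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # damaged block, skip it
            continue
        found.add(hashlib.sha256(der).hexdigest())
    return found

def read(path):
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""

def check_site(site_root, ca_pem):
    """Report, per location named in the post, whether the CA arrived."""
    root, wanted = Path(site_root), fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no PEM certificate found in ca_pem")
    report = {}
    wato = root / "etc/check_mk/multisite.d/wato"
    for name in ("ca_certificates.mk", "ca_certificates-sitespecific.mk"):
        f = wato / name
        if not f.is_file():
            report[name] = "missing"
        elif wanted & fingerprints(read(f)):
            report[name] = "contains CA"
        else:  # distinguish an empty WATO file from one with other settings
            body = [l for l in read(f).splitlines()
                    if l.strip() and not l.lstrip().startswith("#")]
            report[name] = "other content" if body else "header only"
    for store in ("etc/ssl", "var/ssl"):
        d = root / store
        files = [p for p in d.rglob("*") if p.is_file()] if d.is_dir() else []
        hit = any(wanted & fingerprints(read(p)) for p in files)
        report[store] = "contains CA" if hit else "CA not present"
    return report

if __name__ == "__main__" and len(sys.argv) == 3:
    for key, state in check_site(sys.argv[1], Path(sys.argv[2]).read_text()).items():
        print(f"{key}: {state}")
```

Run it as the site user with the site directory and the CA file as arguments; matching is by fingerprint, so a certificate bundled with others in one file is still found.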