Update error: The agent updater is not registered at the deployment server

CMK version: 2.1.0p22
OS version: Windows Server 2019

After installing and registering the baked agent I run this to register the updater and get the following result:
“C:\Program Files (x86)\checkmk\service\check_mk_agent.exe” updater register -s FQDN-CheckMK-server -i Site -H FQDN-Host-Name -p https -U regagent -P password -v
Finalizing installation, please wait…C:\ProgramData\checkmk\agent\modules\python-3.venv\lib\site-packages\OpenSSL_util.py:6: UserWarning: You are using cryptography on a 32-bit Python on a 64-bit Windows Operating System. Cryptography will be significantly faster if you switch to using a 64-bit Python.
from cryptography.hazmat.bindings.openssl.binding import Binding
Going to register agent at deployment server
HTTPSConnectionPool(host=‘FQDN-CheckMK-server’, port=443): Max retries exceeded with url: /site/check_mk/login.py (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)’)))

Error message from the log file on the monitored host: requests.exceptions.SSLError: HTTPSConnectionPool(host=‘FQDN of my CheckMK server’, port=443): Max retries exceeded with url: /site/check_mk/deploy_agent.py (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)’)))

I get this no matter what i do, I have tried specifying a cert in the agent updater configuration, I am unclear on if the cert used would be the one that the web interface presents or the one that shows when i register the host, i tried both. I tried switching it to HTTP instead of HTTPS and that worked but i want to use HTTPS

I am setting this all up for the first time so I really don’t know much about it but I’ve looked at every setup guide I can find for doing the automatic updates of agents and as far as I can tell I’ve done what they say.

Hi,

first you need to make sure, that your checkmk frontend / OS Apache TLS configuration is correct and has the complete ca chain configured, if the certificate was signed by an intermediate CA.

After checking that, your agent updater rule must then include the root ca certificate of the certificate authority that created the TLS certificate of your checkmk server.
You have to bake that into the MSI you are installing on the host.

2 Likes

I’m using the appliance and I have added a certificate signed by our internal CA that the hosts recognize as valid, when I open the web interface from the hosts in a web browser it shows as secure with a valid certificate. Are the instructions in your link in addition to that? They seem to be the same thing just done on the command line instead of in the GUI on the appliance.

Hi,

you are right, in the appliance everything should be configurable with the Web Gui.
There is one problem that I had a few times, that you can check:
The uploaded root ca chain certificate seems to be cut after the first entry, so if you have a chain of more than one Certificate, check in /etc/ssl/localcerts if everything is as expected.

Can you show a redacted screenshot of the bakery row with the configuration you are using on that host?

I can’t seem to get to a command line, i’m still in the 30 day trial to see if we want to use the product. It appears that during the demo you can’t enable root access via ssh. Is there another way to check that file?

I switched the config for the agent updated to HTTP so I could test while I sort out HTTPS, I just tried making a different policy with HTTPS and assigned it to one host so I could send you a screenshot but it won’t bake a different set of agents with the second policy, can you only bake one updater config?

No, it’s not the cert it selves. Now I have never used the appliance but you need to have your cert chain (Public cert, NO private KEY!) in your rule.

There is another rule that “steals” all root certs and copies them into the site, that can be used for agent update rules as well. Perhaps that will work on the appliance.

You are right that the cert chain have to be the same as if you where accessing the web UI from a browser.

However Checkmk Agent Update registration is stupid and does not read from the windows cert store, so if you have a cert from, for example ADCS checkmk won’t care

No, you should be able to create separate rules.
Maybe your old first rule matches the Host first and the second rule is not being processed any more, try to change the order of the rules, the specific one on the top.
After changing the ruleset you have to bake the agents again to include your new configuration settings.

If you are just evaluating the feature you can try http, in general I can say that it works with TLS, as I have a lot customers using it this way.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.