Windows Agent TLS Register Error "...Wrong credentials (Bearer header)"

CMK version: check-mk-enterprise-2.2.0p18_0
OS version: Win 10: 21H2 (Client)

Error message:
ERROR [cmk_agent_ctl] src\main.rs:29: Error registering existing host at https://xxxxxx.xxxxx.xxx:8000/xx
Caused by:
**Request failed with code 401 Unauthorized: Unauthorized - Details: Wrong credentials (Bearer header)**

After the update from “check-mk-enterprise-2.2.0p17_0” to “…2.2.0p18_0” our Agent-Register-Process broke and we get the error seen above.
The host only has the typical “TLS is not activated on monitored host”-Error, all other Services are “OK”.
The credentials didn't change and we tested it with another account (with “Normal user login with password”), which had the roles “Administrator” and “Agent registration user”. The outcome was the same.

The PowerShell we used on the client to register is found below:

```powershell
$ComputerName = $env:COMPUTERNAME.ToUpper()
$cmdPath = "C:\Program Files (x86)\checkmk\service\cmk-agent-ctl.exe"
$cmdArgList = @(
    "register", "--trust-cert",
    "-s", "xxxxxx.xxxxx.xxx:8000/",
    "-i", "xx",
    "-H", "$($ComputerName)",
    "-U", "xxxxxx",
    "-P", "xxxxxx"
)
& $cmdPath $cmdArgList
```

As a test, can you try with the automation user? The secret you can find here: ~/var/check_mk/web/automation/automation.secret

In the command line you normally don’t need to define the port in the -s. Just the IP or hostname is enough, or did you choose to do that on purpose?

Have you also tried it on a Linux host?

Hey, thank you for your quick answer!
I solved it yesterday shortly before I went home, so I'm gonna share my findings for you guys:

TLDR: create the following file with the cleartext password of the default “automation”-User (even if you use another user in the agent-register script):
“/omd/sites/YOURSITE/var/check_mk/web/automation/automation.secret”

Detailed Version:
Checkmk seems to use 2 Checkmk users:

  1. “automation”-User
  2. the user you use in your agent-register-script

and even if you don't knowingly use the automation-user, its password is used in the file: “/omd/sites/YOURSITE/var/check_mk/web/automation/automation.secret”

so if you get the “Request failed with code 401 Unauthorized: Unauthorized - Details: Wrong credentials (Bearer header)”, it means you have the wrong password in the mentioned file

and if you get the “Request failed with code 500 Internal Server Error: Internal Server Error” it means that the file “/omd/sites/YOURSITE/var/check_mk/web/automation/automation.secret” is not even created.

I hope it helps someone else save some time.
Best Wishes!

Thank you very much for the solution.
It took me 3 days of trial and error and I had already given up. :wink:

In my case, there is no built-in user “automation” defined in htpasswd, which causes this error.
Workaround:

```
cmk-passwd automation     # (simple password)
cmk-update-config         # (script will set the correct hash)
```

After that it’s working.
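
The checks from the two posts above (the automation.secret file and the “automation” entry in htpasswd), collected into one server-side script as an added example; it is not from any poster in this thread or from Checkmk. It assumes the site's htpasswd file sits at etc/htpasswd under the site root and that OMD_ROOT points at that root; the status names are made up for this example.

```shell
#!/bin/sh
# Added example (not Checkmk's own tooling). Run on the Checkmk server as the site user.
# Paths: automation.secret is the path given in the thread; etc/htpasswd is an assumption.
# The secret's content is never printed; only its presence and file mode are inspected.

check_automation_secret() {
    site_root=$1
    secret="$site_root/var/check_mk/web/automation/automation.secret"
    htpasswd="$site_root/etc/htpasswd"

    if [ ! -f "$secret" ]; then echo "SECRET_MISSING"; return 0; fi
    if [ ! -s "$secret" ]; then echo "SECRET_EMPTY"; return 0; fi
    # A missing htpasswd file is treated the same as a missing user entry.
    if ! grep -q '^automation:' "$htpasswd" 2>/dev/null; then
        echo "USER_MISSING"; return 0
    fi
    # A cleartext credential should not be readable by "other".
    if [ -n "$(find "$secret" -perm -004 2>/dev/null)" ]; then
        echo "SECRET_WORLD_READABLE"; return 0
    fi
    echo "PRESENT"
}

explain_status() {
    case $1 in
        SECRET_MISSING) echo "automation.secret does not exist (thread: seen with the 500 error)" ;;
        SECRET_EMPTY) echo "automation.secret exists but is empty" ;;
        USER_MISSING) echo "no 'automation' entry in htpasswd (thread: cmk-passwd automation, then cmk-update-config)" ;;
        SECRET_WORLD_READABLE) echo "automation.secret is world-readable; tighten its mode" ;;
        PRESENT) echo "file and user present; per the thread, a remaining 401 means the file holds the wrong password" ;;
        *) echo "unknown status: $1"; return 1 ;;
    esac
}

# Only runs inside a site environment where OMD_ROOT is set (assumed).
if [ -n "${OMD_ROOT:-}" ]; then
    explain_status "$(check_automation_secret "$OMD_ROOT")"
fi
```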

I’m having the same error as OP. I’ve verified that there was a password in the automation.secret file. I regenerated the automation user password and updated the automation.secret file to match. I continue to get the same result, whether I specify my normal agent registration user, or the automation user. I’m running the command as follows, from the Windows machine I’m trying to register:

```powershell
.\cmk-agent-ctl.exe register -s xx.xx.xx.xxx -i XXXXXXXXXXX -H XXXXXXXXXXXXX -U automation -P xxxxxxxxxxxxxxxxxxx
```

I’ve also tried leaving off the password so that I get prompted to enter it interactively, with the same results.

This format has worked for me consistently, until I updated from 2.2.0p16 to 2.2.0p18.

Any help would be appreciated!