Checkmk / checkmk-docs

Checkmk user manual
https://docs.checkmk.com

Described options for HTTPS connection make it impossible to use the newly enhanced agent #30

Closed markus-gitdev closed 2 years ago

markus-gitdev commented 2 years ago

I've set up my checkmk Raw for HTTPS as described in the docs long before upgrading to version 2.1.0 Raw and everything worked as expected.

After the upgrade to version 2.1.0 Raw, I now have the issue that I'm not able to register a host as described in the docs to use the newly enhanced agent.

The error that shows up is the following:

cmk-agent-ctl register -H <hostname> -s <servername> -i <sitename> -U <username> -v
INFO [cmk_agent_ctl] starting
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Error with http:
Failed to discover agent receiver port from http://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (http://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

Error with https:
Failed to discover agent receiver port from https://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (https://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

I also tried it with the flag --trust-cert, which also doesn't work.

The interesting part is that it works from the monitoring server itself, but not for any other hosts.

If I disable the HTTPS redirect condition in 000-default.conf and restart the apache2 service, I can also register other hosts and not only the monitoring server itself. It also seems as if it's not an SSL issue, since the attempt to register (with the disabled redirect) shows me the certificate of the monitoring server.

Could you please update this section, so HTTPS redirects are working and the use of the newly enhanced agent is also possible? Thank you and best regards!

mschlenker commented 2 years ago

Just a short answer here. If this does not provide the solution, please continue at https://forum.checkmk.com/

The first call is to detect the port of the agent receiver. Here the CMK server seems to use a certificate the client does not trust. You might just skip this call by appending the port (8000 for the first CMK site on a server) to the hostname of the CMK server. Then the agent receiver is directly addressed without doing the REST API call first.

We'll add this option to the troubleshooting section.

mschlenker commented 2 years ago

I've added a section describing how to specify the port via command line to skip the port discovery via Web API. Commit 1af0d428. Thanks for the hint.
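
An added example, not part of the thread and not Checkmk's own code: a small triage over the error text quoted in the issue. It shows that the failure is in the port-discovery step, that the plain-http attempt also ended in TLS (consistent with the HTTPS redirect), and how appending the port yields the server argument that skips discovery. The sample text is shortened from the quoted output; `triage` and `server_with_port` are hypothetical helper names.

```python
import re

# Constructed sample, shortened from the error output quoted in the issue.
SAMPLE = """\
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Error with http:
Failed to discover agent receiver port from http://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)

Error with https:
Failed to discover agent receiver port from https://<servername>/<sitename>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (self signed certificate)
"""

SECTION = re.compile(r"^Error with (https?):\s*$", re.MULTILINE)
REASON = re.compile(r"\(([^()]+)\)\s*$", re.MULTILINE)  # trailing "(...)" detail
VERIFY_FAILED = "certificate verify failed"
DISCOVERY = "Failed to discover agent receiver port"


def triage(output: str) -> dict:
    """Classify a failed `cmk-agent-ctl register` run from its error text."""
    parts = SECTION.split(output)  # [preamble, scheme, body, scheme, body, ...]
    sections = dict(zip(parts[1::2], parts[2::2]))
    tls_failed = {s: VERIFY_FAILED in body for s, body in sections.items()}
    reasons = sorted({r for body in sections.values() for r in REASON.findall(body)})
    return {
        "stage": "port discovery" if DISCOVERY in output else "unknown",
        # A TLS error on the plain-http attempt indicates a redirect to HTTPS.
        "http_redirected_to_tls": tls_failed.get("http", False),
        "untrusted_certificate": any(tls_failed.values()),
        "reasons": reasons,
    }


def server_with_port(server: str, port: int = 8000) -> str:
    """Append the agent receiver port unless the argument already has one.

    8000 is the port the thread gives for the first site on a server;
    other sites may use a different port.
    """
    _host, sep, tail = server.rpartition(":")
    return server if sep and tail.isdigit() else f"{server}:{port}"
```

The value returned by `server_with_port` is what would be passed to `-s` in the `register` command from the issue.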