Werk #14544: Agent controller: Use host certificate store during registration

Komponente Agent bakery
Titel Agent controller: Use host certificate store during registration
Datum 21.07.2022
Checkmk-Editon Checkmk Raw (CRE)
Checkmk-Version 2.2.0i1 2.1.0p9
Level Kleine Änderung
Klasse Bugfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen

In order to register at a Checkmk site, the agent controller (cmk-agent-ctl) needs to know, among others, the name of the server where the site is running and a port. The port can either be included in the server name argument (-s), or it can be left out. In case it is left out, the agent controller tries to query the port from the REST API of the target site.

In case the communication with the REST API is HTTPS-secured, the agent controller is supposed to use the certificate store of the host to verify the server certificate. This was however not the case, which in particular affected setups with server certificates signed by a custom CA (where the corresponding root certificate was correctly added to the certificate store of the host). The resulting error message read:

$ cmk-agent-ctl register ...
...
Failed to discover agent receiver port from Checkmk REST API, both with http and https.

...

Error with https:
...
invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Note that, as mentioned above, this only happened if no explicit port was given during the agent registration.

Zur Liste aller Werks