Werk #14607: cmk_update_agent: Fix fetching root certificates from server

Komponente Agent bakery
Titel cmk_update_agent: Fix fetching root certificates from server
Datum 05.08.2022
Checkmk-Editon Checkmk Enterprise (CEE)
Checkmk-Version 2.2.0i1 2.1.0p10 2.0.0p28
Level Kleine Änderung
Klasse Bugfix
Kompatibilität Inkompatibel - Manuelle Interaktion könnte erforderlich sein

This Werk is only incompatible for users that actually tried to use the broken trust-cert option of the agent updater.

This is a regression since Checkmk 2.0.

When invoking cmk-update-agent with --trust-cert or -t option, you can trust and save the root certificate needed for the HTTPS connection to the Checkmk server directly from the server's certificate chain (if it's stored there).

Previously, the fetched certificate got saved in a wrong format (python bytes instead of str), leading to a crash when the agent updater tries to import it in subsequent calls.

You can fix your broken installations by editing the host-local file /etc/cmk-update-agent.state or %ProgramData%\checkmk\agent\config\cmk-update-agent.state, respectively: Please remove all occurring b prefixes from the local_certificates entry. Alternatively, you can update the agent once manually by calling the agent updater with --insecure option. This will skip the certificate handling entirely; the updated agent updater can then fix the malformed values by itself.

Zur Liste aller Werks