Werk #14607: cmk_update_agent: Fix fetching root certificates from server
| Komponente | Agent bakery |
| Titel | cmk_update_agent: Fix fetching root certificates from server |
| Datum | 05.08.2022 |
| Checkmk Edition | Checkmk Enterprise (CEE) |
| Checkmk-Version | 2.0.0p28 2.1.0p10 2.2.0b1 |
| Level | Kleine Änderung |
| Klasse | Bugfix |
| Kompatibilität | Inkompatibel - Manuelle Interaktion könnte erforderlich sein |
This Werk is only incompatible for users that actually tried to use the broken trust-cert option of the agent updater.
This is a regression since Checkmk 2.0.
When invoking cmk-update-agent with --trust-cert or -t option, you can trust and save the root certificate needed for the HTTPS connection to the Checkmk server directly from the server's certificate chain (if it's stored there).
Previously, the fetched certificate got saved in a wrong format (python bytes instead of str), leading to a crash when the agent updater tries to import it in subsequent calls.
You can fix your broken installations by editing the host-local file /etc/cmk-update-agent.state or %ProgramData%\checkmk\agent\config\cmk-update-agent.state, respectively: Please remove all occurring b prefixes from the local_certificates entry. Alternatively, you can update the agent once manually by calling the agent updater with --insecure option. This will skip the certificate handling entirely; the updated agent updater can then fix the malformed values by itself.
