Werk #14607: cmk_update_agent: Fix fetching root certificates from server
|Title||cmk_update_agent: Fix fetching root certificates from server|
|Date||Aug 5, 2022|
|Checkmk Editon||Checkmk Enterprise (CEE)|
|Checkmk Version||2.2.0i1 2.1.0p10 2.0.0p28|
|Compatibility||Incompatible - Manual interaction might be required|
This Werk is only incompatible for users that actually tried to use the broken trust-cert option of the agent updater.
This is a regression since Checkmk 2.0.
When invoking cmk-update-agent with --trust-cert or -t option, you can trust and save the root certificate needed for the HTTPS connection to the Checkmk server directly from the server's certificate chain (if it's stored there).
Previously, the fetched certificate got saved in a wrong format (python bytes instead of str), leading to a crash when the agent updater tries to import it in subsequent calls.
You can fix your broken installations by editing the host-local file /etc/cmk-update-agent.state or %ProgramData%\checkmk\agent\config\cmk-update-agent.state, respectively: Please remove all occurring b prefixes from the local_certificates entry. Alternatively, you can update the agent once manually by calling the agent updater with --insecure option. This will skip the certificate handling entirely; the updated agent updater can then fix the malformed values by itself.