Werk #14607: cmk_update_agent: Fix fetching root certificates from server

Component: Agent bakery
Title: cmk_update_agent: Fix fetching root certificates from server
Date: Aug 5, 2022
Checkmk Edition: Checkmk Enterprise (CEE)
Checkmk Version: 2.2.0b1, 2.1.0p10, 2.0.0p28
Level: Trivial Change
Class: Bug Fix
Compatibility: Incompatible - Manual interaction might be required

This Werk is only incompatible for users who actually tried to use the broken trust-cert option of the agent updater.

This is a regression since Checkmk 2.0.

When invoking cmk-update-agent with the --trust-cert or -t option, you can trust and save the root certificate needed for the HTTPS connection to the Checkmk server directly from the server's certificate chain (if it's stored there).

Previously, the fetched certificate was saved in the wrong format (Python bytes instead of str), leading to a crash when the agent updater tried to import it in subsequent calls.

You can fix your broken installations by editing the host-local file /etc/cmk-update-agent.state or %ProgramData%\checkmk\agent\config\cmk-update-agent.state, respectively: remove every b prefix from the local_certificates entry. Alternatively, you can update the agent once manually by calling the agent updater with the --insecure option. This skips the certificate handling entirely; the updated agent updater can then fix the malformed values by itself.
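The manual repair described above can be sketched as follows. This is an added example, not code from Checkmk or the agent updater. It assumes the state file holds a Python literal dict and that local_certificates is a list; the function names, the extra key and the sample certificate are constructed for illustration.

```python
import ast

# Constructed placeholder, not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

# Constructed sample state text (assumption: a Python literal dict).
SAMPLE_STATE = repr({
    "example_other_setting": 1,    # hypothetical key, shows other data is kept
    "local_certificates": [
        PEM.encode("ascii"),       # stored as bytes: appears as b'...' in the file
        str(PEM.encode("ascii")),  # str() of bytes: the text "b'...'" inside a str
        PEM,                       # correct entry, must come back unchanged
    ],
})

def normalize_cert(value):
    """Return one certificate entry as str, undoing the bytes-for-str damage."""
    if isinstance(value, bytes):
        return value.decode("ascii")
    if isinstance(value, str) and value[:2] in ("b'", 'b"'):
        try:
            parsed = ast.literal_eval(value)  # parses literals only, runs no code
        except (ValueError, SyntaxError):
            return value                      # not a bytes literal, leave as is
        if isinstance(parsed, bytes):
            return parsed.decode("ascii")
    return value

def repair_state(text):
    """Parse state text; return (repaired dict, number of entries fixed)."""
    state = ast.literal_eval(text)
    certs = state.get("local_certificates", [])
    fixed = [normalize_cert(c) for c in certs]
    # normalize_cert returns the same object when nothing had to change.
    repaired = sum(1 for old, new in zip(certs, fixed) if new is not old)
    state["local_certificates"] = fixed
    return state, repaired

if __name__ == "__main__":
    state, repaired = repair_state(SAMPLE_STATE)
    print(f"repaired {repaired} of {len(state['local_certificates'])} entries")
```

Work on a copy of the state file and compare the result with the original before replacing it.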
