Werk #14715: Agent controller: Do not verify TLS certificates by default when querying the agent receiver port from Checkmk REST API

Component Agent bakery
Title Agent controller: Do not verify TLS certificates by default when querying the agent receiver port from Checkmk REST API
Date Aug 10, 2022
Checkmk Editon Checkmk Raw (CRE)
Checkmk Version 2.2.0i1 2.1.0p10
Level Trivial Change
Class New Feature
Compatibility Compatible - no manual interaction needed

During registration, the agent controller (cmk-agent-ctl) queries the port on which the agent receiver is listening from the Checkmk REST API, unless the port has been explicitly provided on the command line. This query is attempted both with http and https. If both queries fail, the controller aborts, otherwise, the result of the first sucessful query is used.

Before this werk, when attempting with https, the controller verified the TLS server certificate presented by the Checkmk server. Hence, for the port query to succeed with https, the host system had to trust the Checkmk server certificate. If a custom certificate authority was used, the corresponding root certificate had to be added to the host's certificate store.

As of this werk, the controller by default no longer verifies the server certificate when querying the port with https. We do not consider this a security risk as this is just a query to identify the receiver port. The resulting port uses a Checkmk internal certificate authority anyway, which in turn is verified in any case. Furthermore, the verification can be re-enabled with the flag --validate-api-cert (passed to cmk-agent-ctl register ...).

Note that this change has no impact on the subsequent communication between the monitored host and the Checkmk server. After a successful registration, this communication will be TLS-encrypted, indepedently of whether --validate-api-cert was used or not.

To the list of all Werks