Werk #16127: agent-updater change behaviour of trust-cert option

Component Agent bakery
Title agent-updater change behaviour of trust-cert option
Date Sep 27, 2023
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

When registering the agent-updater and using the --trust-cert option the agent-updater used to traverse the certificate-chain and trust the first self-signed certificate in the chain which is usually a CA. Unfortunately this relied on the server to provide the full certificate chain. It is not uncommon to only provide the certificate and the corresponding intermediate CA certificate. In these scenarios the agent-updater failed to trust the certificate. Also the help text indicates that only the server certificate is trusted.

With this Werk the agent-updater retrieves the certificate of the server and trusts just that certificate.

Caution: If your registration workflow relies on an initial registration with --trust-cert option and you don't provide a certificate via another channel (see https://docs.checkmk.com/latest/en/agent_deployment.html#provide_certificates), you'll now lose trust when changing the Checkmk server's server certificate. If your workflow relies on the --trust-cert option, please make sure to provide a valid certificate via the agent updater ruleset or via global settings.

To the list of all Werks