Werk #19433: Fix spurious signing-key expiry mails from remote sites
| Component | Agent bakery |
| Title | Fix spurious signing-key expiry mails from remote sites |
| Date | Apr 29, 2026 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
In a distributed monitoring setup, all configured users could receive warning emails (and corresponding GUI inbox messages) about an agent signature key being about to expire, even though the key had already been deleted on the central site. The mail subject was "Checkmk: Agent Bakery signing keys expire soon".
The problem appeared specifically when the distributed setup contained remote sites that have no hosts assigned to them. Such sites do not generate pending changes during normal operation and are therefore not included in regular Activate Changes runs, which means files synchronised through that mechanism -- including the list of agent signature keys -- can stay out of date on them indefinitely.
This has been fixed.
Technical background
The daily cronjob that watches agent signature keys for upcoming expiry was running on every site, including remote sites. On a remote site with a stale copy of agent_signature_keys.mk the cronjob still found the deleted key, computed a days-until-expiry value from its certificate and, once that crossed the WARN or CRIT threshold, sent a GUI message and an email to every user.
Agent signature keys are managed exclusively on the central site, so the cronjob now exits early on remote sites. Warnings are produced only on the central site, where the key store is authoritative. No configuration change is required.
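
The behaviour described above, modelled as an added example (this is not Checkmk's own code): a remote site evaluating a stale key list raises a warning for a key the central site has already deleted, and the early exit on remote sites suppresses it. The class and function names, the threshold values and the sample keys are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds in days; the werk names WARN and CRIT but gives no values.
WARN_DAYS, CRIT_DAYS = 30, 7


@dataclass(frozen=True)
class SigningKey:
    """Hypothetical stand-in for one entry of agent_signature_keys.mk."""
    alias: str
    not_after: datetime  # expiry taken from the key's certificate


def expiry_state(key, now):
    """Return (days_left, state) with state 'OK', 'WARN' or 'CRIT'."""
    days_left = (key.not_after - now).days
    if days_left <= CRIT_DAYS:
        return days_left, "CRIT"
    if days_left <= WARN_DAYS:
        return days_left, "WARN"
    return days_left, "OK"


def keys_to_warn_about(local_keys, is_remote_site, now, guard=True):
    """Model of the daily job: keys that would trigger a mail on this site.

    guard=False is the old behaviour (every site trusts its local copy).
    guard=True is the fix: remote sites exit early, because only the
    central site's key store is authoritative.
    """
    if guard and is_remote_site:
        return []
    findings = []
    for key in local_keys:
        days_left, state = expiry_state(key, now)
        if state != "OK":
            findings.append((key.alias, days_left, state))
    return findings


# Constructed sample data: "old-key" was deleted on the central site, but a
# remote site without hosts never received the updated list.
NOW = datetime(2026, 4, 29, tzinfo=timezone.utc)
OLD_KEY = SigningKey("old-key", NOW + timedelta(days=5))
NEW_KEY = SigningKey("new-key", NOW + timedelta(days=700))
CENTRAL_STORE = [NEW_KEY]
STALE_REMOTE_STORE = [OLD_KEY, NEW_KEY]
```
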