Info
If your Checkmk server is using HTTPS and you're using the Agent Bakery, your SSL certificate will expire at some time, and you need to be careful when exchanging the HTTPS certificate of your Checkmk server.
If the root CA for the new certificate stays the same, this should be no problem for the Agent Bakery. However, if the CA changes, or if you change a single standalone self-signed certificate, you must follow some extra steps.

...

Background information regarding this subject is available on our:

Step-by-step guide

...

  1. Get new certificate

  2. Check if the certificate chain has changed. This means either your root certificate or an intermediate certificate has changed.

    • Yes: Jump to step 3
    • No: Jump to step 4


  3. The chain or the standalone self-signed certificate has changed:
     
    1. Add the new chain to the Agent Updater (do NOT replace the old chain!). 

    2. Bake and sign agents.

    3. Wait until all agents have updated. Make sure to verify this!

    4. Proceed to step 4.


  4. The chain did not change, or step 3 was completed:

    1. Restrict agent updates to only 2 or 3 hosts to double-check that everything works as expected, so if something goes wrong, you do not mess up everything.

    2. Deploy the new certificate to the Apache server.

      For Checkmk Appliances: Click on Device Settings → Web Access → Upload Certificate

      screenshot showing the location of device settings

      screenshot showing the location of web access

      screenshot showing the location of upload certificate


      Tip

      For more information about Appliances and SSL certificates, please refer to our Official Documentation.


    3. Check for the correct cert and chain by using a browser.

    4. Make sure the agent update works for the test hosts.

    5. If the chain changed (see step 3), remove the old chain from the updater rule, bake & sign agents, and see if everything works with the test hosts.

    6. Remove the restriction to the test hosts and update all agents.
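
One way to make the step 2 decision repeatable, as an added example that is not part of the original article or of Checkmk: it fingerprints the CA part of the old and new PEM bundles and maps the difference onto the step numbers above. It assumes leaf-first bundles and treats a one-certificate bundle as the standalone self-signed case; `rotation_plan`, `make_pem` and the sample bundles are hypothetical names and constructed data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprint of every certificate in a PEM bundle, in file order."""
    bodies = PEM_RE.findall(pem_bundle)
    if not bodies:
        raise ValueError("no PEM certificate found in bundle")
    return [hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest() for b in bodies]

def trust_certs(pem_bundle):
    """Certificates the Agent Updater must trust for this bundle.

    Assumes leaf-first order. A bundle with a single certificate is treated as
    the standalone self-signed case, where the certificate is its own anchor.
    """
    fps = fingerprints(pem_bundle)
    return set(fps) if len(fps) == 1 else set(fps[1:])

def rotation_plan(old_bundle, new_bundle):
    """Map the old/new comparison onto the guide's step numbers."""
    old, new = trust_certs(old_bundle), trust_certs(new_bundle)
    to_add = sorted(new - old)  # step 3.1: add these, keep the old chain in place
    return {
        "next_step": 3 if to_add else 4,
        "add_to_updater": to_add,
        # step 4.5: only relevant when the chain changed
        "remove_after_switch": sorted(old - new) if to_add else [],
    }

def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed samples)."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed stand-ins, not real certificates. In practice, read the PEM files.
OLD = make_pem(b"leaf-2023") + make_pem(b"intermediate-A") + make_pem(b"root-A")
RENEWED = make_pem(b"leaf-2024") + make_pem(b"intermediate-A") + make_pem(b"root-A")
NEW_CA = make_pem(b"leaf-2024") + make_pem(b"intermediate-B") + make_pem(b"root-B")

if __name__ == "__main__":
    print(rotation_plan(OLD, RENEWED)["next_step"])
    print(rotation_plan(OLD, NEW_CA))
```

A fingerprint comparison is deliberately conservative: a CA certificate reissued with the same key still counts as a change and sends you through step 3.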

Verification

The following can help determine if the certificates of an agent match the certs of the Checkmk server.

...