In case your Checkmk Server is using https, and you're using the agent bakery, your SSL Certificate will be expired expiring at some time. If the CA for the new certificate stays the same, this should be no problem for the agent bakery.
However, if the CA changes you would have to follow some extra steps.
Step-by-step guide
- get Get new certificate
- check Check if the certificate chain changed. If:
- yes: jump to step 3
- no: jump to step 4
- the The chain changed
- add the new chain to the Agent Updater (do NOT replace the old chain!).
- bake and sign agents
- wait untill all agents updated
- jump so step 4
- the The chain did not change or step 3 is done
- restrict Auto Updates to only 2 or 3 hosts, so if something goes wrong you do not mess up everything
- deploy the new certificate to the Apache server
- check for the correct cert and chain by using a browser
- make sure Auto Update works for the test hosts
- if the chain chagned changed (see step 3) remove the old chain from the updater rule, bake & sign agents, and see if everything works with the test hosts
- remove the restriction to the test hosts and update all agents.
P.S. to step 3: As this article is written (v2.0.0p8), Checkmk cannot handle the chain correctly if it is contained i a single file. All certs (client, root, intermediate) need to be added separately.
If you have everyting in one .crt file this is quite easy: just upload the file, copy the rule. Checkmk automatically converts the file to text, and now you can split the certificates at ther "BEGIN/END Certificate" sections.
Related articles
| Filter by label (Content by label) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...