Info: If your Checkmk server is using HTTPS and you're using the Agent Bakery, your SSL certificate will expire at some point, so you need to be careful when exchanging the HTTPS certificate of your Checkmk server. If the root CA for the new certificate stays the same, this should be no problem for the Agent Bakery.
Status: Last tested on Checkmk 2.2.0p1
However, if the CA changes, or if you change a standalone self-signed certificate, you must follow some extra steps. |
Status: Applicable to all Checkmk versions
Getting Started
Background information regarding this subject is available on our:
Step-by-step guide
1. Get the new certificate.
2. Check whether the certificate chain has changed, i.e. whether either your root certificate or an intermediate certificate is different:
- Yes: jump to step 3.
- No: jump to step 4.
3. The chain or the standalone self-signed certificate has changed:
- Add the new chain to the Agent Updater (do NOT replace the old chain!).
- Bake and sign agents.
- Wait until all agents have updated. Make sure to verify this!
- Proceed to step 4.
4. The chain did not change, or step 3 has been completed:
- Restrict agent updates to only 2 or 3 hosts, so that if something goes wrong you do not mess up everything and can double-check that everything works as expected.
- Deploy the new certificate to the Apache server. For Checkmk Appliances: click on Device Settings → Web Access → Upload Certificate.
- Check for the correct certificate and chain by using a browser.
- Make sure the agent update works for the test hosts.
- If the chain changed (see step 3), remove the old chain from the updater rule, bake & sign agents, and check that everything works with the test hosts.
- Remove the restriction to the test hosts and update all agents.
P.S. to step 3: At the time this article was written (v2.0.0p8), Checkmk cannot handle the chain correctly if it is contained in a single file. All certificates (client, root, intermediate) must be added separately.
If you have everything in one .crt file, this is relatively easy: upload the file & save it, then copy the rule. Checkmk automatically converts the file to text, and now you can split the certificates at their "BEGIN/END CERTIFICATE" sections.
Verification
The following commands help determine whether the certificates in an agent's updater store match the certificate of the Checkmk server.
Show the Certificate Authority, Issuers and Subjects of the certificates that were installed with the agent package:
```bash
root@mylinuxhost:~# echo "Agent updater certificate store:"
openssl crl2pkcs7 -nocrl -certfile <(cat /etc/check_mk/cmk-update-agent.cfg | egrep "\\n'" | cut -f2 -d":" | cut -f2 -d"'" | sed "s/\\\\n//g") | openssl pkcs7 -print_certs -text -noout | grep -e Subject: -e Issuer -e CA
```
Show Issuer, Subject and Subject Alternative Names of the certificate of the server the agent updater is registered to:
```bash
root@mylinuxhost:~# s=$(cat /etc/check_mk/cmk-update-agent.cfg | grep "'server'" | cut -f4 -d"'")
echo "CMK Server HTTPS Certificate for $s"
openssl s_client -connect $s:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -e Issuer: -e Subject: -e DNS:
```
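As an added example (not part of the original article and not Checkmk code), the following script automates the comparison the two commands above leave to the eye: it extracts the certificates from the agent updater store, splits a chain into separate PEM blocks (the manual step from the P.S. to step 3), and reports by SHA-256 fingerprint which certificates of the chain the server presents are still missing from the store. It assumes the store format the article's grep/cut/sed pipeline implies (one line per entry with the PEM stored as a single-quoted string containing literal `\n`); the certificate bodies are constructed placeholders, not real X.509 data, and real input would come from `/etc/check_mk/cmk-update-agent.cfg` and `openssl s_client -showcerts`.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text):
    """Split a PEM bundle into one normalised block per certificate (the P.S. step)."""
    blocks = []
    for body in PEM_RE.findall(pem_text):
        b64 = "".join(body.split())  # drop line breaks and spaces
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    return blocks


def agent_store_certs(cfg_text):
    """Certificates from cmk-update-agent.cfg; assumes 'key': '<PEM with literal \\n>' per line."""
    certs = []
    for line in cfg_text.splitlines():
        m = re.search(r":\s*'([^']*\\n[^']*)'", line)  # same selection as the egrep/cut pipeline
        if m:
            certs.extend(split_pem_chain(m.group(1).replace("\\n", "\n")))
    return certs


def fingerprint(pem_block):
    """SHA-256 over the DER bytes, matching `openssl x509 -fingerprint -sha256`."""
    der = base64.b64decode("".join(PEM_RE.search(pem_block).group(1).split()))
    return hashlib.sha256(der).hexdigest()


def chain_trust_report(server_chain_pem, cfg_text):
    """For every cert the server presents after the leaf: is it already in the agent store?
    The leaf itself is skipped, it is never expected in the updater store."""
    store = {fingerprint(c) for c in agent_store_certs(cfg_text)}
    chain = split_pem_chain(server_chain_pem)
    return {fingerprint(c): fingerprint(c) in store for c in chain[1:]}


def _fake_pem(label):
    """Constructed placeholder 'certificate' (base64 of a label), NOT real X.509 data."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


OLD_ROOT, NEW_ROOT, NEW_LEAF = (_fake_pem(n) for n in ("old-root", "new-root", "new-leaf"))
# Constructed store: still holds only the old root, written the way the cfg escapes newlines
SAMPLE_CFG = "{'server': 'cmk.example.com',\n 'certificate': '" + OLD_ROOT.replace("\n", "\\n") + "'}\n"
NEW_CHAIN = NEW_LEAF + NEW_ROOT  # what the server would present after the certificate swap

if __name__ == "__main__":
    for fp, present in chain_trust_report(NEW_CHAIN, SAMPLE_CFG).items():
        print(fp[:16], "in agent store" if present else "MISSING: add it to the updater rule before step 4")
```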