Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 19 Next »

Agent controller - Connection refused

Problem

With Checkmk 2.1 we released the new agent controller with TLS connection. Detailed docs can be found here:

In this manual, we will show you how to debug the below error:


Please run the following commands to check the state of the agent controller and the port states:


For Linux

ss -tulpn | grep 6556

ps waux | grep cmk-agent-ctl

cmk-agent-ctl status

systemctl status check-mk-agent.socket
systemctl status cmk-agent-ctl-daemon.service


For Windows

netsh interface ipv4 show excludedportrange protocol=tcp

Solution

For Linux

If the registration is good, but cmk-agent-ctl cannot be started. This might be a bug.

You might then switch to xinetd mode:

apt install xinetd

Disable the systemd services:

systemctl stop check-mk-agent.socket
systemctl disable check-mk-agent.socket
systemctl stop cmk-agent-ctl-daemon.service
systemctl disable cmk-agent-ctl-daemon.service

Install the xinetd service:

/var/lib/cmk-agent/scripts/super-server/1_xinetd/setup deploy
/var/lib/cmk-agent/scripts/super-server/1_xinetd/setup trigger


Disable TLS registration on the CMK Server: Properties of host → menu → entry Host → Remove TLS registration

Afterwards ss should show xinetd claiming the connection 

ss -tulpn | grep 6556
systemctl status check-mk-agent.socket

Registration with cmk-agent-ctl is not working

Problem

After installing the agent, the registration is not working and showing the following issue:

Solution

Please check and verify that the agent controller is running:

ss -tulpn | grep 6556
 
ps waux | grep cmk-agent-ctl
 
cmk-agent-ctl status
 
systemctl status check-mk-agent.socket
systemctl status cmk-agent-ctl-daemon.service


In that case here, the agent controller is not running because xinetd is running. For the agent controller, systemd is necessary: https://checkmk.com/werk/13865

If you're using the bakery you need to create the following rule:


Without the bakery, please follow these steps: https://docs.checkmk.com/latest/en/agent_linux_legacy.html#_systemd


ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Problem

Upon registering the agent controller for TLS, you encounter this problem:

root@<cmkserver>:~# cmk-agent-ctl register -H <host> -s <checkmk-server> -i <site> -U <username>
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Error with http:
Failed to discover agent receiver port from http://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (http://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

Error with https:
Failed to discover agent receiver port from https://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (https://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

Solution #1

Register the agent with the receiver port (by default 8000, counting up similar to site Apache 5000 → 5001 ...) like so: 

root@<cmkserver>:~# cmk-agent-ctl register -H <host> -s <checkmk-server> -i <site> -U <username> -p:8000

Solution #2

Add the self signed certificate to the OS's cert store. Example for Ubuntu:  https://ubuntu.com/server/docs/security-trust-store



  • No labels