Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

Agent controller - Connection refused

Problem

With Checkmk 2.1 we released the new agent controller with TLS connection. Detailed docs can be found here:

In this manual, we will show you how to debug the below error:


Please run the following commands to check the state of the agent controller and the port states:


For Linux

ss -tulpn | grep 6556

ps waux | grep cmk-agent-ctl

cmk-agent-ctl status

systemctl status check-mk-agent.socket
systemctl status cmk-agent-ctl-daemon.service


For Windows

netsh interface ipv4 show excludedportrange protocol=tcp

Netstat for Windows (check the open/listening ports):

netstat -anb > output.txt

Solution

For Linux

If the registration is good, but cmk-agent-ctl cannot be started. This might be a bug.

You might then switch to xinetd mode:

apt install xinetd

Disable the systemd services:

systemctl stop check-mk-agent.socket
systemctl disable check-mk-agent.socket
systemctl stop cmk-agent-ctl-daemon.service
systemctl disable cmk-agent-ctl-daemon.service

Install the xinetd service:

/var/lib/cmk-agent/scripts/super-server/1_xinetd/setup deploy
/var/lib/cmk-agent/scripts/super-server/1_xinetd/setup trigger


Disable TLS registration on the CMK Server: Properties of host → menu → entry Host → Remove TLS registration

Afterwards ss should show xinetd claiming the connection 

ss -tulpn | grep 6556
systemctl status check-mk-agent.socket

Registration with cmk-agent-ctl is not working

Problem

After installing the agent, the registration is not working and showing the following issue:

Solution

Please check and verify that the agent controller is running:

ss -tulpn | grep 6556
 
ps waux | grep cmk-agent-ctl
 
cmk-agent-ctl status
 
systemctl status check-mk-agent.socket
systemctl status cmk-agent-ctl-daemon.service


In that case here, the agent controller is not running because xinetd is running. For the agent controller, systemd is necessary: https://checkmk.com/werk/13865

If you're using the bakery you need to create the following rule:


Without the bakery, please follow these steps: https://docs.checkmk.com/latest/en/agent_linux_legacy.html#_systemd


ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Problem

Upon registering the agent controller for TLS, you encounter this problem:

root@<cmkserver>:~# cmk-agent-ctl register -H <host> -s <checkmk-server> -i <site> -U <username>
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https.

Error with http:
Failed to discover agent receiver port from http://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (http://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

Error with https:
Failed to discover agent receiver port from https://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke
error sending request for url (https://<checkmk-server>/<site>/check_mk/api/1.0/domain-types/internal/actions/discover-receiver/invoke): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914: (unable to get local issuer certificate)
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1914:

Solution #1

Register the agent with the receiver port (by default 8000, counting up similar to site Apache 5000 → 5001 ...) like so: 

root@<cmkserver>:~# cmk-agent-ctl register -H <host> -s <checkmk-server> -i <site> -U <username> -p:8000

Solution #2

Add the self signed certificate to the OS's cert store. Example for Ubuntu:  https://ubuntu.com/server/docs/security-trust-store


ERROR [cmk_agent_ctl] Error while loading registered connections.

Detailed error message:

ERROR [cmk_agent_ctl] Error while loading registered connections.

Caused by:
    Failed to split into server and port at ':' at line 4 column 24


If you see this error message when trying to work with any subcommand of cmk-agent-ctl, there is probably something wrong in the file /var/lib/cmk-agent/registered_connections.json.

Solution

First move the file registered_connections.json to registered_connections.json.bak and re-run the command. If that works you can start checking the content of the file. If you still need the registration data stored in the file, check the line and column in the error message and try to repair it. If you don't need it anymore, simply delete the file.

Related articles



  • No labels