In case your Checkmk Server is using https, and you're using the agent bakery, your SSL Certificate will be expiring at some time. If the CA for the new certificate stays the same, this should be no problem for the agent bakery.
However, if the CA changes you would have to follow some extra steps.
Step-by-step guide
- Get new certificate
- Check if the certificate chain changed. If:
- yes: jump to step 3
- no: jump to step 4
- The chain changed
- add the new chain to the Agent Updater (do NOT replace the old chain!).
- bake and sign agents
- wait untill all agents updated
- jump so step 4
- The chain did not change or step 3 is done
- restrict Auto Updates to only 2 or 3 hosts, so if something goes wrong you do not mess up everything
- deploy the new certificate to the Apache server
- check for the correct cert and chain by using a browser
- make sure Auto Update works for the test hosts
- if the chain changed (see step 3) remove the old chain from the updater rule, bake & sign agents, and see if everything works with the test hosts
- remove the restriction to the test hosts and update all agents.
P.S. to step 3: As this article is written (v2.0.0p8), Checkmk cannot handle the chain correctly if it is contained in a single file. All certs (client, root, intermediate) need to be added separately.
If you have everyting in one .crt file this is quite easy: just upload the file & save, then copy the rule. Checkmk automatically converts the file to text, and now you can split the certificates at ther "BEGIN/END Certificate" sections.
When done, delete the initial rule.
Related articles