ID: 14965
Title: Dedicated CA for agent certificates
Component: Checks & agents
Level: 1
Class: Security fix
Version: 2.2.0b1
On agent registration, the contacted site issues an x509 certificate to the requesting agent controller.<br>
Previously, this agent certificate has been signed by the site-local CA, that's also used to issue certificates used for distributed monitoring, and to issue the agent receiver's certificate.
Starting with this Werk, each Checkmk site will use a dedicated agent CA to issue certificates to requesting agent controllers.
This change slighly improves security, as agent receiver and agent controller can't be authenticated with the same root certificate anymore, making it impossible to act as each other.<br>
While this situation has effectively been prevented before, this is now assured already on transport level, rather than on application level.
To prevent locking out registered agents, preexisting (Created with a Checkmk version prior to this Werk) Checkmk sites will still accept certificates issued by the site CA in parallel to the new agent CA.<br>
New sites will only accept certificates issued by the agent CA.<br>
This change is also loosely coupled with the new certificate lifetime mentioned in Werk #14964.<br>
Since active agent controllers will automatically renew their certificate to a new lifetime-limited one, this also means that they will migrate to new new CA automatically.
As an additional benefit, experienced users now can replace the agent signing CA with their own one. This has to be done directly at the site's home directory, though.<br>
The new agent CA is located at <tt>~/etc/ssl/agents/ca.pem</tt> and can be replaced with a new one in the same format.<br>
To migrate from one CA to another, it's also possible to add additional trusted root certificates to <tt>~/etc/ssl/agents/</tt>.
Even though this Werk is related to security, it does not fix any exploitable
issue.<br>
To aid automatic scanners, we assign a CVSS score of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
ID: 14964
Title: Agent controller certificate lifetime
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
The TLS encryption for agent communication (introduced with Checkmk 2.1) makes use of x509 Certificates to authenticate the agent against the Checkmk site.<br>
Therefore, the Checkmk site issues a certificate to the agent controller of a host on agent registration.
Previously, these certificates used to have a virtually unlimited expiration period.
Starting with this Werk, agent certificates will only be issued with a limited expiration period.<br>
This period is configurable with the global setting "Site management/Agent certificates" and defaults to 5 years.<br>
You can choose from various values, with a minumum of 3 months and a maximum of 50 years.
The agent controller will automatically renew the agent certificate in time before it expires, provided that it's running.<br>
The same holds true for legacy certificates with a too-long validity period.<br>
That said, inactive TLS agents (agent controller daemon(Linux)/Checkmk agent service(Windows) not running) will actually lose their registration on certificate expiration.<br>
To resume agent communication, you'll then have to re-register the agent.
ID: 15220
Title: time period: put endpoint now returns 200 with edited time period config
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0b1
The time period put endpoint previously returned a 204 and no
data response. This werk is a fix to return the time period
object along with a status code of 200 to align with our
other put endpoints.
ID: 15382
Title: service: remove non functioning endpoint example from swagger-ui
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
The "Try out" in Swagger-UI does not work for endpoint examples which make use
of the "query" query parameter. The change must be adapted on the Swagger side.
In the meantime, such endpoints will be removed to avoid any confusion and the user
should refer to the examples in the ReDoc instead.
ID: 15125
Title: Fix cleanup of PDF tmp files in ~/tmp/check_mk
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
Created PDF tmp files were not cleaned up in folder ~/tmp/check_mk.
Newly created PDF tmp files will be created in folder ~/tmp/check_mk/pdf and
the new cronjob "cleanup_pdf_tmp_files", running every day at
00:15, will cleanup PDF tmp files older one day in this folder.
ID: 15146
Title: azure_virtualmachines: Remove resource group from summary
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
Previously, the resource group was shown in a summary of a VM service if VMs
are maped to separate hosts (option 'Map data to the VM itself' in the agent config).
With the werk 15261, the cmk/azure/resource_group:<group> label was added
to all Azure hosts, which made this data redundant.
ID: 14794
Title: Enable using Rulesets for section plugins
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
This werk is relevant for you if:
<ul>
<li> you implemented a host label function that is configurable via WATO
<li> you do not have a discovery function that uses the same ruleset
</ul>
Previously, this was not possible. You may have encountered the following error:
C+:
Error running automation call restart (exit code 1), error:
Invalid configuration variable 'YOUR_RULESET'
--> Found 1 invalid variables
If you use own helper variables, please prefix them with _.
C-:
Anyway - this is fixed now.