Checkmk Werk 14715: Agent controller: Do not verify TLS certificates by default when querying the agent receiver port from Checkmk REST API

ID: 14715 Title: Agent controller: Do not verify TLS certificates by default when querying the agent receiver port from Checkmk REST API Component: agents Level: 1 Class: New feature Version: 2.2.0i1 During registration, the agent controller (<tt>cmk-agent-ctl</tt>) queries the port on which the agent receiver is listening from the Checkmk REST API, unless the port has been explicitly provided on the command line. This query is attempted both with <tt>http</tt> and <tt>https</tt>. If both queries fail, the controller aborts, otherwise, the result of the first sucessful query is used. Before this werk, when attempting with <tt>https</tt>, the controller verified the TLS server certificate presented by the Checkmk server. Hence, for the port query to succeed with <tt>https</tt>, the host system had to trust the Checkmk server certificate. If a custom certificate authority was used, the corresponding root certificate had to be added to the host's certificate store. As of this werk, the controller by default no longer verifies the server certificate when querying the port with <tt>https</tt>. We do not consider this a security risk as this is just a query to identify the receiver port. The resulting port uses a Checkmk internal certificate authority anyway, which in turn is verified in any case. Furthermore, the verification can be re-enabled with the flag <tt>--validate-api-cert</tt> (passed to <tt>cmk-agent-ctl register ...</tt>). Note that this change has no impact on the subsequent communication between the monitored host and the Checkmk server. After a successful registration, this communication will be TLS-encrypted, indepedently of whether <tt>--validate-api-cert</tt> was used or not.