This article only applies to the CEE!
This article provides a workaround for a bug that is currently under review.
Modifying site specific global settings of the central site, can cause a dead Livestatus connection for the remote site.
If you run into this issue, please follow these points:
- Compare the "Trusted certificate authorities for SSL" inside global settings or the site specific global settings of the central site
let's start at the command line:
# Trusted certificate authorities for SSL - global settings
OMD[workshop]:~$ cat etc/check_mk/multisite.d/wato/ca-certificates.mk |wc -l
# Trusted certificate authorities for SSL - site specific global settings
OMD[workshop]:~$ cat etc/check_mk/multisite.d/wato/ca-certificates_sitespecific.mk|wc -l
Here we see, that there is a difference between both files. It looks like we have fewer certificates configured on the site specific global settings (central site)
let's check both setting on the GUI
Site specific global settings (central site)
- A recap: What do does this meansmean?
- This means, that Checkmk knows of two certificate stores. In this example, one stores two certificates (global settings) and the other one stores three certificates (site specific global settings of the central site)
- If you compare both screenshots, you will notice that the certificate of the site "ws5" is missing in the site specific global settings
- But only one of these two stores are used. Usually, the "Site specific global settings" are superseding the "Global settings". But if you add a certificate through the web interface, the precedence will change temporarily (and obscure the problem).
- Every time you change the certificates in the site specific global settings of the central site, the Livestatus connection will go to status "DEAD". At this point, Checkmk has trouble with the validation of the certificate stores
- What can you do to solve the problem?
- Decide a single store for all your certificates. Use the "Global settings" as long as there is no compelling reason, that you must use the "Site specific global settings".
- If you use, the "Global settings", you can use Checkmk without any restrictions.
- If you are forced to use the "Site specific global settings", you must not use the user interface button to add the certificate in the Certificate details, but instead copy and add any new certificate of remote instances manually to the "Site specific global settings" of your central instance.