
hello

I've tried the latest version of the CMA, 24.10.3 and .4.

In both cases, on Windows 11 and 2025, I get an application crash when the service is starting.

Here is the event log (Windows Application log, event ID 1000):

Faulting application name: centagent.exe, version: 24.10.4.0, time stamp: 0x679a3975
Faulting module name: centagent.exe, version: 24.10.4.0, time stamp: 0x679a3975
Exception code: 0xc0000409
Fault offset: 0x000000000080fe9d
Faulting process id: 0x4DC
Faulting application start time: 0x1DB86B66FEFF8EC
Faulting application path: C:\Program Files\Centreon\CentreonMonitoringAgent\centagent.exe
Faulting module path: C:\Program Files\Centreon\CentreonMonitoringAgent\centagent.exe
Report Id: 8cf0e8d6-1a8b-43c9-96db-728efb38750a
Faulting package full name: 
Faulting package-relative application ID: 

I don't have a Windows 2019/2022 on hand to test. The Windows 2025 is a fresh install without anything installed on it, out of the box with the January patches.

On the same machines (Win11 and 2025), version 24.10.0 is working and the service is running fine.

No log in cma.log in trace mode except that it starts; here is the full log:

[2025-02-24 04:20:05.909] [centreon-monitoring-agent] [info] [main_win.cc:207] centreon-monitoring-agent start
[2025-02-24 04:20:05.909] [centreon-monitoring-agent] [debug] [grpc_client.cc:51] client this=0x1beffcf9df0 activate compression deflate
[2025-02-24 04:20:05.909] [centreon-monitoring-agent] [info] [grpc_client.cc:78] unencrypted connection to centreon:4317
[2025-02-24 04:20:05.928] [centreon-monitoring-agent] [info] [scheduler.cc:177] schedule 0 checks to execute in 1s
[2025-02-24 04:20:05.928] [centreon-monitoring-agent] [debug] [bireactor.cc:52] create client this=0x1beffd35f50 peer:centreon:4317

I tried with and without encryption in the agent configuration.

When configuring the agent with "poller initiated connection", the service is running without a crash, and with or without encryption the agent log says "unencrypted":

[2025-02-24 05:38:53.080] [centreon-monitoring-agent] [info] [main_win.cc:207] centreon-monitoring-agent start
[2025-02-24 05:38:53.081] [centreon-monitoring-agent] [info] [streaming_server.cc:146] create grpc server listening on 0.0.0.0:4317
[2025-02-24 05:38:53.081] [centreon-monitoring-agent] [info] [grpc_server.cc:60] unencrypted server listening on 0.0.0.0:4317
[2025-02-24 05:38:53.084] [centreon-monitoring-agent] [debug] [grpc_server.cc:80] server default compression deflate
[2025-02-24 05:40:11.920] [centreon-monitoring-agent] [info] [main_win.cc:334] SvcCtrlHandler 4


Also, on the server side, otl_server.json always has the encryption value set to true, with or without a certificate set up in the web UI for the

For example here:

{
  "otel_server": {
    "host": "0.0.0.0",
    "port": 4317,
    "encryption": true,
    "public_cert": "/etc/pki/cma.crt",
    "private_key": "/etc/pki/cma.key",
    "ca_certificate": "/etc/pki/cma.crt"
  },
  "centreon_agent": {
    "check_interval": 60,
    "export_period": 60,
    "reverse_connections": [
      {
        "host": "192.168.10.17",
        "port": 4317,
        "encryption": true,
        "ca_certificate": "",
        "ca_name": null
      }
    ]
  }
}

The only way I could make it work:
set up the agent with poller-initiated connection and no encryption

configure the server with a certificate (as you can't validate the wizard without a valid certificate in the /etc/pki folder)

configure the agent with poller-initiated connection

push the configuration

edit the otl_server file

remove the 3 lines "encryption, ca_certificate, ca_name" from the reverse connections

{
  "otel_server": {
    "host": "0.0.0.0",
    "port": 4317,
    "encryption": true,
    "public_cert": "/etc/pki/cma.crt",
    "private_key": "/etc/pki/cma.key",
    "ca_certificate": ""
  },
  "centreon_agent": {
    "check_interval": 60,
    "export_period": 60,
    "reverse_connections": [
      {
        "host": "192.168.10.17",
        "port": 4317
      }
    ]
  }
}

Restart the centengine service.

Hello,

First, thank you for your detailed feedback. The encryption issue was fixed two weeks ago on the development branch. You can find the latest version I compiled this morning here: centreon-monitoring-agent.exe. I will try to reproduce your agent crash and fix it asap.

Regards


Hello

With that new agent, I don't have the error and the service is running correctly when running without "poller initiated connection"; it seems to work now.

So: "client connects to poller without encryption": ok.

If checking encryption, I'm having some issues, but I probably did not create the certificate correctly; I'll try another method.

The error I got was: "ossl_transport_security.cc:1659] Handshake failed with fatal error SSL_ERROR_SSL: error:0A00010B:SSL routines::wrong version number"

But I made a self-signed without a CA, probably not ok; I'll try with a CA file.


I think I may need to recheck the documentation; I don't really understand what/when to use the encryption.

In the case "client connect to poller", the poller has a certificate, apparently directly in the /etc/pki folder (CA cert, server cert, and keys).

In this case, does the client need the "encryption" checkbox?

The cma log on the client says:

So I'm a bit confused and it's not really clear.

Is this encryption both ways? (with a cert on the client and the server)

In the other case, "poller connect to client", the client acts as a server as it listens on port 4317; there you need a certificate to ensure encryption. I don't really know how to create a valid certificate (I tried using the same as the one I made on the Linux poller, but if I need to create a certificate with the agent hostname, this will be really problematic

(something like the key automatically installed in the "centreon-nsclient" package would be nice)


Yes, if one side uses encryption, the other must do so. But you don't have to create keys for both sides, even if it is allowed. The protocol is gRPC on HTTP/2, so crypto must be parameterized as an HTTP server and its client.

In the case where the poller is the server, you generate a key and a certificate on the server, and you can put the server certificate in the Windows certificate store of the agent host.

Unfortunately, in the case of a reverse connection, you need a certificate per agent host, as the certificate CN must contain the agent host name. On the other side, the poller has to connect to the agent using this host name, not the IP. If the agent host name is not in DNS, I add it to /etc/hosts.
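To make the reverse-connection constraint above concrete, here is an added example (my own, not Centreon's code) that builds a small test CA with OpenSSL, issues a per-agent certificate whose CN and subjectAltName carry the agent host name, and then runs the same name check a TLS client performs when it connects: the certificate matches the agent host name but not another name or a bare IP address, which is exactly why the poller has to reach the agent by name. The host name agent01.example.lan, the CA name and the work directory are constructed values; the script needs only the openssl command line.

```shell
#!/bin/sh
# Added example: test CA plus one per-agent certificate, and the hostname
# check that explains why a poller must connect to the agent by name.
# Names and paths are constructed for the demo; nothing here is Centreon's.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ca: one self-signed CA key/cert, reused for every agent certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=cma-test-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_agent_cert HOSTNAME: key + CSR signed by the CA, with the host name in
# both CN and subjectAltName (modern TLS clients check the SAN, not the CN).
make_agent_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt" 2>/dev/null
}

# chain_ok CERT: the CA the poller trusts must have signed the agent cert.
chain_ok() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# matches_name CERT NAME: succeeds when the certificate's names match NAME,
# the check a TLS client makes against the host name it dialled.
matches_name() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# matches_ip CERT IP: same check for a literal IP; only an IP SAN can pass.
matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# demo: full flow for one agent; succeeds only when every expectation holds.
demo() {
  make_ca
  make_agent_cert agent01.example.lan
  crt="$WORKDIR/agent01.example.lan.crt"
  chain_ok "$crt" &&
  matches_name "$crt" agent01.example.lan &&
  ! matches_name "$crt" agent02.example.lan &&
  ! matches_ip "$crt" 192.168.10.17
}
```

Running `demo` leaves ca.crt (what the poller would trust), agent01.example.lan.crt and its key in the work directory; the last two checks are the ones that fail in practice when a poller is configured with the agent's IP instead of the name in the certificate.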


In the case where the poller is the server, you generate a key and a certificate on the server, and you can put the server certificate in the Windows certificate store of the agent host.

Ok, that's clearer, I'll try that.

Unfortunately, in the case of a reverse connection, you need a certificate per agent host, as the certificate CN must contain the agent host name. On the other side, the poller has to connect to the agent using this host name, not the IP. If the agent host name is not in DNS, I add it to /etc/hosts.

That is something extremely problematic. Going back to the "hostname" needed in the configuration, this simply prevents cloning and deploying VMs with any form of template. Even more: the installer could be run by a package manager, and then what? (You would need to run a PowerShell command, that could work, New-SelfSignedCertificate, or maybe use the standard Microsoft certificate store, which would be easier to manage and be compatible with pre-existing installed certificates, or an internal PKI that delivers signed certificates to all Windows hosts in a domain; lots of possibilities, none of which seems ok.)

Next, you need to get that certificate and push it somehow into /etc/pki of the poller? (Or is that not needed?)

gRPC over HTTP ok, SSL for HTTP ok, but you surely can add some SSL connection option to ignore the certificate, and any name would pass, or even a "CN=*" could work for that matter and match DNS or IP.


Hi Christophe, thanks for your feedback.

We plan to release, after the GA, an “Insecure TLS connection” mode, which will do the following : 

  • self-signed certificates are allowed

  • CN check is disabled

It seems this could fix your need. Do you confirm ? 

Thanks.


Hi

Yes, this would be great, and a small procedure, or even include the generation of that self-signed certificate in the installer?

If a cert/key in base64 is the end on Windows, here is a script to create a self-signed certificate and export it:

$certFile = 'C:\temp\test2.crt'
$keyFile = 'C:\temp\test2.key'

# Self-signed certificate in the machine store; the key must be exportable
# so the private key can be written to a file afterwards.
$params = @{
    DnsName = 'localhost'
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyExportPolicy = 'Exportable'
}

$cert = New-SelfSignedCertificate @params

# Certificate as PEM: base64 DER between CERTIFICATE markers.
@(
    '-----BEGIN CERTIFICATE-----'
    [System.Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    '-----END CERTIFICATE-----'
) | Out-File -FilePath $certFile -Encoding ascii

# Private key exported as an unencrypted PKCS#8 blob, written as PEM.
# A PKCS#8 key uses the PRIVATE KEY markers, not CERTIFICATE.
$rsakey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keybytearr = $rsakey.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)

@(
    '-----BEGIN PRIVATE KEY-----'
    [System.Convert]::ToBase64String($keybytearr,
        [System.Base64FormattingOptions]::InsertLineBreaks)
    '-----END PRIVATE KEY-----'
) | Out-File -FilePath $keyFile -Encoding ascii

# Remove the certificate from the store now that both files are written.
$cert | Remove-Item
