Stunnel for Checkmk Live Status over TCP setup

After installing Check_MK, configuring your sites, as well as Livestatus TCP on the remote pollers but before configuring the Distributed Monitoring connections in WATO, this article can help you setup an SSL encrypted tunnel for the Livestatus data to flow between.

NOTE: It is recommended that you enable HTTPS on Check_MK’s UI as part of your move to secure your monitoring environment.

This guide covers how to setup stunnel for Livestatus on CentOS based Check_MK servers. You should be able to port these instructions to other distros without too much difficulty.

The following instructions need to be done on all Check_MK servers that will be part of your distributed monitoring environment.

First, install stunnel:

yum install stunnel

Next, create the user for stunnel to run as:

useradd -r -m -d /var/run/stunnel -s /bin/false stunnel

Add the runtime folder to tmpfiles.d configuration to recreate the directory on reboot:

echo "d /var/run/stunnel 0770 stunnel stunnel -" > /etc/tmpfiles.d/stunnel.conf

Last command that needs to be done on all servers for now is to create the systemd service unit for stunnel then enable it:

cat << EOF > /etc/systemd/system/stunnel.service
[Unit]
Description=SSL tunnel for network daemons
After=syslog.target

[Service]
ExecStart=/usr/bin/stunnel
Type=forking

[Install]
WantedBy=multi-user.target
EOF
systemctl enable stunnel.service

The following needs to be done on all Check_MK pollers

Create a self-signed certificate if one signed by a Certificate Authority is not available:

openssl req -new -newkey rsa:2048 -days 3650 \
  -nodes -x509 -sha256 \
  -subj '/CN=127.0.0.1/O=localhost/C=US' \
  -keyout /etc/stunnel/stunnel.pem \
  -out /etc/stunnel/stunnel.pem

If a certificate signed by a CA is available, install it onto the pollers as /etc/stunnel/stunnel.pem.

Next, edit the file /etc/stunnel/stunnel.conf.

You will need to replace the IP 4.3.2.1 with your poller’s IPv4 address:

chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid    = /stunnel.pid
fips   = no

[cmklivestatus]
client     = no
accept     = 4.3.2.1:7556
connect    = 127.0.0.1:6557
cert       = /etc/stunnel/stunnel.pem
key        = /etc/stunnel/stunnel.pem
sslVersion = TLSv1

Make sure to edit the stunnel config file on all pollers you wish to Livestatus monitor over stunnel. Please be sure to increment the port used with each poller. If you have a second poller it would use port 7557 as an example.

The following step is to be on the Check_MK master server:

Edit the file /etc/stunnel/stunnel.conf.

You will need to replace the IP 4.3.2.1 with your Check_MK poller’s IPv4 address:

chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid    = /stunnel.pid

[cmklivestatus]
client     = yes
accept     = 127.0.0.1:7556
connect    = 4.3.2.1:7556
sslVersion = TLSv1

If you have more than one poller, you will just duplicate the client definition block and update the block name, IP address, and port accordingly. Here is an example with two pollers being setup for Distributed Monitoring over stunnel:

chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid    = /stunnel.pid

[cmklivestatus]
client     = yes
accept     = 127.0.0.1:7556
connect    = 4.3.2.1:7556
sslVersion = TLSv1

[cmklivestatus2]
client     = yes
accept     = 127.0.0.1:7557
connect    = 7.6.5.4:7557
sslVersion = TLSv1

The following steps need to be done on all Check_MK servers:

Add firewall rules as appropriate to your Check_MK master and pollers. As an example:

Check_MK Master:

firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Check_MK pollers:

firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=<stunnelPortNumber>/tcp
firewall-cmd --reload

Then, start the stunnel services:

systemctl start stunnel

Once you have successfully started all the stunnel services, you can go into WATO and setup Distributed Monitoring connections. Here is an example of what the config could look like:

If you are having difficulties, please try putting SELinux into permissive mode on each server in the monitoring cluster and restarting all the servers in your monitoring cluster.

Check_MK documentation on setting up Distributed Monitoring.