CheckMK RAW Install – AWS Lightsail

I have been using the RAW and Enterprise versions of CheckMK at work for some time now – probably well over 3 years. Because of creating this WordPress site and wanting to test different features, I decided to create a CheckMK RAW version on an Ubuntu 18.04 installation on Amazon AWS Lightsail. There will be more configuration, but this is an initial outline of how I got https://checkmk.shank.land/ up and running in a basic config along with a LetsEncrypt SSL certificate.


Lightsail Ubuntu Instance

The first step in creating the CheckMK site was to have somewhere to host it. I have been using AWS Lightsail on and off for about a year, so it seemed the best and quickest place to start. For $5 per month I got myself a running instance of Ubuntu 18.04 with the following specs:

1GB RAM
1 vCPU
40GB SSD
Fixed IP

You can go cheaper, and initially I did, but I found CheckMK didn’t like running on just 512MB of RAM.

At instance creation time you get the option of using a key pair file for the SSH connection. I did this as I wanted to use an SSH client for the configuration instead of the web SSH option that Amazon gives you as well. Using a key pair is just a simple matter of creating the file, downloading it and then using that to connect rather than a password. I used macOS and Terminal for this, so I simply downloaded the .pem file to my Documents folder and then ran the following:

chmod 600 Shankland-CheckMK01-KeyPair.pem
ssh -i Shankland-CheckMK01-KeyPair.pem ubuntu@3.9.106.59


Once connected I then updated the server and installed NTP client:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get install ntp
sudo service ntp restart
sudo reboot

Finally, I created an A record to point checkmk.shank.land to the fixed IP of 3.9.106.59.

CheckMK RAW Installation

Installation of CheckMK is really straightforward whatever version you decide to use. It is simply a matter of downloading the latest version, using gdebi to install and then creating a ‘site’. In my case the site is called ‘master’ but can be anything you want.

sudo apt-get install gdebi-core
mkdir ~/downloads
cd ~/downloads
wget https://mathias-kettner.de/support/1.5.0p16/check-mk-raw-1.5.0p16_0.bionic_amd64.deb
sudo gdebi check-mk-raw-1.5.0p16_0.bionic_amd64.deb

sudo omd create master
sudo omd start master

Once the site has been created you should install the CheckMK agent onto the monitoring server. This simply allows you to monitor the CheckMK host correctly without having to resort to SNMP etc. The easiest method for this is to sign into your new CheckMK site, go to ‘Monitoring Agents’ and copy the link to the preconfigured agent for your OS. For me, running Ubuntu, this was the .deb file.


Once you have the URL of this file you are then able to install the agent on the host server:

cd ~/downloads
wget http://checkmk.shank.land/master/check_mk/agents/check-mk-agent_1.5.0p16-1_all.deb
sudo gdebi check-mk-agent_1.5.0p16-1_all.deb

You can then add in the host server directly into CheckMK and start monitoring!


Redirect Root URL to /<site>

One of the great things with CheckMK is that you can create multiple sites. These could be for different business areas, test & dev or anything else you can think of. For me, I wanted ‘master’ to be the main site for production and therefore to direct the main URL of http://checkmk.shank.land to this instead of having to use http://checkmk.shank.land/master.

To complete this it was a simple matter of going into the default Apache config and making one change:

sudo vim /etc/apache2/sites-enabled/000-default.conf

Replace
DocumentRoot /var/www/html

With
RedirectMatch ^/$ /master

Then
sudo service apache2 restart


SSL Enable Site

The final part for this post is SSL-enabling the site using LetsEncrypt. LetsEncrypt, for those who don’t know, is a way to get a real (not self-signed) SSL certificate for your site or appliance etc. It needs renewing every 3 months, but by putting the renewal process into a cron job, this is all handled for you.

The first part is to generate the keys required for the certificate:

sudo mkdir /opt/letsencrypt
cd /opt/letsencrypt
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x ./certbot-auto
sudo ./certbot-auto

The above will run a wizard and ask you for your email address and the URL(s) you want to generate a certificate for. It will also ask you if you want to automatically redirect HTTP traffic to HTTPS. I decided not to select this and manually change the config myself.


Once this was completed I made a copy of the default Apache config and overwrote it with the LetsEncrypt-generated one before creating my own. Typing this now, the process could be improved, but this is how I did it at the time!

sudo cp /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/000-default.original
sudo mv /etc/apache2/sites-enabled/000-default-le-ssl.conf /etc/apache2/sites-enabled/000-default.conf
sudo vim /etc/apache2/sites-enabled/000-default.conf

Replace everything within the file with the following, remembering to change the server name to something that suits you!

<IfModule mod_ssl.c>
# HTTPS virtual host: serves the site and sends the bare root URL to /master
<VirtualHost *:443>
    RedirectMatch ^/$ /master
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerName checkmk.shank.land
    # Certificate and private key issued by LetsEncrypt
    SSLCertificateFile /etc/letsencrypt/live/checkmk.shank.land/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/checkmk.shank.land/privkey.pem
    # TLS settings generated by certbot
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# HTTP virtual host: redirects every request to the HTTPS site
<VirtualHost *:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerName checkmk.shank.land
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
</IfModule>

Restart Apache for the changes to be made effective:

sudo service apache2 restart

The final part is to add a cron job in to try and renew the certificate every day and restart Apache. This will ensure your certificate doesn’t expire.

sudo crontab -e
0 0 * * * sudo /opt/letsencrypt/certbot-auto renew && sudo service apache2 restart
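
A renewal cron job can fail silently, so it is worth having CheckMK itself watch the certificate's expiry date. The script below is an added example, not part of the original post: a Check_MK agent local check that reads the certificate path used in the Apache config above. The service name LetsEncrypt_Cert, the thresholds and the install location /usr/lib/check_mk_agent/local/ are assumptions.

```shell
#!/bin/sh
# Check_MK local check (added example): report days until the LetsEncrypt
# certificate expires, so a failed cron renewal shows up in monitoring.
# Assumed install location: /usr/lib/check_mk_agent/local/cert_expiry

# Certificate path from the Apache config above; override with CERT=...
CERT="${CERT:-/etc/letsencrypt/live/checkmk.shank.land/fullchain.pem}"
# certbot renews once fewer than 30 days remain, so reaching 21 days
# means several renewal attempts have already failed (assumed thresholds).
WARN_DAYS=21
CRIT_DAYS=7

# Print whole days until the certificate's notAfter date (negative if
# already expired). Returns non-zero if the file cannot be parsed.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
    # Output looks like "notAfter=Jun  1 12:00:00 2025 GMT"; needs GNU date
    end_epoch=$(date -d "${end#notAfter=}" +%s 2>/dev/null) || return 1
    now=$(date +%s)
    echo $(( (end_epoch - now) / 86400 ))
}

# Turn a day count into one line of local-check output:
#   <state> <service name> <perfdata> <text>
# state: 0=OK 1=WARN 2=CRIT 3=UNKNOWN
local_check_line() {
    days="$1"
    if [ -z "$days" ]; then
        echo "3 LetsEncrypt_Cert - UNKNOWN - cannot read certificate"
        return 0
    fi
    state=0 label=OK
    if [ "$days" -le "$CRIT_DAYS" ]; then
        state=2 label=CRIT
    elif [ "$days" -le "$WARN_DAYS" ]; then
        state=1 label=WARN
    fi
    echo "$state LetsEncrypt_Cert days_left=$days $label - certificate expires in $days days"
}

# The agent executes this file and reads the single line printed here.
local_check_line "$(cert_days_left "$CERT")"
```

Make the file executable; after a service discovery on the host in CheckMK it appears as its own service.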

That’s it! The above got me a working CheckMK installation on AWS Lightsail with SSL via LetsEncrypt. I have a few more bits I want to complete on this installation such as using AWS SES for SMTP emailing and looking at how to secure the connection between the CheckMK host server and agents.

