This article provides troubleshooting steps for resolving SSL errors on Windows after upgrading from Checkmk 2.2 to version 2.3.
LAST TESTED ON CHECKMK 2.3
Problem
After upgrading a Windows host from Checkmk 2.2 to 2.3, you may encounter an SSL error when trying to register an agent.
The error message may appear as follows while running the agent bakery updater:
Update error: HTTPSConnectionPool(host='%SERVER-XY.xx.com%', port=443): Max retries exceeded with url: /Sitename-XY/check_mk/deploy_agent.py (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'SERVER-XY.xx.com'. (_ssl.c:1000)")))WARN, Time since last update check: 12 days 6 hours (warn/crit at 2 days 0 hours/never)WARN, Last update: 2024-06-28 09:08:24, Agent plug-ins: 1, Local checks: 0
Checkmk version 2.2 uses Python 3.10, which includes OpenSSL 1.1.1m. In contrast, Checkmk 2.3 ships with Python 3.12 and OpenSSL 3.0.11. With this version, OpenSSL has discontinued support for many deprecated protocols and configurations, including certificates lacking SAN (Subject Alternative Name) entries.
Solutions
The solution is to recreate the SSL certificates to include the SAN (Subject Alternative Name).
This issue only affects Windows hosts; it does not occur with Linux hosts.
Related articles