Troubleshooting Python 3 / SSL issue on Windows after Checkmk upgrade to 2.3
This article provides troubleshooting steps for resolving SSL errors on Windows after upgrading from Checkmk 2.2 to version 2.3.
LAST TESTED ON CHECKMK 2.3
Problem
After upgrading the Checkmk agent on a Windows host from version 2.2.0 to 2.3.0 or later, you may encounter an SSL error when trying to register an agent.
The error message may appear as follows while running the agent bakery updater:
Update error: HTTPSConnectionPool(host='%SERVER-XY.xx.com%', port=443): Max retries exceeded with url: /Sitename-XY/check_mk/deploy_agent.py (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'SERVER-XY.xx.com'. (_ssl.c:1000)")))
WARN, Time since last update check: 12 days 6 hours (warn/crit at 2 days 0 hours/never)
WARN, Last update: 2024-06-28 09:08:24, Agent plug-ins: 1, Local checks: 0
Checkmk version 2.2 uses Python 3.10, which includes OpenSSL 1.1.1m. In contrast, Checkmk 2.3 ships with Python 3.12 and OpenSSL 3.0.11. With this version, OpenSSL has discontinued support for many deprecated protocols and configurations, including certificates lacking SAN (Subject Alternative Name) entries.
Solution
The solution is to recreate the SSL certificates so that they include a SAN (Subject Alternative Name) entry.
This issue only affects Windows hosts; it does not occur with Linux hosts.
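One way to recreate a certificate with a SAN entry and to check for it using the OpenSSL command line, as an added example that is not part of the original article. The host name checkmk.example.com, the file names and the function names are constructed, and a self-signed certificate stands in for whatever CA process you normally use.

```shell
#!/bin/sh
# Added example: function names, file names and host names are constructed.

# make_cert HOST DIR [san]
# Creates DIR/HOST.key and DIR/HOST.crt (self-signed, valid 365 days).
# With the third argument "san" the certificate carries a subjectAltName
# DNS entry for HOST; without it only the CN is set, i.e. a certificate
# lacking SAN entries as described in the Problem section.
make_cert() {
    host=$1; dir=$2; mode=${3:-}
    if [ "$mode" = "san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    fi
}

# san_covers_host CERT HOST
# Returns 0 only if CERT lists HOST as an exact DNS entry in its
# Subject Alternative Name extension (case-insensitive). The CN is
# deliberately ignored. Wildcard entries are not expanded here.
san_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -Fxqi "DNS:$2"
}
```

Running san_covers_host against the certificate currently served by the site, with the exact host name the agent updater connects to, shows whether the certificate needs to be reissued.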