Werk #18920: Windows agent updater failing for some HTTPS setups
| Component | Agent bakery |
| Title | Windows agent updater failing for some HTTPS setups |
| Date | Nov 17, 2025 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Incompatible - Manual interaction might be required |
| Checkmk versions & editions | |

The agent updater on Windows may stop working after upgrading the Checkmk agent from version 2.4.0p14 to 2.4.0p15 when it talks to a Checkmk server with a custom HTTPS setup.
This behavior was triggered by the upgrade of the Windows agent's Python module in Werk #17999.
Python 3.13 introduced strict x509 certificate validation handling.
Since this strict handling is not activated in most other standard TLS software, including OpenSSL, the failing validation may occur unexpectedly.
We did not intend to activate the stricter rules during the lifecycle of a stable release.
To mitigate the issue, we now switch the X509 certificate validation back to the OpenSSL standard, as was the case before Checkmk 2.4.0p15.
If your hosts happen to be locked out from agent deployment because of the strict validation, please check the HTTPS certificate setup of your Checkmk site.
The stricter validation often affects the web server certificate, so you might be able to fix the situation by replacing only this one, leaving the CA and/or intermediate CAs in place.
For reference:
- Release note of Python 3.13 mentioning the strict x509 validation: https://docs.python.org/3/whatsnew/3.13.html#ssl
- OpenSSL flag that's applied in the Python `ssl` module: `VERIFY_X509_STRICT`
- Strict validation means that x509 must conform to RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280.html
- Users affected by the change often used server certificates with missing Authority Key Identifier extension.
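
To check whether a site's certificate chain is rejected only by the strict validation, the following added example (not Checkmk's own code) performs one TLS handshake with `VERIFY_X509_STRICT` set and one with it cleared, then compares the results. The function names are hypothetical; host, port and an optional CA file are supplied on the command line.

```python
import socket
import ssl
import sys


def build_context(strict, cafile=None):
    """Verifying client context with VERIFY_X509_STRICT forced on or off."""
    ctx = ssl.create_default_context(cafile=cafile)
    if strict:
        ctx.verify_flags |= ssl.VERIFY_X509_STRICT   # what Python 3.13 sets by default
    else:
        ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT  # OpenSSL standard validation
    return ctx


def is_strict(ctx):
    """True if the context enforces the strict X.509 checks."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def probe(host, port, ctx, timeout=10.0):
    """One TLS handshake: None if the chain verifies, else OpenSSL's reason.

    Connection errors unrelated to certificate validation propagate."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


def classify(strict_err, relaxed_err):
    """Turn the two probe results into a verdict."""
    if strict_err is None and relaxed_err is None:
        return "ok"
    if strict_err is not None and relaxed_err is None:
        return "strict-only"   # accepted by OpenSSL standard, rejected by strict checks
    return "broken"            # fails even without the strict flag


if __name__ == "__main__" and len(sys.argv) >= 3:
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    strict_err = probe(host, port, build_context(True, cafile))
    relaxed_err = probe(host, port, build_context(False, cafile))
    print(classify(strict_err, relaxed_err),
          "| strict:", strict_err, "| relaxed:", relaxed_err)
```

A `strict-only` verdict means the chain passes the OpenSSL standard validation but not the strict one; the reason string printed for the strict handshake names the check that failed.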