Werk #19034: Update Python (3.13.9) and Stricter Certificate Validation
| Field | Value |
| --- | --- |
| Component | Checks & agents |
| Title | Update Python (3.13.9) and Stricter Certificate Validation |
| Date | Mar 18, 2026 |
| Level | Trivial Change |
| Class | New Feature |
| Compatibility | Incompatible - Manual interaction might be required |
| Checkmk versions & editions | |
Python has been updated to version 3.13.9, which enforces stricter validation of TLS certificate chains by default.
As a result, Checkmk special agents may now refuse to connect to servers presenting non-compliant certificates that were previously accepted. If this occurs in your environment, we recommend replacing the certificate with a compliant one. We outline notable requirements and methods to validate your certificates below.
Mitigations
If you cannot replace the certificate, there are two mitigation options, each with different drawbacks:
1. Disable certificate validation
Most special agents offer an option to skip certificate validation, usually labeled "Disable certificate validation" or similar. Enabling it lets the agent connect over TLS but accept any certificate, which exposes the connection to man-in-the-middle (MITM) attacks. Use this option only in fully trusted networks and only for a limited time.
2. Trust the leaf certificate directly
Alternatively, you can add the monitored server's leaf TLS certificate (not the CA or intermediate certificates) to Checkmk's "Trusted certificate authorities for SSL." This means the leaf certificate is trusted by Checkmk globally, which increases the impact if that certificate is misused or leaked. It also complicates certificate management: rotating the server's certificate requires removing the old leaf certificate from the trust list and adding the new one.
Note: You may also need to remove the issuing CA certificate from the trusted list. If it remains, Python/OpenSSL can build the chain up to that CA and fail strict validation there, without ever falling back to the directly trusted leaf certificate.
Migrating to Compliant Certificates
To verify if a certificate is compliant, use openssl version 3.0 or later with your CA certificate (e.g. ca.pem) and the issued certificate (e.g. leaf.pem):
openssl verify -x509_strict -CAfile ca.pem leaf.pem
If the output is "leaf.pem: OK", the certificate chain is compliant.
Otherwise, openssl reports the specific problem, for example "CA cert does not include key usage extension."
Common reasons for validation failure include:
- The CA certificate lacks a key usage extension or has inappropriate key usage settings
- The CA certificate is missing the Subject Key Identifier
- The CA certificate's basic constraints extension is missing, not marked critical, or does not assert CA:TRUE
- The leaf certificate is missing the Authority Key Identifier
- The issuer distinguished name is empty
- The subject distinguished name is empty, and the certificate is a CA or lacks a subject alternative name
- The certificate version is not set correctly
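As an added example (not part of this werk), the following POSIX shell script builds a CA that fails the check above because it lacks the key usage extension and a compliant CA that passes, issues a leaf certificate from each, and runs the same openssl command on both chains. It assumes OpenSSL 3.x on PATH; the CA names and the host name monitored.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the werk: build a CA that -x509_strict rejects (no
# keyUsage) and one it accepts, issue a leaf from each and run the werk's check.
# Assumes OpenSSL 3.x on PATH; the CA names and monitored.example are constructed.

# The check from the werk, reduced to "ok" or "fail" for the caller.
strict_verify() {  # $1 = CA file, $2 = leaf file
    if openssl verify -x509_strict -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Issue a leaf for monitored.example signed by CA $2 (files $1/$2.pem, $1/$2.key),
# with the extensions strict mode expects on an end-entity certificate.
issue_leaf() {
    cat > "$1/leaf.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:monitored.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=monitored.example" \
        -keyout "$1/$2-leaf.key" -out "$1/$2-leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2-leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -extfile "$1/leaf.ext" -out "$1/$2-leaf.pem" 2>/dev/null
}

# Build both CAs, issue a leaf from each and print "<legacy result> <compliant result>".
demo_strict_validation() {
    dir=$(mktemp -d)
    # Legacy CA: basic constraints and SKI but no key usage extension, the
    # failure the werk quotes ("CA cert does not include key usage extension").
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Legacy CA" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "subjectKeyIdentifier=hash" \
        -keyout "$dir/legacy.key" -out "$dir/legacy.pem" 2>/dev/null
    # Compliant CA: the same plus a critical key usage with keyCertSign and cRLSign.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "subjectKeyIdentifier=hash" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/compliant.key" -out "$dir/compliant.pem" 2>/dev/null
    issue_leaf "$dir" legacy
    issue_leaf "$dir" compliant
    echo "$(strict_verify "$dir/legacy.pem" "$dir/legacy-leaf.pem") $(strict_verify "$dir/compliant.pem" "$dir/compliant-leaf.pem")"
    rm -rf "$dir"
}
```

Running `demo_strict_validation` prints `fail ok`: the legacy chain is rejected for the missing key usage extension, while the compliant chain passes the strict check.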