Werk #19575: GUI/REST API failed to start on distributions whose system OpenSSL lacks bundled algorithms
| Component | Site management | ||||
| Title | GUI/REST API failed to start on distributions whose system OpenSSL lacks bundled algorithms | ||||
| Date | Jun 15, 2026 | ||||
| Level | Prominent Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
On some distributions (for example Red Hat Enterprise Linux 9 and derivatives) the Checkmk GUI and REST API could fail to start with an error such as:
ImportError: .../cryptography/hazmat/bindings/_rust.abi3.so:
undefined symbol: EVP_sm4_ecb, version OPENSSL_3.0.0
The site apache is served by the distribution's httpd binary. Its own startup
loads the system OpenSSL (libcrypto.so.3) - for example indirectly via the
systemd NSS module used for user and group lookups - before mod_wsgi loads the
Checkmk Python application. Because the system library and the OpenSSL bundled
with Checkmk share the same SONAME, the dynamic loader reuses the
already-loaded system copy for our Python extensions as well, ignoring their
RPATH. On distributions that ship an OpenSSL with algorithms removed (RHEL
strips SM4, for instance), symbols the bundled extensions rely on - such as
EVP_sm4_ecb - are then missing and the import fails.
The site apache start/reload now preloads the bundled libssl/libcrypto, so
the Checkmk Python extensions resolve against the OpenSSL shipped with Checkmk.
The preload is scoped to the apache process only and does not affect other
system tools invoked by the site.
Existing sites pick up the change on the next omd update (the modified
etc/init.d/apache is merged like other site files); newly created sites
include it directly. A site for which the merge keeps a customized
etc/init.d/apache needs the change applied manually.