Werk #19576: Reverted: Fix system executables failing due to Checkmk's OpenSSL being loaded via LD_LIBRARY_PATH
| Component | Site management | ||
| Title | Reverted: Fix system executables failing due to Checkmk's OpenSSL being loaded via LD_LIBRARY_PATH | ||
| Date | Jun 18, 2026 | ||
| Level | Prominent Change | ||
| Class | Bug Fix | ||
| Compatibility | Compatible - no manual interaction needed | ||
| Checkmk versions & editions |
|
Werk #19573 removed $OMD_ROOT/lib from LD_LIBRARY_PATH by setting RUNPATH on all
Checkmk-shipped ELF binaries so they could locate their bundled libraries without
relying on the environment variable. This change has been reverted.
The revert was necessary because of a conflict between the system OpenSSL and Checkmk's
bundled OpenSSL that affects distributions such as Red Hat Enterprise Linux 9 and
derivatives. The site Apache process is a distribution-provided binary. During startup
it loads the system libcrypto.so.3 — for example indirectly via the systemd NSS module
used for user and group lookups — before mod_wsgi loads the Checkmk Python application.
Because the system library and Checkmk's bundled library share the same SONAME, the
dynamic loader reuses the already-loaded system copy for Checkmk's Python extensions as
well, ignoring their RPATH. On distributions that ship an OpenSSL with certain algorithms
removed (RHEL strips SM4, for instance), symbols the bundled extensions rely on are then
missing and imports fail with errors such as:
ImportError: .../cryptography/hazmat/bindings/_rust.abi3.so:
undefined symbol: EVP_sm4_ecb, version OPENSSL_3.0.0
$OMD_ROOT/lib is therefore restored to LD_LIBRARY_PATH and the RUNPATH-only approach
will be revisited once a solution that covers the Apache SONAME collision is available.