| blob | 31f5bd357df3364b6ea33902e103b15b0ae0f24e |
1 Title: Fixed SSL connection issues in different situations
2 Level: 1
3 Component: omd
4 Class: fix
5 Compatible: compat
6 Edition: cre
7 State: unknown
8 Version: 1.5.0i1
9 Date: 1497013634
11 Whenever a server component of Check_MK opens a SSL connection it uses the trusted certificate
12 authorities to verify the SSL certificate of the destination server. This is used for example
13 when performing WATO replication to slave sites or when special agents are communicating via
14 HTTPS.
16 In older Check_MK versions the system wide trusted CAs were used to do the verification. During
17 development of Check_MK 1.4 different parts of Check_MK that establish communications via HTTPS
18 have been refactored to use a new library (python requests) which does not care about the system
19 wide trusted CAs by default. This lead to SSL verification errors because former verifyable
20 certificates were now not verifyable anymore. The error messages were different in this situation,
21 one example is: "SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed".
23 The first change is that we have now fixed that to get the old functionality back. Check_MK is
24 now searching <tt>/etc/ssl/certs</tt> or </tt>/etc/pki/tls/certs</tt> for system wide trusted
25 CAs by default.
27 The second change is that we have now added a new global setting which you can use to change
28 the behaviour: <i>Site Management > Trusted certificate authorities for SSL</i>. You can
29 disable trusting system wide trusted CAs and upload your custom CAs if you need it.