ImportError: libssl.so.1.1

Andrea_Gabellini · November 12, 2024, 2:27pm

Hello,

I just upgraded from 2.2. 0 to 2.3. 0p19 on a Debian 12 server

I enabled automatic agent upgrade, but on some older CentOS 6 systems, after upgrading, I get this error:

# cmk-update-agent -v -r
Updated the certificate store "/var/lib/check_mk_agent/cas/all_certs.pem" with 5 certificate(s)

+-------------------------------------------------------------------+
|                                                                   |
|  Checkmk Agent Updater v2.3.0-2024.10.08 - Update                |
|                                                                   |
+-------------------------------------------------------------------+
Getting target agent configuration for host 'xxxx' from deployment server
Target state (from deployment server):
  Agent available:     True
  Signatures:          1
  Target hash:         0bc1110e2edacc9e
Agent 0bc1110e2edacc9e already installed.
Forcing reinstallation.
Downloaded agent has size 15962396 bytes.
Error loading certificate #1
Traceback (most recent call last):
  File "cmk_update_agent.py", line 141, in check_signatures
  File "site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
  File "/opt/Python-3.7.6/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
  File "site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
  File "/opt/Python-3.7.6/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
  File "site-packages/cryptography/hazmat/backends/openssl/backend.py", line 75, in <module>
  File "/opt/Python-3.7.6/lib/python3.7/site-packages/PyInstaller/loader/pyimod03_importers.py", line 623, in exec_module
  File "site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 16, in <module>
ImportError: libssl.so.1.1: cannot open shared object file: No such file or directory
No valid signature found.
See syslog or Logfile at /var/lib/check_mk_agent/cmk-update-agent.log for details.

how can i solve it?

Thanks,
Andrea

Norm · November 12, 2024, 9:01pm

Hi @Andrea_Gabellini,

Centos 6 is End of Life since November 30, 2020.

In the Migration Notes for the 2.3 Update, there is the following note, that might be the actual issue you are facing:

TLDR: Centos 6 probably does not support OpenSSL 3, thus the feature won’t work on this system.

Can you check which OpenSSL version is available on your system?

In general, I would only use the auto update feature on supported operating systems that are not legacy or end of life.

Best Regards
Norm

Andrea_Gabellini · November 13, 2024, 8:38am

Thanks for the reply.

I know I have an EOL system but I can’t turn it off at the moment

I tried to compile the latest version of openssl 1.1 and install it in parallel. Now it seems to work fine.

system · November 13, 2025, 8:38am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.