RAW 2.4 vmware ESXi SSL error

martin.hirschvogel · June 5, 2025, 8:08am

Root cause was a 3rd party library (urllib3), which was updated for 2.4, where the maintainers removed a lot of ciphers.

We have a solution for this problem to re-add compatibility with older systems.
@genitguy3 and @TomR - would you be willing to test our fix before we release? If so, please send me a PM with your email-address and we will reach out with a patch.
Anyone else who has the same problem can also write me a PM with their email-address.

TomR · June 5, 2025, 11:35am

Hi Martin,

Thanks for that.

My PoC address the issue caused by the changes in urllib3, by using the function create_urllib3_context in the new version of this library, to allow a fine tuning of ciphers that are used during the connection.

Take care,

Tom.

HartmutLeister · June 13, 2025, 4:41am

after checking the fix with @TomR and @genitguy3 (thank you!)

HTTPS / TLS connection is working again. Will likely be public with the next patch release next week.
for @TomR there are still VMware related services missing in the overview.

I will open another internal ticket for the missing services.

martin.hirschvogel · June 24, 2025, 8:37am

HartmutLeister · July 28, 2025, 1:19pm

Hello @TomR,

we’re looking into that part again:

VMware related services missing in the overview

Is that error still reproducible from your side?

Sunny Greetings and thank you
Hartmut

TomR · July 28, 2025, 3:06pm

Hi @HartmutLeister,

I’ve upgraded my Checkmk version to 2.4.0p8 in order to make sure, but it’s still the same as in @genitguy3’s comment above (RAW 2.4 vmware ESXi SSL error - #16 by genitguy3). I’ve sent the result of some debug commands to @Hannes (in 2.4.0p7, but I don’t think it changes anything), but I remain available to test some more if needed.

Take care,

Tom.

TomR · August 22, 2025, 9:12am

Hi,

Regarding the missing services, I took a look a the diff of the agent_vsphere.py file between the two versions, and I found the issue in the --vm_pwr_display part. The default (with was the “right” value for me initially) has been changed (in order to add a new third option), and I simply need to adapt my config to get back all the services, from:

to

Thank you for your time helping me diagnose this issue, you can close the internal ticket about that and sorry for the noise, I should have check the new rule for “VMware ESX via vSphere” more thoroughly.

Take care,

Tom.