Sslcertificates upgrade 9.0.2

Hi
I am running 2.3.0p31 and am upgrading the extension sslcertificates from 8.9.1 to 9.0.2 (to support Checkmk 2.4).
But it stopped working, so all the sslcertificates monitoring went into error with a crash report.
I just rolled back and did not do any troubleshooting.

Has anyone upgraded to the 9.0.2 version with success?
And did you have to do anything besides activating the extension and redeploying with a new baked agent?

check_mk_extensions/sslcertificates at cmk2.3 · HeinleinSupport/check_mk_extensions · GitHub

SSL-Certificates - Checkmk Exchange

What stopped working?

Please post the crash report.

The following files located in the local hierarchy of your site are involved in this exception:

  • /omd/sites/cac/local/lib/python3/cmk_addons/plugins/sslcertificates/agent_based/sslcertificates.py

Maybe these files are not compatible with your current Checkmk version. Please verify and only report this crash when you think this should be working.

Crash Report
Exception
TypeError (Incorrect level parameters: (14, 5))
Traceback

  File "/omd/sites/cac/lib/python3/cmk/base/checkers.py", line 734, in get_aggregated_result
    check_result = check_function(**item_kw, **params_kw, **section_kws)
  File "/omd/sites/cac/lib/python3/cmk/base/checkers.py", line 514, in __check_function
    return _aggregate_results(consume_check_results(check_function(*args, **kw)))
  File "/omd/sites/cac/lib/python3/cmk/base/checkers.py", line 572, in consume_check_results
    for subr in subresults:
  File "/omd/sites/cac/lib/python3/cmk/base/api/agent_based/register/check_plugins.py", line 95, in filtered_generator
    for element in generator(*args, **kwargs):
  File "/omd/sites/cac/local/lib/python3/cmk_addons/plugins/sslcertificates/agent_based/sslcertificates.py", line 129, in check_sslcertificates
  File "/omd/sites/cac/lib/python3.12/site-packages/cmk/agent_based/v2/_check_levels.py", line 217, in check_levels
    result_lower = _check_levels(value, levels_lower, Direction.LOWER, render_func)
  File "/omd/sites/cac/lib/python3.12/site-packages/cmk/agent_based/v2/_check_levels.py", line 141, in _check_levels
    raise TypeError(f"Incorrect level parameters: {other!r}")

Local Variables

{'levels': (14, 5),
 'levels_direction': <Direction.LOWER: 'lower'>,
 'other': (14, 5),
 'render_func': <function timespan at 0x7fa87d0b39c0>,
 'value': 20911770}

Crash Type check
Time 2025-05-15 09:57:21
Operating System Ubuntu 22.04.5 LTS
Checkmk Version 2.3.0p31
Edition cee
Core cmc
Python Version 3.12.9 (main, Apr 8 2025, 14:44:03) [GCC 13.2.0]
Python Module Paths /opt/omd/versions/2.3.0p31.cee/bin
/omd/sites/cac/local/lib/python3
/omd/sites/cac/lib/python3/cloud
/omd/sites/cac/lib/python312.zip
/omd/sites/cac/lib/python3.12
/omd/sites/cac/lib/python3.12/lib-dynload
/omd/sites/cac/lib/python3.12/site-packages
/omd/sites/cac/lib/python3

Details

Host hostname
Is cluster host No
Check type sslcertificates
Enforced service No
Inline-SNMP No
Check item 6150F994B780A2F1FB1B272D9BA4FEC80XXXXXX
Description SSL Certificate in 6150F994B780A2F1FB1B272D9BA4FEC80DXXXXXX
Parameters ("Parameters({'age': (14, 5), 'warnalgo': ['md5WithRSAEncryption', " "'sha1WithRSAEncryption']})")

Please run cmk-update-config -v after upgrading.

Somehow the migration function for the check parameters is not called here and the check plugin still receives the old format. Any idea, @moritz ?

So, after I have installed the new extension, I will try that.
Do I then need to redeploy the local agents again?

No, the agent plugin has not been changed.

Sorry, no idea. I looked at the plugin, but it seems fine to me. Did cmk-update-config fix it? Is this reproducible?

I have one idea - if the CMK version is 2.3 the migration function is only done if you edit the rule or execute “cmk-update-config”.
If you do the plugin update with CMK 2.4 you will receive a message after installing the mkp that also the check parameters are migrated.

I reproduced this behavior inside my test environment some times.

2 Likes
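
The format mismatch discussed above, as an added example that is not part of the thread or of the sslcertificates MKP: the crash report shows the check receiving the legacy levels tuple `(14, 5)`, while `check_levels` in `cmk.agent_based.v2` expects a tagged form such as `("fixed", (warn, crit))`. All function names here are hypothetical, `validate_levels` is only a stand-in for the shape check in the traceback, and the days-to-seconds conversion is an assumption.

```python
# Added example; names are hypothetical and this is not the MKP's code.
DAY = 86400  # assumption: legacy 'age' levels are days, the new check uses seconds

# Constructed sample: the legacy parameters shown in the crash report.
LEGACY_PARAMS = {
    "age": (14, 5),
    "warnalgo": ["md5WithRSAEncryption", "sha1WithRSAEncryption"],
}


def is_tagged(levels):
    """True for the tagged form, e.g. ('fixed', (warn, crit)) or ('no_levels', None)."""
    return isinstance(levels, tuple) and len(levels) == 2 and isinstance(levels[0], str)


def migrate_check_params(params):
    """Convert legacy 'age' levels to the tagged form; safe to call repeatedly."""
    migrated = dict(params)
    age = migrated.get("age")
    if age is None:
        migrated["age"] = ("no_levels", None)
    elif is_tagged(age):
        pass  # already migrated, e.g. after the rule was edited and saved
    elif isinstance(age, tuple) and len(age) == 2:
        warn, crit = age
        migrated["age"] = ("fixed", (warn * DAY, crit * DAY))
    else:
        raise TypeError(f"Unrecognised legacy levels: {age!r}")
    return migrated


def validate_levels(levels):
    """Stand-in for the shape check that raised in the traceback."""
    if is_tagged(levels) and levels[0] in ("no_levels", "fixed"):
        return levels[0]
    raise TypeError(f"Incorrect level parameters: {levels!r}")


def unmigrated_rules(rule_values):
    """Indices of stored rule values that are still in the legacy format."""
    return [i for i, v in enumerate(rule_values) if not is_tagged(v.get("age"))]


if __name__ == "__main__":
    print(migrate_check_params(LEGACY_PARAMS))
    print(unmigrated_rules([LEGACY_PARAMS, migrate_check_params(LEGACY_PARAMS)]))
```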

I also observe exactly this behaviour.

Hi
I did this again:
Enable sslcertificates 9.0.2
Disabled sslcertificate 8.9.1
stop primary site
run the cmk-update-config -v
start primary site

but the cmk-update-config resulted in an error.
Those 2 rules are for disabling the plugin, “Do not deploy the SSL certificates plugin”.
So SSL Certificate still crashes with the same report after the cmk-update-config -v

ERROR: Failed to transform rule: (Ruleset: agent_config:sslcertificates, Folder: server/vdi, Rule: 0, Value: None: None
ERROR: Failed to transform rule: (Ruleset: agent_config:sslcertificates, Folder: server/rds, Rule: 0, Value: None: None
 + "Rulesets" failed
Traceback (most recent call last):
  File "/omd/sites/cac/lib/python3/cmk/update_config/main.py", line 270, in update_config
    action(logger, update_state.setdefault(action.name))
  File "/omd/sites/cac/lib/python3/cmk/update_config/plugins/actions/rulesets.py", line 84, in __call__
    _validate_rule_values(logger, all_rulesets)
  File "/omd/sites/cac/lib/python3/cmk/update_config/plugins/actions/rulesets.py", line 370, in _validate_rule_values
    ruleset.rulespec.valuespec.validate_value(
  File "/omd/sites/cac/lib/python3/cmk/gui/valuespec.py", line 362, in validate_value
    self._validate_value(value, varprefix)
  File "/omd/sites/cac/lib/python3/cmk/gui/valuespec.py", line 6743, in _validate_value
    self._valuespec.validate_value(self.to_valuespec(value), varprefix)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/omd/sites/cac/lib/python3/cmk/gui/utils/rule_specs/legacy_converter.py", line 373, in _remove_agent_config_match_type_key
    raise TypeError(value)
TypeError: None

Checkmk 2.3 needs a patch for the legacy converter:

So if I understand the post correctly:
Update to 2.3.0p33 and the steps for sslcertificate will work?

The needed patch should be in 2.3.0p33.

1 Like

Hi
The sslcertificate no longer accepts my old rule that stops the plugin from deploying to some clients

That was the problem when upgrading.

So now I don't know how to block the plugin from deploying

I have just upgraded to sslcertificates 9.0.3, but still missing that option

@r.sander I fixed the do not deploy by creating a regex exclude of host.

But you might note in the 9.0 release note, that you have removed the none option.
Or even better add it again 🙂

Because the rule cannot be transformed and needs to be removed before upgrade.
ERROR: Failed to transform rule: (Ruleset: agent_config:sslcertificates, Folder: server/vdi, Rule: 0, Value: None: None

Version 9.0.4 of the MKP adds a migrate function for the bakery ruleset.

After updating to this MKP you should run cmk-update-config -v on 2.3.0p33 or later.

1 Like

Thanks for this, it works