OpenSSL || NRPE || Nagios XI Version Compatibility

awilson
Posts: 224
Joined: Mon Mar 21, 2016 1:20 pm

OpenSSL || NRPE || Nagios XI Version Compatibility

Post by awilson »

Hi. We are running Nagios XI 5.4.4, nrpe 3.2.1, and openssl 1.0.2k-fips 26 Jan 2017 on a Redhat 7 server. We are getting ssl handshake errors when attempting service checks. I'm confirming with the security team to see if they made any recent changes. The checks on the server started generating errors yesterday.

The remote server's nrpe is compiled with SSL enabled. We've tried the service check using check_nrpe using the "-n" parameter and without it.

The Nagios host check_nrpe is 2.15

Code:

[nagios@nagioshost libexec]$ ./check_nrpe --help

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
//snip
Service check w/o -n flag
~~~~~~~~~~~~~~~~~~~~
[nagios@nagioshost ~]$ /usr/local/nagios/libexec/check_nrpe -H remote ip -t 30 -c check_disk -a '-w 90 -c 95 -p /'
CHECK_NRPE: Error - Could not complete SSL handshake.

Code:

[nagios@nagioshost ~]$ /usr/local/nagios/libexec/check_nrpe -H remote ip -t 30 -c check_disk -a -n '-w 90 -c 95 -p /'

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
//snip
Remote server software versions
~~~~~~~~~~~~

Code:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)

$ nrpe --version
NRPE - Nagios Remote Plugin Executor
Version: 3.2.1

NRPE - Nagios Remote Plugin Executor
Version: 3.2.1

Copyright (c) 2009-2017 Nagios Enterprises
              1999-2008 Ethan Galstad (nagios@nagios.org)

Last Modified: 2017-09-01

License: GPL v2 with exemptions (-l for more info)

SSL/TLS Available, OpenSSL 0.9.6 or higher required


[nagios@host ~]
$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[nagios@host ~]
Thanks
lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Post by lmiltchev »

Did you forget to add the Nagios XI server's IP address to the nrpe.cfg on the client machine, and restart NRPE?

Example:

Code:

allowed_hosts=127.0.0.1,x.x.x.x
where you substitute x.x.x.x with the actual IP address of your Nagios XI server.

Note: The example above describes a case where NRPE is run as a standalone daemon. If NRPE is running under xinetd, you will need to modify the /etc/xinetd.d/nrpe file and restart xinetd so that the changes can take effect.
Be sure to check out our Knowledgebase for helpful articles and solutions!
awilson
Posts: 224
Joined: Mon Mar 21, 2016 1:20 pm

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Post by awilson »

This is in /etc/xinetd.d/nrpe. We are using xinetd.

Code:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags                = REUSE
        socket_type     = stream
        port                 = 5666
        wait                 = no
        user                 = nagios
        group               = nagios
        server              = /usr/local/nagios/bin/nrpe
        server_args      = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable            = no
        only_from = 127.0.0.1 10.10.83.90 10.10.83.97
}
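
An added example, not part of the original posts or of the Nagios project: a small Python check that reads the `only_from` attribute from an xinetd service file like the one above and reports whether a given monitoring-server address would be accepted. The sample text and candidate addresses are constructed; exact addresses, CIDR entries and xinetd's trailing-zero wildcard form are handled, while host names, `no_access` and defaults set in /etc/xinetd.conf are not evaluated.

```python
import ipaddress
import re

# Constructed sample modelled on the service file posted above.
SAMPLE_XINETD = """\
service nrpe
{
        port       = 5666
        server     = /usr/local/nagios/bin/nrpe
        only_from  = 127.0.0.1 10.10.83.90 10.10.83.97
}
"""

def only_from_entries(text):
    """Return the only_from values, or None when the attribute is absent."""
    entries = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.match(r"\s*only_from\s*\+?=(.*)", line)
        if m:
            entries = (entries or []) + m.group(1).split()
    return entries

def entry_to_network(entry):
    """Map one entry to an ip_network; None for host or network names."""
    try:
        if "/" in entry:
            return ipaddress.ip_network(entry, strict=False)
        addr = ipaddress.IPv4Address(entry)
    except ValueError:
        return None  # a name: needs a DNS lookup, which is not done here
    # xinetd reads right-most zero octets as wildcards (10.10.83.0 = /24).
    octets, prefix = entry.split("."), 32
    while prefix > 0 and octets[prefix // 8 - 1] == "0":
        prefix -= 8
    return ipaddress.ip_network(f"{addr}/{prefix}")

def is_permitted(xinetd_text, source_ip):
    """Return (allowed, unresolved_names) for one source address."""
    ip = ipaddress.ip_address(source_ip)
    entries = only_from_entries(xinetd_text)
    if entries is None:
        return True, []  # this file sets no source filter
    nets = [(e, entry_to_network(e)) for e in entries]
    names = [e for e, n in nets if n is None]
    return any(n is not None and ip in n for _, n in nets), names

if __name__ == "__main__":
    for candidate in ("10.10.83.90", "10.10.83.91"):  # constructed candidates
        print(candidate, is_permitted(SAMPLE_XINETD, candidate))
```

An `only_from` line with no value yields an empty list, so every source is reported as refused, which matches how xinetd treats an empty attribute.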

lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Post by lmiltchev »

Can you confirm that your Nagios XI server's IP is one of the two IPs listed in the /etc/xinetd.d/nrpe file on the client (10.10.83.90 or 10.10.83.97)?

Run the following command on your Nagios XI server, and show the output:

Code:

ip addr
Even though this issue is not very common, you may be hitting the maximum connection limit of NRPE. Try adding the following two lines to the /etc/xinetd.d/nrpe file:

Code:

per_source = UNLIMITED
instances = UNLIMITED
as described here, and restart xinetd:

Code:

service xinetd restart
Let's see the output of the following commands too:

On the client (remote machine):

Code:

netstat -an | grep nrpe
ps axuw | grep nrpe
/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1
On the Nagios XI server:

Code:

/usr/local/nagios/libexec/check_nrpe -H <client ip>
nmap <client ip> -p 5666
awilson
Posts: 224
Joined: Mon Mar 21, 2016 1:20 pm

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Post by awilson »

As my father-in-law used to say when I missed a putt, "I must have not been holding my mouth right." //smile

It is working properly now. I guess that the sequence of asking the admin to restart xinetd and our updates didn't sync correctly.

Thanks for your help. You can close it now.

If I hear hoofbeats, think horses instead of zebras. //smile
lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Post by lmiltchev »

:) :) :) I am glad I was able to help!