I can't understand how nrpe 2.16 should be installed

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: I can't understand how nrpe 2.16 should be installed

Post by Box293 »

I've been doing some testing and I'm not 100% sure if it's working as expected.

I've set up two VMs of CentOS 6.7 x64 and compiled 2.16 on them.

I've set the options in nrpe.cfg on vmA:

ssl_version=TLSv1
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_logging=-1

I tail /var/log/messages on both vmA and vmB.

From my vmB I execute a basic check:

./check_nrpe -H 10.25.13.30
NRPE v2.16RC2

I see this in the logs on both servers:

vmA:

Dec 16 15:08:49 centos12 xinetd[3793]: START: nrpe pid=3844 from=::ffff:10.25.13.31
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Certificate File: None
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Private Key File: None
Dec 16 15:08:49 centos12 nrpe[3844]: SSL CA Certificate File: None
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Allow ADH: Allow
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Client Certs: Don't Ask
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Log Options: 0xffffffff
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Version: TLSv1
Dec 16 15:08:49 centos12 nrpe[3844]: Remote  - SSL Version: TLSv1
Dec 16 15:08:49 centos12 nrpe[3844]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Not asking for client certification
Dec 16 15:08:49 centos12 xinetd[3793]: EXIT: nrpe status=0 pid=3844 duration=0(sec)

vmB:

Dec 16 15:08:49 centos13 check_nrpe: Remote 10.25.13.30 accepted a Version 3 Packet

From my vmB I try and force TLSv1:

./check_nrpe -H 10.25.13.30 -S TLSv1
CHECK_NRPE: Error - Could not complete SSL handshake with 10.25.13.30: 1

vmA:

Dec 16 15:10:28 centos12 xinetd[3793]: START: nrpe pid=3851 from=::ffff:10.25.13.31
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Certificate File: None
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Private Key File: None
Dec 16 15:10:28 centos12 nrpe[3851]: SSL CA Certificate File: None
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Allow ADH: Allow
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Client Certs: Don't Ask
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Log Options: 0xffffffff
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Version: TLSv1
Dec 16 15:10:28 centos12 nrpe[3851]: Error: Could not complete SSL handshake with : 5
Dec 16 15:10:28 centos12 xinetd[3793]: EXIT: nrpe status=0 pid=3851 duration=0(sec)

vmB:

Dec 16 15:10:28 centos13 check_nrpe: Error: Could not complete SSL handshake with 10.25.13.30: 1

From my vmB I try and force TLSv1+:

./check_nrpe -H 10.25.13.30 -S TLSv1+
NRPE v2.16RC2

vmA:

Dec 16 15:12:04 centos12 xinetd[3793]: START: nrpe pid=3852 from=::ffff:10.25.13.31
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Certificate File: None
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Private Key File: None
Dec 16 15:12:04 centos12 nrpe[3852]: SSL CA Certificate File: None
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Allow ADH: Allow
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Client Certs: Don't Ask
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Log Options: 0xffffffff
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Version: TLSv1
Dec 16 15:12:04 centos12 nrpe[3852]: Remote  - SSL Version: TLSv1
Dec 16 15:12:04 centos12 nrpe[3852]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Dec 16 15:12:04 centos12 nrpe[3852]: SSL Not asking for client certification
Dec 16 15:12:04 centos12 xinetd[3793]: EXIT: nrpe status=0 pid=3852 duration=0(sec)

vmB:

Dec 16 15:12:04 centos13 check_nrpe: Remote 10.25.13.30 accepted a Version 3 Packet

I'm not sure why -S TLSv1 didn't work when that is what I specified in nrpe.cfg on vmA.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
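The ssl_logging lines in the post above carry the one fact that matters for the "is it really encrypted?" question raised later in the thread: the negotiated suite is ADH-AES256-SHA. ADH (anonymous Diffie-Hellman) suites encrypt the session but authenticate neither peer, so a packet capture will show ciphertext while an on-path host could still impersonate the monitored machine. The following is an added example, not code from NRPE or from anyone in this thread: a small Python parser that groups the per-connection nrpe syslog lines by PID (one xinetd child per connection) and flags anonymous suites, legacy protocol versions, failed handshakes and clients that presented no certificate. The line layout is assumed from the log lines posted above; the sample log is constructed from them.

```python
"""Classify nrpe 2.16 ssl_logging output and flag sessions that give no real protection.

Added example, not part of NRPE. SAMPLE_LOG is constructed from the syslog
lines posted in this thread; the regexes assume that layout."""
import re
from collections import defaultdict

# constructed sample: one ADH session, one failed handshake, one TLSv1.2 ADH
# session where the client was asked for a certificate and presented none
SAMPLE_LOG = """\
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Certificate File: None
Dec 16 15:08:49 centos12 nrpe[3844]: SSL CA Certificate File: None
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Allow ADH: Allow
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Client Certs: Don't Ask
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Version: TLSv1
Dec 16 15:08:49 centos12 nrpe[3844]: Remote  - SSL Version: TLSv1
Dec 16 15:08:49 centos12 nrpe[3844]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-SHA
Dec 16 15:08:49 centos12 nrpe[3844]: SSL Not asking for client certification
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Allow ADH: Allow
Dec 16 15:10:28 centos12 nrpe[3851]: SSL Version: TLSv1
Dec 16 15:10:28 centos12 nrpe[3851]: Error: Could not complete SSL handshake with : 5
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL CA Certificate File: /usr/local/nagios/cert/client.crt
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Allow ADH: Allow
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Client Certs: Accept
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Version: TLSv1_2_plus And Above
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: Remote  - SSL Version: TLSv1.2
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-GCM-SHA384
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Client  did not present a certificate
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) nrpe\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CIPHER_RE = re.compile(r"Cipher is (?P<cipher>\S+)")
REMOTE_VER_RE = re.compile(r"Remote\s+- SSL Version: (?P<ver>\S+)")

WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_sessions(log_text):
    """Group nrpe lines by (host, pid): under xinetd each connection is one child."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # xinetd / check_nrpe lines are not per-session nrpe output
        s = sessions[(m["host"], m["pid"])]
        msg = m["msg"]
        if (c := CIPHER_RE.search(msg)):
            s["cipher"] = c["cipher"]
        elif (v := REMOTE_VER_RE.search(msg)):
            s["negotiated_version"] = v["ver"]
        elif msg.startswith("Error:"):
            s["error"] = msg[len("Error: "):]
        elif msg.startswith("SSL Client Certs: "):
            s["client_certs"] = msg.split(": ", 1)[1]
        elif "did not present a certificate" in msg:
            s["client_cert_presented"] = False
        elif msg.startswith("SSL Allow ADH: "):
            s["adh"] = msg.split(": ", 1)[1]
    return dict(sessions)


def assess(session):
    """Findings for one session; an empty list means authenticated and modern."""
    findings = []
    if "error" in session:
        findings.append("handshake failed: " + session["error"])
        return findings
    cipher = session.get("cipher", "")
    # ADH/AECDH suites perform no peer authentication: encrypted, but any
    # on-path host can sit in the middle of the check
    if cipher.startswith(("ADH-", "AECDH-")):
        findings.append(f"anonymous cipher {cipher}: encrypted but unauthenticated")
    if session.get("negotiated_version") in WEAK_VERSIONS:
        findings.append(f"legacy protocol {session['negotiated_version']}")
    if session.get("client_cert_presented") is False:
        findings.append("client presented no certificate (ssl_client_certs=1 only asks)")
    return findings


def audit(log_text):
    """Map 'host/pid' to its findings for every nrpe session in the log."""
    return {f"{h}/{p}": assess(s) for (h, p), s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for session, findings in audit(SAMPLE_LOG).items():
        print(session, findings or "OK")
```

Run it over a real /var/log/messages with ssl_logging=-1 set on the nrpe side; every session that comes back with an "anonymous cipher" finding is one where a Wireshark capture would look encrypted yet no certificate was ever checked.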
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

Hello, this is incredibly helpful for me, thanks mate! As soon as I can I'll be testing whether the same behaviour happens on my VMs.
I'm quite sure it does, but since my tests were only on the Wireshark side, well... Might I ask you to try the same tests I did? It's only about sniffing to see if the packets are really encrypted. Actually your logs say so, but I am not so sure.
Thanks again for your test, really appreciated!! :D

EDIT:

I ran 3 tests using:

ssl_version=TLSv1.2
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_client_certs=X

where X is from 0 to 2, on both server and client. This is the result, and it seems that it really works, because the client has no certificate and the connection is refused when switching to 1 or 2.

############### 0
Conf:
ssl_version=TLSv1.2
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_client_certs=0

Command:
./check_nrpe -H 192.168.10.219 -S TLSv1.2+

Server:
Dec 16 12:04:21 nagios02 check_nrpe: Remote 192.168.10.219 accepted a Version 3 Packet

Client:
Dec 16 12:04:16 ubuntu-test3 xinetd[1568]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
Dec 16 12:04:16 ubuntu-test3 xinetd[1568]: Started working: 1 available service
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Certificate File: None
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Private Key File: None
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL CA Certificate File: None
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Allow ADH: Allow
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Client Certs: Don't Ask
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Log Options: 0xff
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Version: TLSv1_2_plus And Above
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: Remote  - SSL Version: TLSv1.2
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-GCM-SHA384
Dec 16 12:04:21 ubuntu-test3 nrpe[1574]: SSL Not asking for client certification

############### 1
Conf:
ssl_version=TLSv1.2
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_client_certs=1

Command:
./check_nrpe -H 192.168.10.219 -S TLSv1.2+

Server:
Dec 16 12:09:35 nagios02 check_nrpe: Error: Could not complete SSL handshake with 192.168.10.219: 5

Client:
Dec 16 12:08:41 ubuntu-test3 xinetd[1603]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
Dec 16 12:08:41 ubuntu-test3 xinetd[1603]: Started working: 1 available service
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Certificate File: None
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Private Key File: None
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL CA Certificate File: None
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Allow ADH: Allow
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Client Certs: Accept
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Log Options: 0xff
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: SSL Version: TLSv1_2_plus And Above
Dec 16 12:08:49 ubuntu-test3 nrpe[1609]: Error: could not use CA certificate '(null)'

############### 2
Conf:
ssl_version=TLSv1.2
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_client_certs=2

Server:
Dec 16 12:12:51 nagios02 check_nrpe: Error: Could not complete SSL handshake with 192.168.10.219: 5

Client:
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Certificate File: None
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Private Key File: None
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL CA Certificate File: None
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Allow ADH: Allow
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Client Certs: Require
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Log Options: 0xff
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: SSL Version: TLSv1_2_plus And Above
Dec 16 12:12:35 ubuntu-test3 nrpe[1634]: Error: could not use CA certificate '(null)'

This is with the certificate on the server and the crt copied to the client:

Dec 16 14:33:08 ubuntu-test3 xinetd[2129]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
Dec 16 14:33:08 ubuntu-test3 xinetd[2129]: Started working: 1 available service
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Certificate File: None
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Private Key File: None
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL CA Certificate File: /usr/local/nagios/cert/cacert.pem
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Cipher List: ADH
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Allow ADH: Require
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Client Certs: Require
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Log Options: 0xff
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: SSL Version: TLSv1_2_plus And Above
Dec 16 14:33:11 ubuntu-test3 nrpe[2135]: Error: Could not complete SSL handshake with : sslv3 alert unexpected message
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

Ok, I've looked things over, and here are my observations:

-S TLSv1 not working
Oops, bug in the code! It will be fixed with the next commit. Thanks @Box293

Failing when using certificates
@nihvel, it looks like you had ssl_use_adh=2 in your nrpe.cfg file.

I found a couple of other minor problems that will also be fixed with the next commit.

So, it looks like everything should work correctly.
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: I can't understand how nrpe 2.16 should be installed

Post by Box293 »

I'll test again with the next commit, RC3 I assume.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

jfrickson wrote: Failing when using certificates
@nihvel, it looks like you had ssl_use_adh=2 in your nrpe.cfg file.
True, but I also checked with ssl_use_adh=0 and 1 and it does not change; I can't get the certificate working (and again, Wireshark is not helping me double-check what passes encrypted and what doesn't).
The key, CSR and CRT are on the server, and the client only has the server's CRT in its configuration. Isn't it supposed to be like this?

Anyway I wish to thank you guys for your patience and will to improve this plugin!
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

Box293 wrote:I'll test again when the next commit, RC3 I assume.
It's now in RC2. You can pull the current version to test.
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

nihvel wrote:key, csr and crt are on the server and the client's only got server's crt in its configuration. Isn't it supposed to be like this?
Actually, it's a client certificate, so the server only needs the CA certificate, and the client needs all three. (I think. Can't log into my workstation, so I can't check, but I'm pretty sure that's right.)
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

jfrickson wrote:
nihvel wrote:key, csr and crt are on the server and the client's only got server's crt in its configuration. Isn't it supposed to be like this?
Actually, it's a client certificate, so the server only needs the CA certificate, and the client needs all three. (I think. Can't log into my workstation, so I can't check, but I'm pretty sure that's right.)
Alright... so I read again what's in README.SSL.md:
Note that the client certs must be signed by the CA cert specified in the ssl_cacert_file directive.
So I create a key on the server and self-sign the certificate:
## Server

openssl genrsa -out serverCA.key 2048
openssl req -x509 -new -nodes -key serverCA.key -days 1024 -out serverCA.pem

## copy serverCA.key and serverCA.pem to one of the clients
I used FileZilla, easy.

ll /home/user/ssl
-rw-rw-r-- 1 user user 1675 Dec 17 10:14 serverCA.key
-rw-rw-r-- 1 user user 1383 Dec 17 10:14 serverCA.pem

(don't mind the permissions etc., it's purely a test environment.)

## Creating a key and a CSR for the client

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

where "common name" will be the IP address of the server: 192.168.10.215 in my case.

## Create and sign the client cert using the server's cert and key

openssl x509 -req -in client.csr -CA serverCA.pem -CAkey serverCA.key -CAcreateserial -out client.crt -days 365
ls
client.crt  client.csr  client.key  serverCA.key  serverCA.pem  serverCA.srl

## Copy all the client's files to /usr/local/nagios/cert because I'm storing them there

cp client.* /usr/local/nagios/cert/

## nrpe.cfg - Server

ssl_version=TLSv1.2+
ssl_use_adh=1
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_cacert_file=/usr/local/nagios/cert/serverCA.pem
#ssl_cert_file=/usr/local/nagios/cert/
ssl_privatekey_file=/usr/local/nagios/cert/serverCA.key
ssl_client_certs=2

## nrpe.cfg - Client

ssl_version=TLSv1.2+
ssl_use_adh=1
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_cacert_file=/usr/local/nagios/cert/client.crt
ssl_cert_file=/usr/local/nagios/cert/client.csr
ssl_privatekey_file=/usr/local/nagios/cert/client.key
ssl_client_certs=2

Log of the client when, from the server, I'm sending a simple check like ./check_nrpe -H 192.168.10.219:

Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Certificate File: /usr/local/nagios/cert/client.csr
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Private Key File: /usr/local/nagios/cert/client.key
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL CA Certificate File: /usr/local/nagios/cert/client.crt
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Allow ADH: Allow
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Client Certs: Require
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Log Options: 0xff
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: SSL Version: TLSv1_2_plus And Above
Dec 17 10:41:42 ubuntu-test3 nrpe[1465]: Error: could not use certificate file '/usr/local/nagios/cert/client.csr'

Do you gents have an idea why the error is on the client.csr?


EDIT:
I set "ssl_client_certs=1" on the client and commented out both the key and the CSR.

Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Certificate File: None
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Private Key File: None
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL CA Certificate File: /usr/local/nagios/cert/client.crt
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Cipher List: ALL:!MD5:@STRENGTH
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Allow ADH: Allow
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Client Certs: Accept
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Log Options: 0xff
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Version: TLSv1_2_plus And Above
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: Remote  - SSL Version: TLSv1.2
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: Remote  - TLSv1/SSLv3, Cipher is ADH-AES256-GCM-SHA384
Dec 17 12:30:09 ubuntu-test3 nrpe[1732]: SSL Client  did not present a certificate

It is working, but I don't know why. Probably because:
A. It works because I disabled the check/require of the certificate from the client to the server (so the client is not acting like it's the server asking the server for a cert... ??!?)
B. It works because I disabled the certificate check altogether (it shouldn't be like that, because the client loads client.crt... I suppose this means that it also uses it.)

EDIT2:
B. It works because it just asks for a certificate and does not require it. Just checked. So at this point I guess the problem is in my cert?
And the settings on the server must be exactly the same as on the clients. True?


I'll be waiting for your reply; thanks for checking and for your patience, again!
I've been testing nrpe for exactly 3.5 weeks as of today and my colleague still hasn't gotten a good review from me.
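The two failures in the post above ("could not use CA certificate '(null)'" and "could not use certificate file '.../client.csr'") are both configuration shape errors that can be caught before a handshake is ever attempted: ssl_client_certs above 0 with no ssl_cacert_file, and a certificate signing request where a certificate belongs. The following is an added example, not NRPE code and not from anyone in this thread: a Python linter for the ssl_* directives of an nrpe.cfg. It reads only the config text and the PEM headers of the files it references, so it cannot tell a CA certificate from a leaf certificate or verify a signature (use openssl verify -CAfile for that); the meanings of ssl_use_adh (0 off, 1 allow, 2 require) and ssl_client_certs (0 don't ask, 1 ask, 2 require) are taken from the nrpe log lines posted above, and the two sample configs and the PEM stubs are constructed for this example.

```python
"""Lint the ssl_* directives in an nrpe.cfg for the mistakes seen in this thread.

Added example, not NRPE code. It inspects the configuration and the PEM
headers of the files it references; it does not verify signatures or tell a
CA certificate from a leaf. The ssl_use_adh / ssl_client_certs meanings are
taken from the nrpe log lines in the thread; sample configs and PEM stubs
below are constructed."""
import os
import tempfile

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_label(path):
    """First '-----BEGIN <label>-----' in a PEM file, or None if unreadable."""
    if not path or not os.path.isfile(path):
        return None
    with open(path) as fh:
        for line in fh:
            if line.startswith("-----BEGIN ") and line.rstrip().endswith("-----"):
                return line.strip()[len("-----BEGIN "):-5]
    return None


def parse_cfg(text):
    """key=value lines; '#' comments and blank lines are ignored (nrpe.cfg style)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        cfg[key.strip()] = val.strip()
    return cfg


def lint(cfg):
    """Return a list of human-readable findings; [] means nothing to report."""
    issues = []
    ver = cfg.get("ssl_version")
    if ver is None:
        issues.append("ssl_version unset: pin ssl_version=TLSv1.2+ explicitly")
    elif ver.rstrip("+") in LEGACY:
        issues.append(f"ssl_version={ver} permits a legacy protocol")

    adh = cfg.get("ssl_use_adh", "1")      # the logs above show 'Allow' when unset
    certs = cfg.get("ssl_client_certs", "0")
    if adh == "2":
        issues.append("ssl_use_adh=2 forces anonymous DH: no certificate is ever "
                      "exchanged, so ssl_client_certs/ssl_cert_file are dead settings")
    elif adh != "0":
        issues.append("ssl_use_adh=1 still allows ADH suites: an on-path host can "
                      "impersonate either side; set ssl_use_adh=0 once certs work")

    if certs != "0" and not cfg.get("ssl_cacert_file"):
        issues.append("ssl_client_certs>0 needs ssl_cacert_file "
                      "(nrpe logs: could not use CA certificate '(null)')")
    for key in ("ssl_cacert_file", "ssl_cert_file"):
        path = cfg.get(key)
        if path and (label := pem_label(path)) != "CERTIFICATE":
            issues.append(f"{key}={path} is {label or 'unreadable'}, not a CERTIFICATE")
    key_path = cfg.get("ssl_privatekey_file")
    if key_path and pem_label(key_path) not in KEY_LABELS:
        issues.append(f"ssl_privatekey_file={key_path} is not a private key")
    if bool(cfg.get("ssl_cert_file")) != bool(key_path):
        issues.append("ssl_cert_file and ssl_privatekey_file must be set together")
    return issues


def stub_pem(directory, name, label):
    """Write a constructed PEM stub; only the header matters to the linter."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"-----BEGIN {label}-----\nMIIB...stub...\n-----END {label}-----\n")
    return path


def demo():
    """Lint a config shaped like the failing client one above, then a corrected one."""
    with tempfile.TemporaryDirectory() as d:
        csr = stub_pem(d, "client.csr", "CERTIFICATE REQUEST")
        crt = stub_pem(d, "client.crt", "CERTIFICATE")
        key = stub_pem(d, "client.key", "RSA PRIVATE KEY")
        ca = stub_pem(d, "ca_cert.pem", "CERTIFICATE")
        broken = parse_cfg(f"""
ssl_version=TLSv1.2+
ssl_use_adh=1
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_cacert_file={crt}
ssl_cert_file={csr}
ssl_privatekey_file={key}
ssl_client_certs=2
""")
        fixed = parse_cfg(f"""
ssl_version=TLSv1.2+
ssl_use_adh=0
ssl_cipher_list=ALL:!MD5:@STRENGTH
ssl_cacert_file={ca}
ssl_cert_file={crt}
ssl_privatekey_file={key}
ssl_client_certs=2
""")
        return lint(broken), lint(fixed)


if __name__ == "__main__":
    for name, findings in zip(("broken", "fixed"), demo()):
        print(name, findings or "OK")
```

The corrected shape is the one jfrickson describes below: each side carries its own leaf certificate plus private key in ssl_cert_file / ssl_privatekey_file, and ssl_cacert_file points at the CA that signed the other side's certificate. Once that handshake succeeds, ssl_use_adh=0 is what actually turns "encrypted" into "authenticated".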
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

I shouldn't post just before going to bed. Both ends should really have certificates.

I added an Example section to README.SSL.md. It hasn't been fully vetted yet, so there might be a few problems with it. But it should get you going.

https://raw.githubusercontent.com/Nagio ... DME.SSL.md
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

jfrickson wrote:I shouldn't post just before going to bed. Both ends should really have certificates.

I added an Example section to README.SSL.md. It hasn't been fully vetted yet, so there might be a few problems with it. But it should get you going.

https://raw.githubusercontent.com/Nagio ... DME.SSL.md
Wonderful! :D :D
There are a few typos:

cd /usr/local/nagios/etc/ssl
mkdir demoCA
mkdir demoCA/newcerts
touch index.txt
echo "01" > demoCA/serial

This will create index.txt inside "ssl", and the last command cannot complete: chmod 600 demoCA/index.txt

cd /usr/local/nagios/etc/ssl
        openssl ca -days 365 -notext -md sha256 \
           -keyfile ca/ca_key.pem -cert ca/ca_cert.pem \
           -in server_certs/db_server.csr \
           -out server_certs/db_server.pem \

This last "\" is one too many and breaks the command :/

openssl ca -extension usr_cert -days 365 -notext -md sha256 \
           -keyfile ca/ca_key.pem -cert ca/ca_cert.pem \
           -in client_certs/nag_serv.csr \
           -out client_certs/nag_serv.pem \

The same "\" is here too, but there's also "extension", which is missing the s: extensions

Good job mate!!!! :D :D
I'm following your steps and at least the error has changed now:

Dec 18 11:59:32 ubuntu-test3 nrpe[4841]: Error: Could not complete SSL handshake with : peer did not return a certificate

Many, many thanks for your sample!