I can't understand how nrpe 2.16 should be installed

Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: I can't understand how nrpe 2.16 should be installed

Post by Box293 »

nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
jfrickson wrote:check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
I created a request on GitHub for the check_nrpe plugin to be able to use a config file:
https://github.com/NagiosEnterprises/nrpe/issues/34
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

jfrickson wrote:
nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
nihvel wrote:Ok, two more questions:
I know that this is silly but I need to report everything to colleagues. I can't see encrypted packets in Wireshark. How can I check and really show them that the connection is ciphered? Because just saying "it uses a certificate, trust me, it is" does not help me. I need to show that it really is. And Wireshark is not helping me because all I see is TCP. Ok that a few "plain text" packages there will always be, but I do not see any TLS/SSL.
Two things you can tell them. First, all NRPE communication between the client and the server is plain text. If you run a check_load command, the output will be something like

Code:

OK - load average: 0.09, 0.16, 0.14|load1=0.090;0.750;1.500;0; load5=0.160;0.500;1.250;0; load15=0.140;0.250;1.000;0;
If you don't see any packets with that kind of text, then it's encrypted.

Second, if you have ssl_logging=0x2f turned on in the nrpe.cfg file and -s 0x2f on the check_nrpe command line, syslog will tell you. For example, below are the log entries from a check I ran. Notice in particular the line Remote - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384. That says it's communicating using TLSv1/SSLv3 and the connection is encrypted with the cipher DHE-RSA-AES256-GCM-SHA384. The RSA part indicates it's public-key encryption. AES256 means it's using 256-bit AES encryption. SHA384 means it's using a 384-bit SHA hash. The details of both the client and server certificates are also shown.

Code:

2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Certificate File: /usr/local/nagios/etc/ssl/client_certs/nag_serv.pem
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Private Key File: /usr/local/nagios/etc/ssl/client_certs/nag_serv.key
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca/ca_cert.pem
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Cipher List: ALL:!MD5:@STRENGTH
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Log Options: 0xff
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Version: TLSv1_plus And Above
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Connected to 127.0.0.1
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Certificate File: /usr/local/nagios/etc/ssl/server_certs/db_server.pem
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Private Key File: /usr/local/nagios/etc/ssl/server_certs/db_server.key
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca/ca_cert.pem
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Cipher List: ALL:!MD5:@STRENGTH
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client Certs: Require
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Log Options: 0x2f
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Version: TLSv1 And Above
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote  - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote  - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client  Cert Name: /C=US/ST=Minnesota/O=Internet Widgits Pty Ltd/OU=IT/CN=nag_serv/emailAddress=jfrickson@nagios.com
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client  Cert Issuer: /C=US/ST=Minnesota/L=St. Paul/O=Internet Widgits Pty Ltd/OU=IWP Certificate Authority/CN=IPW Nagios CA/emailAddress=jfrickson@nagios.com
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 has a valid certificate
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 Cert Name: /C=US/ST=Minnesota/O=Internet Widgits Pty Ltd/OU=IT/CN=db_server/emailAddress=jfrickson@nagios.com
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 Cert Issuer: /C=US/ST=Minnesota/L=St. Paul/O=Internet Widgits Pty Ltd/OU=IWP Certificate Authority/CN=IPW Nagios CA/emailAddress=jfrickson@nagios.com
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 accepted a Version 3 Packet
That should satisfy them.
Wonderful! And I have the same log too but at least I know now how to read it! Thank you!
Box293 wrote:
nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
jfrickson wrote:check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
I created a request on GitHub for the check_nrpe plugin to be able to use a config file:
https://github.com/NagiosEnterprises/nrpe/issues/34
I'm sure this request is welcome! It all started also because I thought nrpe.cfg was the one and only way to configure the command check_nrpe, and that check_nrpe -options were just to troubleshoot.. Silly me!
You guys helped me a lot thank you again and since it's 24th today, Merry Christmas everybody!
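
Added example (not part of the original posts and not NRPE project code): a Python script that reads syslog lines in the format of jfrickson's log above and reports, per process, the negotiated TLS version and cipher, which is the evidence the post says to show colleagues. The sample lines are copied from that log; the function names and the NULL-cipher and ADH notes are additions made here.

```python
import re

# Subset of the syslog lines quoted above (check_nrpe = client, nrpe = daemon).
SAMPLE_LOG = """\
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client Certs: Require
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote  - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote  - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 has a valid certificate
"""

LINE = re.compile(r"^\S+ \S+ (?P<prog>check_nrpe|nrpe)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FIELDS = {
    "version": re.compile(r"^Remote\s.*- SSL Version: (\S+)"),  # negotiated, not configured
    "cipher": re.compile(r"Cipher is (\S+)"),
    "allow_adh": re.compile(r"^SSL Allow ADH: (\S+)"),
    "client_certs": re.compile(r"^SSL Client Certs: (\S+)"),
}

def summarize(log_text):
    """Group lines by (program, pid) and collect the logged TLS facts."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = sessions.setdefault((m["prog"], int(m["pid"])), {})
        for key, rx in FIELDS.items():
            hit = rx.search(m["msg"])
            if hit:
                s[key] = hit.group(1)
        if "has a valid certificate" in m["msg"]:
            s["peer_cert_valid"] = True
    return sessions

def findings(session):
    """Return notes for one side of the connection; empty list means nothing flagged."""
    notes = []
    cipher = session.get("cipher", "")
    if not cipher or "version" not in session:
        notes.append("no negotiated TLS version/cipher logged: encryption not shown")
    elif "NULL" in cipher:
        notes.append("NULL cipher negotiated: TLS framing without encryption")
    if session.get("allow_adh") == "Allow":
        notes.append("ADH allowed: anonymous DH suites do not authenticate the peer")
    return notes
```
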
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: I can't understand how nrpe 2.16 should be installed

Post by hsmith »

Merry Christmas to you as well. Is this one working for you yet? Looking through this I can't tell for sure if it is resolved or not.
Former Nagios Employee.

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

hsmith wrote:Merry Christmas to you as well. Is this one working for you yet? Looking through this I can't tell for sure if it is resolved or not.
Yes it is solved 8-) Good job! Thanks

Re: I can't understand how nrpe 2.16 should be installed

Post by hsmith »

Awesome! Glad to hear that is working for you now. Would you like me to close the thread?

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

When there's something not working on Linux, it's 99% a permissions problem. It applies the DAC so damn well.
Yes please you may close it now! :D
Locked