Strange NRPE behaviour.

Re: Strange NRPE behaviour.

Post by as300182 » Mon Nov 06, 2017 5:24 am

Unfortunately, trying on 127.0.0.1 just fails with a certificate error as we don't have one on localhost.

Code:
[Mon Nov 06 10:19:04 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 2/2 bytes from BIO#1154c9f0 [mem: 11550009] (BIO dump follows)


However, I did manage to get something from the apache error log when I tried the normal command.

Code:
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection to child 9 established (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection to child 2 established (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [info] Seeding PRNG with 1024 bytes of entropy
[Mon Nov 06 10:14:59 2017] [info] Seeding PRNG with 1024 bytes of entropy
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 11 bytes expected to read on BIO#11548950 [mem: 11550000]
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection closed to child 9 with abortive shutdown (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 9/11 bytes from BIO#11548950 [mem: 11550000] (BIO dump follows)
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1869): | 0000: 47 45 54 20 2f 0d 0a 0d-0a                       GET /....        |
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+




To me the root cause is obvious, I just don't know how to fix it. The command works fine from the command line but not when run inside the NRPE shell, so it's obviously something to do with the shell. Perhaps I need to re-build NRPE with some specific switches? I do hope the above helps?

Thanks for all your efforts so far. :)
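An added example, not written by any poster in this thread: a small Python decoder for the mod_ssl "BIO dump" rows in the Apache error log quoted in the post above, classifying the first bytes a client sent to port 443 as a TLS handshake record or cleartext HTTP. The function names are this example's own, and the second dump in the sample is constructed for contrast.

```python
import re

# Rows 1-4 are copied from the Apache error log in the post above (timestamps trimmed,
# borders shortened); rows 5-6 are a constructed TLS ClientHello prefix, added for contrast.
SAMPLE_LOG = """\
[debug] ssl_engine_io.c(1897): OpenSSL: read 9/11 bytes from BIO#11548950 [mem: 11550000] (BIO dump follows)
[debug] ssl_engine_io.c(1830): +-----------------------------------------------------+
[debug] ssl_engine_io.c(1869): | 0000: 47 45 54 20 2f 0d 0a 0d-0a                       GET /....        |
[debug] ssl_engine_io.c(1875): +-----------------------------------------------------+
[debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#00000000 [mem: 00000000] (BIO dump follows)
[debug] ssl_engine_io.c(1869): | 0000: 16 03 01 00 c8 01 00 00-c4 03 03                 ...........      |
"""

# A dump row is "| <offset>: <hex bytes, each followed by ' ' or '-'> <ascii> |".
DUMP_ROW = re.compile(r"\|\s[0-9a-f]{4}:\s((?:[0-9a-f]{2}[ -])+)", re.I)
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"OPTIONS ", b"DELETE ")

def extract_dumps(log_text):
    """Return the raw bytes of every BIO dump in the log, in order."""
    dumps = []
    for line in log_text.splitlines():
        if "BIO dump follows" in line:
            dumps.append(bytearray())          # a new dump starts here
            continue
        row = DUMP_ROW.search(line)
        if row and dumps:                      # hex row belonging to the current dump
            dumps[-1] += bytes.fromhex(row.group(1).replace("-", " "))
    return [bytes(d) for d in dumps]

def classify(data):
    """Guess what kind of traffic the first bytes of a connection are."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"                 # TLS record: handshake, version major 3
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible-hello"        # 2-byte length header + CLIENT-HELLO
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"                # HTTP request sent without TLS
    return "unknown"

def report(log_text):
    """Pair each non-empty dump with its classification."""
    return [(d, classify(d)) for d in extract_dumps(log_text) if d]

if __name__ == "__main__":
    for data, kind in report(SAMPLE_LOG):
        print(f"{kind:24} {data!r}")
```

For the dump quoted in the post, the nine bytes decode to `GET /` followed by two CRLF pairs, so what arrived on port 443 for that connection was a cleartext HTTP request rather than a TLS ClientHello.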

Re: Strange NRPE behaviour.

Post by npolovenko » Mon Nov 06, 2017 4:33 pm

Hello, @as300182.

I think the SSL protocol may not be the cause of the problem. 1. SSL settings in NRPE would usually regulate how Nagios Server and NRPE remote server communicate. You'd also need to create certificates, put them in the right directories and change the NRPE command to use SSL. You can read this manual: https://support.nagios.com/kb/article.php?id=519.
In this case, you're just trying to run the same plugin, from the same server, but using the NRPE daemon.

In your file.cfg please change the command:
command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  127.0.0.1 -p 443
back to
command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443
Since we want to test apachestatus on the server and not on localhost.

Now let's try to run the plugin locally, as nrpe user to see what's going on:
Code:
su - nrpe
/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443


Do you get any errors or do you get an expected output?

Finally, let's check the permissions for this plugin:
Code:
ls -l /usr/local/nagios/libexec/check_apachestatus.pl

Re: Strange NRPE behaviour.

Post by as300182 » Thu Nov 16, 2017 7:56 am

Thanks for your patience so far, but that makes no difference, and to be honest, makes no sense. Almost any command relating to check_apache works from the command line but not when run inside NRPE. So this isn't a script issue or an NRPE config issue, but an issue with what happens to this command inside an NRPE shell.

That's what I need to get to the bottom of. What security protocols are not being met when I run the command via the NRPE shell, and how can I resolve them? As I said before, tlsv1 and tlsv1.1 are disabled on the server so my best guess is that NRPE is not able to communicate on tlsv1.2. But I don't know how to make this work, assuming it is even possible. If I re-enable tls1 and 1.1 then NRPE works, so is it possible to make NRPE use tlsv1.2, and if so, how please?

Thanks.

Re: Strange NRPE behaviour.

Post by tgriep » Thu Nov 16, 2017 3:20 pm

A couple of things: I see the output of the ps -ef from your earlier post shows the NRPE Agent is running as the nagios user, so the nagios user has to be able to run that plugin.
FYI, all plugins run by the Agent run as either the nagios user or the nrpe user, depending on how it is set up.

So, let's change the permissions on the plugin by running the following.
Code:
chown nagios:nagios /usr/local/nagios/libexec/check_apachestatus.pl
chmod ug+rwx /usr/local/nagios/libexec/check_apachestatus.pl


That should fix that.
Another thing is if that plugin requires Perl modules and the root account can access the modules but the nagios user cannot, that could be another issue.

Last thing, the top line of the plugin has the following path to the perl application.
Code:
#! /opt/connect/tools/bin/perl


Verify that is correct and update it as necessary.

Put the command in the nrpe.cfg file back to this:
Code:
command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443

Restart the NRPE agent and see if it works.