Page 2 of 2

Re: Strange NRPE behaviour.

Posted: Mon Nov 06, 2017 5:24 am
by as300182
Unfortunately, trying on 127.0.0.1 just fails with a certificate error as we don't have one on localhost.

Code: Select all

[Mon Nov 06 10:19:04 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 2/2 bytes from BIO#1154c9f0 [mem: 11550009] (BIO dump follows)
However, I did manage to get something from the apache error log when I tried the normal command.

Code: Select all

[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection to child 9 established (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection to child 2 established (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [info] Seeding PRNG with 1024 bytes of entropy
[Mon Nov 06 10:14:59 2017] [info] Seeding PRNG with 1024 bytes of entropy
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 11 bytes expected to read on BIO#11548950 [mem: 11550000]
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Nov 06 10:14:59 2017] [info] [client 10.1.1.75] Connection closed to child 9 with abortive shutdown (server test-server1.com:443)
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1897): OpenSSL: read 9/11 bytes from BIO#11548950 [mem: 11550000] (BIO dump follows)
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1869): | 0000: 47 45 54 20 2f 0d 0a 0d-0a                       GET /....        |
[Mon Nov 06 10:14:59 2017] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+


To me the root cause is obvious, I just don't know how to fix it. The command works fine from the command line but not when run inside the NRPE shell, so it's obviously something to do with the shell. Perhaps I need to re-build NRPE with some specific switches? I do hope the above helps?

Thanks for all your efforts so far. :)

Re: Strange NRPE behaviour.

Posted: Mon Nov 06, 2017 4:33 pm
by npolovenko
Hello, @as300182 .

I think SSL protocol may not the cause of the problem. 1. SSL settings in NRPE would usually regulate how Nagios Server and NRPE remote server communicate. You'd also need to create certificates, put them in the right directories and change the NRPE command to use SSL. You can read this manual https://support.nagios.com/kb/article.php?id=519.
In this case, you're just trying to run the same plugin, from the same server, but using nrpe daemon.

In your file.cfg please change the command:
command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  127.0.0.1 -p 443
back to
command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443
Since we want to test apachestatus on the server and not on a localhost.

Now let's try to run the plugin locally, as nrpe user to see what's going on:

Code: Select all

su - nrpe
/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443
Do you get any errors or do you get an expected output?

Finally, let's check the permissions for this plugin:

Code: Select all

ls -l /usr/local/nagios/libexec/check_apachestatus.pl

Re: Strange NRPE behaviour.

Posted: Thu Nov 16, 2017 7:56 am
by as300182
Thanks for your patience so far, but that makes no difference, and to be honest, makes no sense. Almost any command relating to check_apache works from the command line but not when run inside NRPE. So this isn't a script issue or a nrpe config issue, but an issue with what happens to this command inside a NRPE shell.

That's what I need to get to the bottom of. What security protocols are not being met when I run the command via the NRPE shell, and how can I resolve them. As I said before, tlsv1 and tlsv1.1 are disabled on the server so my best guess is that NRPE is not able to communicate on tlsv1.2. But I don't know how to make this work, assuming it is even possible. If I re-enable tls1 and 1.1 then NRPE works so is it possible to make NRPE use tlsv1.2, and if so, how please?

Thanks.

Re: Strange NRPE behaviour.

Posted: Thu Nov 16, 2017 3:20 pm
by tgriep
Couple of things, I see, the output of the ps -ef from your earlier post shows the NRPE Agent is running as the nagios user so the nagios user has to be able to run that plugin.
FYI, all plugins ran by the Agent run as either the nagios user or the nrpe user depending on how it is setup.

So, lets change the permissions on the plugin by running the following.

Code: Select all

chown nagios.nagios /usr/local/nagios/libexec/check_apachestatus.pl
chmod ug+rwx /usr/local/nagios/libexec/check_apachestatus.pl
That should fix that.
Another thing is if that plugin requires Perl modules and the root account can access the modules but the nagios user cannot, that could be another issue.

Last thing, the top line of the plugin has the following path to the perl application.

Code: Select all

#! /opt/connect/tools/bin/perl
Verify that is correct and update it as necessary.

Put the command in the nrpe,cfg file back to this

Code: Select all

command[check_apache]=/usr/local/nagios/libexec/check_apachestatus.pl -H  test-server1.com -p 443
Restart the NRPE agent and see if it works.