Disabling SSL in REALLY old Nagios self compiled setup

An open discussion forum for obtaining help with Nagios Core. Nagios Core users of all experience levels are welcome here. Subforum have been created for the discussion of Nagios Core and Nagios Plugin development.

NOTE: The SourceForge.net mailing lists have been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Thu Apr 20, 2017 12:39 pm

This definitely has something to do with SSL and more particularly not using SSL.
So, there are two types of nagios client machines, one type has wealer ciphers enabled and another, newer type has only stronger ciphers.

the "-n" is failing on both.

With a client with weak ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H weakcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H weakcipherservername
NRPE v2.15

With a client with strong ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H strongcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H strongcipherservername
CHECK_NRPE: Error - Could not complete SSL handshake.
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby tgriep » Thu Apr 20, 2017 12:46 pm

If you want to compile the NRPE Agent without SSL, you would use the following example.
Code: Select all
./configure --enable-command-args --disable-ssl


You also may want to look at this KB article for making the older and newer versions of NRPE to work together.
https://support.nagios.com/kb/article.php?id=516
Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
tgriep
Madmin
 
Posts: 5653
Joined: Thu Oct 30, 2014 9:02 am

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Thu Apr 20, 2017 1:07 pm

Thanks for the input. Compiling nrpe to not use ssl is not an option.

I followd the knowledgebase artice for making different nrpe's work together and got this:

~]# /usr/local/nagios/libexec/check_nrpe -2 -H strongcipherservername
/usr/local/nagios/libexec/check_nrpe: invalid option -- 2

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby tgriep » Thu Apr 20, 2017 1:56 pm

I want to verify that you are using the old version of the check_nrpe (Version 2.15) and you want to connect to the new 3.x.x NRPE Agent, is that correct?
Can you post your nrpe.cfg file from one of the system using the new NRPE Agent?
Also, can you check the /var/log/messages file for any errors when you run the check_nrpe test and post them as well.

What OS and release is the system running you are trying to install the Agent on?
Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
tgriep
Madmin
 
Posts: 5653
Joined: Thu Oct 30, 2014 9:02 am

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Thu Apr 20, 2017 2:25 pm

I think that the Nagios server check_nrpe version is 2.12
the nrpe.cfg file is at: https://pastebin.com/8dmUnfBL
nothing in /var/log/messages on the Nagios server

Nagios server:
[lnxvm02:~]# uname -a
Linux 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 i386 GNU/Linux


Nagios client:
Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Thu Apr 20, 2017 3:14 pm

I guess compiling NRPE w/o SSL is an option on the new strong cipher servers, and the Nagios server is able to connect using the -n switch.

How do I modify the Nagios configuration file to pass the "-n" switch to ONLY those new strong cipher servers?

current checks look like this:

###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}

# Disk checking definitions

define service{
use generic-servername
service_description root
check_command check_nrpe!check_root
}

define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot
}

define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ssax » Thu Apr 20, 2017 4:47 pm

Please post your command definition for check_nrpe so that we can help you adjust them.

Thank you
Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
ssax
Dreams In Code
 
Posts: 2947
Joined: Wed Feb 11, 2015 12:54 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Thu Apr 20, 2017 7:19 pm

Some Nagios clients are fine with SSL enabled while it is disabled on others.
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ddolecki108 » Fri Apr 21, 2017 7:18 am

commands.cfg attached
Attachments
commands.cfg
(8.42 KiB) Downloaded 8 times
ddolecki108
 
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Postby ssax » Fri Apr 21, 2017 9:07 am

Try this:

Code: Select all
###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}

# Disk checking definitions

define service{
use generic-servername
service_description root
check_command check_nrpe!check_root -n
}

define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot -n
}

define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp -n
Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
ssax
Dreams In Code
 
Posts: 2947
Joined: Wed Feb 11, 2015 12:54 pm

Previous

Return to Nagios Core

Who is online

Users browsing this forum: Google [Bot], mcapra, sartecat, tmattingly and 16 guests