Page 2 of 2

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 12:39 pm
by ddolecki108
This definitely has something to do with SSL and more particularly not using SSL.
So, there are two types of nagios client machines, one type has wealer ciphers enabled and another, newer type has only stronger ciphers.

the "-n" is failing on both.

With a client with weak ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H weakcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H weakcipherservername
NRPE v2.15

With a client with strong ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H strongcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H strongcipherservername
CHECK_NRPE: Error - Could not complete SSL handshake.

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 12:46 pm
by tgriep
If you want to compile the NRPE Agent without SSL, you would use the following example.

Code: Select all

./configure --enable-command-args --disable-ssl
You also may want to look at this KB article for making the older and newer versions of NRPE to work together.
https://support.nagios.com/kb/article.php?id=516

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 1:07 pm
by ddolecki108
Thanks for the input. Compiling nrpe to not use ssl is not an option.

I followd the knowledgebase artice for making different nrpe's work together and got this:

~]# /usr/local/nagios/libexec/check_nrpe -2 -H strongcipherservername
/usr/local/nagios/libexec/check_nrpe: invalid option -- 2

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 1:56 pm
by tgriep
I want to verify that you are using the old version of the check_nrpe (Version 2.15) and you want to connect to the new 3.x.x NRPE Agent, is that correct?
Can you post your nrpe.cfg file from one of the system using the new NRPE Agent?
Also, can you check the /var/log/messages file for any errors when you run the check_nrpe test and post them as well.

What OS and release is the system running you are trying to install the Agent on?

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 2:25 pm
by ddolecki108
I think that the Nagios server check_nrpe version is 2.12
the nrpe.cfg file is at: https://pastebin.com/8dmUnfBL
nothing in /var/log/messages on the Nagios server

Nagios server:
[lnxvm02:~]# uname -a
Linux 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 i386 GNU/Linux


Nagios client:
Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 3:14 pm
by ddolecki108
I guess compiling NRPE w/o SSL is an option on the new strong cipher servers, and the Nagios server is able to connect using the -n switch.

How do I modify the Nagios configuration file to pass the "-n" switch to ONLY those new strong cipher servers?

current checks look like this:

###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}

# Disk checking definitions

define service{
use generic-servername
service_description root
check_command check_nrpe!check_root
}

define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot
}

define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 4:47 pm
by ssax
Please post your command definition for check_nrpe so that we can help you adjust them.

Thank you

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Thu Apr 20, 2017 7:19 pm
by ddolecki108
Some Nagios clients are fine with SSL enabled while it is disabled on others.

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Fri Apr 21, 2017 7:18 am
by ddolecki108
commands.cfg attached

Re: Disabling SSL in REALLY old Nagios self compiled setup

Posted: Fri Apr 21, 2017 9:07 am
by ssax
Try this:

Code: Select all

###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}

# Disk checking definitions

define service{
use generic-servername
service_description root
check_command check_nrpe!check_root -n
}

define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot -n
}

define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp -n