Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake problem

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
emi65
Posts: 119
Joined: Fri Aug 17, 2012 3:41 am

Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake problem

Post by emi65 »

Hi
I use
Nagios Core 4.2.1 on Red Hat Enterprise Linux Server release 6.7 (Santiago)
and I testing check_nrpe 3.2.0 client and NSCLIENT++ installed by package NSCP-0.5.0.62-x64.exe
on windows 2008 environment

in the nsclient.ini I configured
[/settings/default]
password = PWD
allowed_hosts = 10.XX.XX.XXX
[/settings/NRPE/server]

ssl options = no-sslv2,no-sslv3
verify mode = peer-cert
insecure = true

[/modules]
CheckExternalScripts = 1
CheckHelpers = 1
CheckNSCP = 1
CheckDisk = 1
CheckSystem = 1
CheckEventLog = 1
NSCAClient = 1
WEBSErver = 1
NRPEServer = 1

from my server nagios I did
./check_nrpe -H 10.209.12.176 -g log.txt
CHECK_NRPE: Error - Could not connect to 10.209.12.176: Connection reset by peer

and in the log I found
[1498732950] Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with 10.209.12.176: rc=-1 SSL-error=5
Top
User avatar
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by tgriep »

Edit the nsclient.ini file and change the following lines under the [/settings/NRPE/server] section from

Code: Select all

ssl options = no-sslv2,no-sslv3
verify mode = peer-cert
to

Code: Select all

ssl options = 
verify mode = none
Also, add the following lines in that section if you are going to use arguments with the check_nrpe plugin and another ssl setting that is needed.

Code: Select all

use ssl = 1
allow arguments = true
allow nasty characters = true
Save the file and restart the NSClient++ service.
Those changes should allow the check_nrpe to connect to the Windows system.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Top
emi65
Posts: 119
Joined: Fri Aug 17, 2012 3:41 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by emi65 »

I set up your suggestion in nsclient.ini file (and then I restarted in nscliet service)
but nothing is change

[/settings/default]
password = password
allowed_hosts = NAGIO IP
[/settings/NRPE/server]
ssl options =
verify mode = none
[/modules]
CheckExternalScripts = 1
CheckHelpers = 1
CheckNSCP = 1
CheckDisk = 1
CheckSystem = 1
CheckEventLog = 1
NSCAClient = 1
WEBSErver = 1
NRPEServer = 1

./check_nrpe -H 10.209.12.176 -g log.txt
CHECK_NRPE: Error - Could not connect to 10.209.12.176: Connection reset by peer

and in the log I found
[1498739822] Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with 10.209.12.176: rc=0 SSL-error=5


I did another command
./check_nrpe -H 10.209.12.176 -n -g log.txt
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

and in the log I found
[1498808648] Remote 10.209.12.176 does not support Version 3 Packets
[1498808648] Remote 10.209.12.176 accepted a Version 2 Packet

-n, --no-ssl Do no use SSL

If I did
./check_nrpe -H 10.209.12.176 -n --v2-packets-only
I got the same message ....CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

-2, --v2-packets-only Only use version 2 packets, not version 3

Do you have any other suggestions ?

Thanks
Emilio
Top
User avatar
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by tgriep »

It looks like too many options in the nsclient.ini file were removed from the [/settings/NRPE/server] section.
Edit the nsclient.ini file again and make sure it has all of the settings like the example below.

Code: Select all

[/settings/NRPE/server]
ssl options =
verify mode = none
insecure = true
use ssl = 1
allow arguments = true
allow nasty characters = true
Save the file and restart NSCLient++ on the Windows System
Be sure to check out our Knowledgebase for helpful articles and solutions!
Top
emi65
Posts: 119
Joined: Fri Aug 17, 2012 3:41 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by emi65 »

Here the only information inside the nsclient.ini

[/settings/default]
password = nagios
allowed_hosts = 127.0.0.1,10.209.50.128
[/settings/NRPE/server]
ssl options =
verify mode = none
insecure = true
use ssl = 1
allow arguments = true
allow nasty characters = true
[/modules]
NRPEServer = enabled

command from nagios unix system
./check_nrpe -H 10.209.12.176 -n -g emi.log
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

here what I found in the emi.log file
[1499067167] Remote 10.209.12.176 does not support Version 3 Packets
[1499067167] Remote 10.209.12.176 accepted a Version 2 Packet
Top
emi65
Posts: 119
Joined: Fri Aug 17, 2012 3:41 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by emi65 »

SOLVE

I found an error in nsclient.ini
I modified
allowed_hosts = 127.0.0.1,10.209.50.128

to
allowed hosts = 127.0.0.1,10.209.50.128

without "_"

thanks for the help
Emilio
Top
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by tmcdonald »

Did you have any further (related) questions or are we okay to close this thread?
Former Nagios employee
Top
emi65
Posts: 119
Joined: Fri Aug 17, 2012 3:41 am

Re: Check_nrpe 3.2.0 and NSCP-0.5.0.62-x64 SSL handshake pro

Post by emi65 »

You can close it !!!

thanks a lot
Top
Locked

Return to “Open Source Nagios Projects”