Check_NRPE issues on Debian 9 Stretch

[brianbelden]

Hello,

This is the first time posting here after days of failed research into this issue. So I have Nagios3 running on a Debian server which monitors multiple client servers on our network. Some of the machines being monitored are Debian machines as well as some windows. On one of our debian servers being monitored, I upgraded to Debian 9 Stretch, and now the Check_NRPE fails with the "Could not complete SSL handshake" return. According to what I have researched online is that the changed is with OpenSSL with Debian 9 and one way to fix this is to create Certs for the Client and the server, but ideally I would like to avoid creating certs for every machine being monitored. I have read of some people using the Check_NRPE argument "-n" which disables SSL, but I have not had much luck with this either. If anyone has experienced this issue and has the workaround that would be great.

Thanks

[bolson]

Hello brianbelden,

As a practical matter, whenever you upgrade your OS to a new "major" release, it's advisable to recompile your plugins. The reason for this is that the configure script checks for various specs including build environment, dependency versions, etc. You always want to make sure that the plugins are compiled in such a way as to take your environment into account.

Thank you!

[brianbelden]

This article right here explains the problem a little better then I did. Take a look over this and tell me what you think.

https://github.com/NagiosEnterprises/nrpe/issues/113

Thanks

[bolson]

Hello brianbelden,

You're first post was correct... The issue you're having is the result of bleeding edge OSs moving to OpenSSL 1.1.x. At this point the requirement is to configure the NRPE daemon to run without SSL (-n option) or as you pointed out, to create a certificate on all of your NRPE client machines. As this is a fairly new phenomenon, at this point, these are the only two options that I'm aware of.

Thank you!

[brianbelden]

Where exactly do I need to put the "-n" option? On the monitored client in /etc/default/nagios-nrpe-server I have the command NRPE_OPTS="-n" set. That was default after upgrading to Debian 9 Stretch. Now on the server that Nagios is running on, which I have not upgraded to Debian 9, I am not sure where to put the "-n" argument. Someone said it has to be placed in the Check_nrpe daemon, but I am having trouble with this step.

Thanks for the help.

[bolson]

Hello brianbelden,

You'll need the -n option in two places....

In the command being executed, ie: check_nrpe -H x.x.x.x -c check_mem -a '-w 20 -c 10' -n

And in the xinetd.d service file /etc/xinetd.d/nrpe:

Code: Select all

server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd -n

Let me know f this works for you.

[brianbelden]

I am on Debian and I do not believe there is an /etc/xinetd.d/nrpe. Now there is an /etc/init.d/nagios-nrpe-server on the client machine being monitored. So I guess that is where that line of code would go?

[brianbelden]

Also my nrpe.cfg file is located at /etc/nagios/nrpe.cfg.

[tgriep]

Every OS and package have different way to start the agent and store the configuration files but I would assume this would be the file you need to add the -n option to.

Code: Select all

/etc/init.d/nagios-nrpe-server