NRPE SSL configuration

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
almace
Posts: 3
Joined: Fri Oct 13, 2017 9:51 pm

NRPE SSL configuration

Post by almace »

After working through this: https://support.nagios.com/kb/article.php?id=519, I've got certificates on both my Nagios server and my test web host running CentOS 7. With this configuration, I am able to get a successful return from check_nrpe:

Code:

# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
#         1 = Ask for client certificates
#         2 = Require client certificates

ssl_client_certs=0

However, as soon as I set that option to 2 and restart the service to force the use of my SSL certificates, I start getting the following from my Nagios server:

Code:

/usr/local/nagios/libexec/check_nrpe  -H <ip>
CHECK_NRPE: Error - Could not complete SSL handshake.

Any ideas where the breakdown might be? I've searched around a bit on the forums before posting this but I've not found any solutions that worked.

Thank you.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: NRPE SSL configuration

Post by npolovenko »

Hello, @almace.
Is your core running under xinetd or as a standalone service?

Copy this whole command and try to run it from the Nagios server's command line. But replace the IP address with your client's IP address (where NRPE is installed).

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 102.123.12.21

And post the output here.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
almace
Posts: 3
Joined: Fri Oct 13, 2017 9:51 pm

Re: NRPE SSL configuration

Post by almace »

My core installation is a standalone service.

That command isn't supported on my core server:

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 107.170.29.197
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'A'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'C'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'K'

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]

Options:
 -n         = Do no use SSL
 -u         = Make socket timeouts return an UNKNOWN state instead of CRITICAL
 <host>     = The address of the host running the NRPE daemon
 <bindaddr> = bind to local address
 -4         = user ipv4 only
 -6         = user ipv6 only
 [port]     = The port on which the daemon is running (default=5666)
 [timeout]  = Number of seconds before connection times out (default=10)
 [command]  = The name of the command that the remote daemon should run
 [arglist]  = Optional arguments that should be passed to the command.  Multiple
              arguments should be separated by a space.  If provided, this must be
              the last option supplied on the command line.

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here.  Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin.  This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.
dwasswa

Re: NRPE SSL configuration

Post by dwasswa »

Hi @almace,

I see you have a CHECK_NRPE: Error - Could Not Complete SSL Handshake error.

Follow this guide to solve that issue.
Could Not Complete SSL Handshake
almace
Posts: 3
Joined: Fri Oct 13, 2017 9:51 pm

Re: NRPE SSL configuration

Post by almace »

I did some digging on this and I was actually several versions back on NRPE. I installed the latest version and I am now able to connect to the test device:

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 107.170.29.197
NRPE v3.1.1

This thread can be closed.

Thank you for the assistance.
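
The three outcomes seen in this thread (rejected `-A`/`-C`/`-K` options, a failed handshake, and a version reply), as an added triage helper that is not part of the original posts or of NRPE. The function name `nrpe_triage`, its return codes and the abridged sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage of check_nrpe output using the strings quoted in this thread.
# nrpe_triage and its return codes are hypothetical helpers, not part of NRPE.
# Returns: 0 daemon answered, 1 plugin lacks the certificate options,
#          2 TLS handshake rejected, 3 unrecognised output.
nrpe_triage() {
    out=$(cat)
    # An old plugin rejects -A/-C/-K while parsing arguments, before any network I/O.
    missing=$(printf '%s\n' "$out" |
        sed -n "s/.*invalid option -- '\([ACK]\)'.*/\1/p" | tr -d '\n')
    if [ -n "$missing" ]; then
        ver=$(printf '%s\n' "$out" |
            sed -n 's/^Version: *\([0-9.]*\).*/\1/p' | head -n 1)
        echo "plugin ${ver:-unknown} lacks option(s) $missing: upgrade check_nrpe"
        return 1
    fi
    case $out in
        *"Could not complete SSL handshake"*)
            echo "handshake rejected: compare ssl_client_certs with the -A/-C/-K arguments"
            return 2 ;;
        *"NRPE v"*)
            echo "daemon answered: $(printf '%s\n' "$out" | grep 'NRPE v' | head -n 1)"
            return 0 ;;
    esac
    echo "unrecognised output"
    return 3
}

# Constructed samples, abridged from the output posted above.
old_plugin="check_nrpe: invalid option -- 'A'
check_nrpe: invalid option -- 'C'
check_nrpe: invalid option -- 'K'
Version: 2.15"
printf '%s\n' "$old_plugin" | nrpe_triage || true
echo "CHECK_NRPE: Error - Could not complete SSL handshake." | nrpe_triage || true
echo "NRPE v3.1.1" | nrpe_triage || true
```

In practice the input would be the combined stdout and stderr of the real `check_nrpe` call, piped into `nrpe_triage`.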
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: NRPE SSL configuration

Post by npolovenko »

That's great! And remember to change your check nrpe command in XI to pass the certificates as well.
[Image: screenshot-192.168.4.172-2017-10-17-15-58-21-249.png]
to

Code:

$USER1$/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$

Closing the topic.