CHECK_NRPE Error - Could not complete SSL handshake

cmgui
Posts: 5
Joined: Sun Sep 23, 2018 7:20 pm

CHECK_NRPE Error - Could not complete SSL handshake

Post by cmgui »

Hi All

We downloaded and installed Nagios core nagios-4.4.2 from source on Ubuntu recently. We also installed nrpe-3.2.1 from source following the instructions here: https://support.nagios.com/kb/article.php?id=515#Ubuntu

We are getting this error "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.11.5: 1" in the View Status Detail For This Host in our Nagios server website.
We also get the same error when running /usr/local/nagios/libexec/check_nrpe -H 192.168.5.5
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.5.5: 1

The OpenSSL version on our Nagios server is 1.1.0g; the OpenSSL versions on all our monitored hosts are 1.0.1f or 1.0.2g.
Is this the cause of the problem?

We downgraded OpenSSL on our Nagios server to 1.0.2g by following this link (2nd answer): https://askubuntu.com/questions/1067762 ... untu-18-04
But after downgrading, we redid the steps for nrpe-3.2.1 in https://support.nagios.com/kb/article.php?id=515#Ubuntu
but "make all" did not work, and we had to revert to OpenSSL 1.1.0g to make it work again.

We do not really want to upgrade OpenSSL on all our monitored hosts because there are many of them.
And all of them are Ubuntu servers, and Ubuntu does not have the latest OpenSSL package for older versions of Ubuntu. That is, we would have to build OpenSSL 1.1.0g from source.

Is this SSL handshake problem caused by OpenSSL 1.1.0g on the Nagios server?

Thank you
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cdienger »

Let's try to get some more information regarding the error by enabling the debug and ssl debugging options. In nrpe.cfg set:

debug=1
ssl_logging=0xff


Save the changes, restart the nrpe agent and then tail /var/log/syslog while you run the check_nrpe command on the Nagios server.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
cmgui
Posts: 5
Joined: Sun Sep 23, 2018 7:20 pm

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cmgui »

Thank you cdienger.

We're on to something. See log message below.

The dh key on the Nagios server is 2048 bit but on our clients, it is 1024 bit (or even 512 bit)?
How to change client to use dh 1024 bit?

On the Nagios server, we installed nrpe-3.2.1 from source.
But on all our clients, we used the Ubuntu packages apt-get install nagios-nrpe-server nagios-plugins

Thank you.


root@pa037:~# /usr/local/nagios/libexec/check_nrpe -H 192.168.5.150
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.5.150: 1

root@pa037:~# tail -n 40 /var/log/syslog

Sep 27 10:54:48 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.150: dh key too small
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cdienger »

The older client's key is 512 bit:

https://support.nagios.com/kb/article/n ... y-519.html

I would upgrade the clients:

https://support.nagios.com/kb/article/n ... rpe-8.html

A work around would be to use the "-2" option with check_nrpe to force version 2.
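Added example (not part of the original posts, and not Nagios code): with many agents to check, the syslog lines that check_nrpe writes on a failed handshake can be summarised per host to list which agents fail with "dh key too small". The function names, the hosts 192.168.5.151 and 192.168.5.152 and the "placeholder reason" text are constructed; the line format is the one quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise check_nrpe handshake failures.

# Constructed sample input. The first line is the syslog line quoted in the
# thread; hosts .151/.152 and "placeholder reason" are made up for the demo.
sample_log() {
cat <<'EOF'
Sep 27 10:54:48 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.150: dh key too small
Sep 27 10:55:48 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.150: dh key too small
Sep 27 10:56:02 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.151: dh key too small
Sep 27 10:56:10 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.152: placeholder reason
Sep 27 10:56:11 pa037 sshd[811]: Accepted publickey for root
EOF
}

# Read syslog lines on stdin; print "<host> TAB <count> TAB <reason>" for
# every host/reason pair, sorted by host. Non-check_nrpe lines are ignored.
summarize_nrpe_failures() {
    awk '
    / check_nrpe(\[[0-9]+\])?: / && /Could not complete SSL handshake with / {
        line = $0
        sub(/.*Could not complete SSL handshake with /, "", line)
        # line is now "<host>: <reason>"
        idx = index(line, ": ")
        if (idx == 0) next
        host = substr(line, 1, idx - 1)
        reason = substr(line, idx + 2)
        count[host "\t" reason]++
    }
    END {
        for (k in count) {
            split(k, p, "\t")
            printf "%s\t%d\t%s\n", p[1], count[k], p[2]
        }
    }' | sort
}

# Hosts whose handshake failed with "dh key too small": the agents whose DH
# parameters the newer OpenSSL on the Nagios server refuses.
weak_dh_hosts() {
    summarize_nrpe_failures |
        awk -F '\t' '$3 == "dh key too small" { print $1 }' | sort -u
}

# Demo on the constructed sample; on a real server feed /var/log/syslog instead.
sample_log | summarize_nrpe_failures
```

On the Nagios server, `weak_dh_hosts < /var/log/syslog` gives the list of agents to schedule for an NRPE upgrade.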
cmgui
Posts: 5
Joined: Sun Sep 23, 2018 7:20 pm

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cmgui »

Thank you cdienger.
The check_nrpe -2 didn't work.
Still getting the same error: dh key too small

Upgrading all our clients is too much work. Too many clients.
Maybe we will install Nagios 3 server from the Ubuntu package instead ...

check_nrpe -n also didn't work.
Got this error:
CHECK_NRPE: Receive header underflow - only -1 bytes received (4 expected).



Sep 27 18:06:03 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.150: dh key too small

root@pa037:/usr/local/nagios/etc/objects# vi commands.cfg
define command{
command_name check_nrpe2
command_line $USER1$/check_nrpe -2 -H $HOSTADDRESS$ -c $ARG1$
}


root@pa037:/usr/local/nagios/etc/objects# systemctl stop nagios
root@pa037:/usr/local/nagios/etc/objects# systemctl start nagios
root@pa037:/usr/local/nagios/etc/objects# /usr/local/nagios/libexec/check_nrpe -H 192.168.5.150
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.5.150: 1
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cdienger »

The command was updated, but was the service's config updated to use check_nrpe2? Have you manually run the command:

/usr/local/nagios/libexec/check_nrpe -H 192.168.5.150 -2

?
cmgui
Posts: 5
Joined: Sun Sep 23, 2018 7:20 pm

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cmgui »

Yes, I did run /usr/local/nagios/libexec/check_nrpe -H 192.168.5.150 -2

Looks like the -2 option is not working? Or forcing it to sslv2 doesn't make it use 512 bit dh ?

Thank you once again cdienger.

root@pa037:/usr/local/nagios/etc/objects# /usr/local/nagios/libexec/check_nrpe -H 192.168.5.150 -2
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.5.150: 1
root@pa037:/usr/local/nagios/etc/objects#


root@pa037:/usr/local/nagios/etc/objects# tail -n 40 /var/log/syslog

Sep 28 11:03:39 pa037 check_nrpe: Error: (!log_opts) Could not complete SSL handshake with 192.168.5.150: dh key too small

Somehow our hosts.cfg file is using check_nrpe2 but in our commands.cfg file, we point check_nrpe to command_line $USER1$/check_nrpe -2 -H $HOSTADDRESS$ -c $ARG1$
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cdienger »

Going back to the -n option, both the check_nrpe command must use this and the agent must be started with it. Was the agent running with this option? While it removes all encryption, we should be able to avoid this error if we disable it.
cmgui
Posts: 5
Joined: Sun Sep 23, 2018 7:20 pm

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cmgui »

Thank you cdienger!

I ran the nrpe agent daemon on the monitored host with -n, and now check_nrpe on Nagios works!

/usr/local/nagios/libexec/check_nrpe -H 192.168.5.150 -n
NRPE v2.15

Thank you once again, but I think I will install from the Nagios 3 Ubuntu package like we used to do before, so that we do not need to upgrade all our clients to use 2048 bit dh.



On 192.168.5.150
root@fxwp:/etc/init.d# vi nagios-nrpe-server
log_daemon_msg "Starting $DESC" "$NAME"
start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $DAEMON_OPTS -n
log_end_msg $?
root@fxwp:/etc/init.d# service nagios-nrpe-server stop
* Stopping nagios-nrpe nagios-nrpe [ OK ]
root@fxwp:/etc/init.d# service nagios-nrpe-server start
* Starting nagios-nrpe nagios-nrpe

root@pa037:~# /usr/local/nagios/libexec/check_nrpe -H 192.168.5.150 -n
NRPE v2.15
root@pa037:~#
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: CHECK_NRPE Error - Could not complete SSL handshake

Post by cdienger »

Thanks for the update! Locking thread.