NSClient Certificate Authentication (SSL) not working

AlexandreGPF
Posts: 1
Joined: Wed Nov 25, 2020 4:03 am

NSClient Certificate Authentication (SSL) not working

Post by AlexandreGPF »

Hello,
I would like to configure NSClient for Certificate authentication to reach a Nagios Core server.
I configured the NSClient this way:

- Allowed host : My Nagios Core server address
- Enable common check plugins
- Enable NRPE server (check_nrpe)
- Safe mode (Use certificates for encryption but not authentication)

After that, I've got an SSL handshake error.
Do you have any clue?
Thanks !
Rago
Posts: 3
Joined: Mon Nov 30, 2020 11:18 am

Re: NSClient Certificate Authentication (SSL) not working

Post by Rago »

Hello there, I'm a newbie on this but I was having kind of the same problem, and depending on your environment and SW version this might / might not work for you. In my case I was using Nagios Core on an Ubuntu machine and a Windows machine running NSClient++.

Basically there seems to be a problem with Nagios Core SSL Certificate (apparently it uses 2048 bits instead of 512 used on client side), so you need to create a .pem file on client side.

I don't see server/client/version details in your post, but here is what I had to do:

on Ubuntu machine running Nagios Core:

Run the command openssl dhparam -C 2048; it might take some time and give you a lot of or "." lines. Wait for the end, where you see something like this:

-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAyBdDY9YPx+F7XnjL4BgfueVY7HghSMLzKTp968jabV9VUHa3RP09
xxhV0fUDY/4vu42I8NEqb0iuwa/JfT8x7PPheUoFfLEC1Te8qYkQfzSJggzsJT9V
pv/vVqQQmJznnwzxss6kYIxgeWCg40XzlHs6b2rxdfiOiPb01zIW1n+yrprsrElb
fgymW4kfeje4xa2pNtcZ1RTHryjd3jUJ0xI+rtXG1K2wfSMVx4OpnRtiRXfgCLhH
tOHPcCY86DcdIBYFP2J02pepanYbCBNBJLMXMO5RCddIG8gArSBq8jRhrflkHsuk
7QsWY5vVozNGjbjvysLrpWfC/AUiZD3aqwIBAg==
-----END DH PARAMETERS-----



On the windows machine create the file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem and paste the key just created into it (like the one above).

Next you need to tell NSClient++ to use it.

On nsclient.ini

; DH KEY -
dh = C:\Program Files\NSClient++/security/nrpe_dh_2048.pem

and of course restart service on client side.

Here is the link with all the info:

https://github.com/NagiosEnterprises/nrpe/issues/173


Again, I'm just starting myself in this Nagios world, but I hope at least this points you in the right direction.

Regards,
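
Added example, not part of either post or of the NSClient++/NRPE projects: a standard-library Python check that reads a `DH PARAMETERS` PEM block, such as the one pasted into nrpe_dh_2048.pem above, and reports the size of the prime, so a file of the wrong size is caught before the service is restarted. The function names are hypothetical, and the sample input is constructed in code with a non-prime number of the right bit length, so it is only good for exercising the size check.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_len(der, pos):
    """Decode a DER length at pos; return (length, offset of the content)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _read_int(der, pos):
    """Decode a DER INTEGER at pos; return (value, offset after it)."""
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length, start = _read_len(der, pos + 1)
    return int.from_bytes(der[start:start + length], "big"), start + length

def dh_param_bits(pem_text):
    """Return (bit length of prime p, generator g) for a PKCS#3 DH PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[:1] != b"\x30":
        raise ValueError("expected SEQUENCE tag")
    _, pos = _read_len(der, 1)
    p, pos = _read_int(der, pos)
    g, _ = _read_int(der, pos)
    return p.bit_length(), g

def _der(tag, body):
    # Two-byte long-form length is enough for the sample sizes used here.
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def make_sample_pem(bits, g=2):
    """Constructed input: p is only an odd number of the right size, not a prime."""
    ints = [(1 << (bits - 1)) | 1, g]
    body = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.encodebytes(_der(0x30, body)).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for size in (512, 2048):
        bits, g = dh_param_bits(make_sample_pem(size))
        print(f"{bits}-bit prime, g={g}:", "ok" if bits == 2048 else "size mismatch")
```

To check a real file, pass its text to `dh_param_bits()` and compare the first value with the size the other side expects.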