I’ve got the task to configure check_nrpe on our Nagios Core 4.4.3 Server (Ubuntu 18.04) and our various Windows Servers which are running NSClient++ 0.4.4.15. We want the connection to be secured with SSL.
I've created two private keys and two certificate requests and had them signed by our local CA. The certificate and key for the Nagios Server were moved to the Nagios Server and are referenced in the command; the certificate and key for the Windows Servers were moved to the Windows Server (C:\Program Files\NSClient++\security) and added to the nsclient.ini.
The problem is that whenever I try to run check_nrpe from our Nagios Server I get the error: “CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with (Windows Server IP): 1”. The NSClient log tells me “error:c:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure: 1040”.
After going through countless forum posts the only solution I found is to disable SSL altogether, which I do not want. I’ve tried that anyway just to see if it works that way, but I couldn't get that to work either and got a Socket Timeout after 10 seconds.
Here is my nsclient.ini:
Code:
; Undocumented section
[/settings/default]
; Undocumented key
password = (Password)
; Undocumented key
allowed hosts = 127.0.0.1,(Nagios Server IP)
; Undocumented section
[/settings/NRPE/server]
; Undocumented key
allow arguments = true
; Undocumented key
allow nasty characters = true
; Undocumented key
use ssl = true
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
; Undocumented key
verify mode = peer-cert
; Undocumented key
insecure = true
; Undocumented key
certificate key = C:\Program Files\NSClient++\security\check_nrpe.key
; Undocumented key
certificate = C:\Program Files\NSClient++\security\check_nrpe.cer
; Undocumented key
ca = C:\Program Files\NSClient++\security\CA.cer
; Undocumented section
[/modules]
; Undocumented key
CheckExternalScripts = 1
; Undocumented key
CheckHelpers = 1
; Undocumented key
CheckNSCP = 1
; Undocumented key
CheckDisk = 1
; Undocumented key
CheckSystem = 1
; Undocumented key
NSClientServer = 1
; Undocumented key
CheckEventLog = 1
; Undocumented key
NSCAClient = 1
; Undocumented key
NRPEServer = 1
Code:
root@nagioscore:~# /usr/lib/nagios/plugins/check_nrpe -A /usr/local/nagios/etc/ssl/certificates/CA.cer -C /usr/local/nagios/etc/ssl/certificates/nagios_server.cer -K /usr/local/nagios/etc/ssl/certificates/nagios_server.key -H (Windows Server IP)
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with (Windows Server IP): 1
Code:
error:c:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure: 1040
Thanks in advance!
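
Added example, not part of the original post and not NSClient++ code: a small Python lint that reads an nsclient.ini like the one above and lists settings in [/settings/NRPE/server] that weaken or contradict a certificate-verified TLS setup. The function name, finding IDs and rules are assumptions made for this illustration (based on `insecure` being the legacy check_nrpe compatibility switch and on OpenSSL cipher-string semantics); the findings are review points, not a confirmed cause of the handshake failure.

```python
import configparser

# Constructed sample: the [/settings/NRPE/server] section from the post above.
SAMPLE_INI = r"""
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
use ssl = true
ssl options = no-sslv2,no-sslv3
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
verify mode = peer-cert
insecure = true
certificate key = C:\Program Files\NSClient++\security\check_nrpe.key
certificate = C:\Program Files\NSClient++\security\check_nrpe.cer
ca = C:\Program Files\NSClient++\security\CA.cer
"""

SECTION = "/settings/NRPE/server"
TRUE = {"1", "true", "yes", "on"}

def lint_nrpe_tls(ini_text):
    """Return a sorted list of finding IDs (hypothetical names) for the section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        return ["no-nrpe-section"]
    s = cp[SECTION]
    on = lambda key: s.get(key, "").strip().lower() in TRUE
    verify = s.get("verify mode", "none").strip().lower()
    ciphers = s.get("allowed ciphers", "").upper().split(":")
    findings = set()
    if not on("use ssl"):
        findings.add("tls-disabled")
    # Assumption: legacy (anonymous-DH) mode and certificate checks conflict.
    if on("insecure") and verify != "none":
        findings.add("insecure-with-cert-verification")
    if "@SECLEVEL=0" in ciphers:  # lowers OpenSSL's security level to 0
        findings.add("seclevel-0")
    # OpenSSL's ALL keyword includes anonymous (unauthenticated) suites.
    if "ALL" in ciphers and not any(c in ciphers for c in ("!ANULL", "!ADH")):
        findings.add("anonymous-ciphers-not-excluded")
    if verify != "none" and not s.get("ca", "").strip():
        findings.add("verify-without-ca")
    # Remote arguments plus shell metacharacters widen the command surface.
    if on("allow arguments") and on("allow nasty characters"):
        findings.add("args-with-nasty-characters")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_nrpe_tls(SAMPLE_INI)))
```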