CHECK_NRPE: (ssl_err != 5) Error

asc45
Posts: 2
Joined: Wed Jan 06, 2021 2:12 am

CHECK_NRPE: (ssl_err != 5) Error

Post by asc45 »

Hello,
I’ve got the task to configure check_nrpe on our Nagios Core 4.4.3 Server (Ubuntu 18.04) and our various Windows Servers which are running NSClient++ 0.4.4.15. We want the connection to be secured with SSL.
I've created two private keys and two certificate requests and signed them with our local CA. The certificate and key for the Nagios Server were moved to the Nagios Server and are referenced in the command; the certificate and key for the Windows Servers were moved to the Windows Server (C:\Program Files\NSClient++\security) and added to the nsclient.ini.
The problem is that whenever I try to run check_nrpe from our Nagios Server I get the error: "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with (Windows Server IP): 1". The NSClient log tells me "error:c:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure: 1040".

After going through countless forum posts the only solution I found is to disable SSL altogether, which I do not want. I’ve tried that anyways just to see if it works that way, but I couldn't get that to work either and got a Socket Timeout after 10 seconds.

Here is my nsclient.ini:

Code:

; Undocumented section
[/settings/default]

; Undocumented key
password = (Password)

; Undocumented key
allowed hosts = 127.0.0.1,(Nagios Server IP)


; Undocumented section
[/settings/NRPE/server]

; Undocumented key
allow arguments = true

; Undocumented key
allow nasty characters = true

; Undocumented key
use ssl = true

; Undocumented key
ssl options = no-sslv2,no-sslv3

; Undocumented key
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0

; Undocumented key
verify mode = peer-cert

; Undocumented key
insecure = true

; Undocumented key
certificate key = C:\Program Files\NSClient++\security\check_nrpe.key

; Undocumented key
certificate = C:\Program Files\NSClient++\security\check_nrpe.cer

; Undocumented key
ca = C:\Program Files\NSClient++\security\CA.cer


; Undocumented section
[/modules]

; Undocumented key
CheckExternalScripts = 1

; Undocumented key
CheckHelpers = 1

; Undocumented key
CheckNSCP = 1

; Undocumented key
CheckDisk = 1

; Undocumented key
CheckSystem = 1

; Undocumented key
NSClientServer = 1

; Undocumented key
CheckEventLog = 1

; Undocumented key
NSCAClient = 1

; Undocumented key
NRPEServer = 1

The command I am running from Nagios:

Code:

root@nagioscore:~# /usr/lib/nagios/plugins/check_nrpe -A /usr/local/nagios/etc/ssl/certificates/CA.cer –C /usr/local/nagios/etc/ssl/certificates/nagios_server.cer –K /usr/local/nagios/etc/ssl/certificates/nagios_server.key -H (Windows Server IP)
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with (Windows Server IP): 1

The entry in the nsclient log:

Code:

error:c:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure: 1040

Any ideas on why it's not working?
Thanks in advance!
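
An audit of the TLS-related keys in the nsclient.ini posted above, as an added example that is not part of the original post and not NSClient++'s own validation. The function name `audit_nrpe_tls` and its rule set are assumptions chosen for illustration, and the sample input is a constructed copy of the posted `[/settings/NRPE/server]` section.

```python
import configparser

# Constructed sample: the [/settings/NRPE/server] keys from the nsclient.ini posted above.
SAMPLE_INI = r"""
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
use ssl = true
ssl options = no-sslv2,no-sslv3
allowed ciphers = ALL:!MD5:@STRENGTH:@SECLEVEL=0
verify mode = peer-cert
insecure = true
"""

def audit_nrpe_tls(ini_text, section="/settings/NRPE/server"):
    """Return (key, reason) findings for the NRPE server section (hypothetical rules)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    s = cp[section] if cp.has_section(section) else {}
    on = lambda key: s.get(key, "false").strip().lower() in ("true", "1")
    findings = []
    if not on("use ssl"):
        findings.append(("use ssl", "NRPE traffic is not encrypted"))
    if on("insecure"):
        findings.append(("insecure", "legacy check_nrpe compatibility mode is enabled"))
    # Both legacy protocol versions should stay disabled.
    opts = {o.strip().lower() for o in s.get("ssl options", "").split(",")}
    for needed in ("no-sslv2", "no-sslv3"):
        if needed not in opts:
            findings.append(("ssl options", f"{needed} is missing"))
    # OpenSSL cipher strings are colon-separated tokens.
    tokens = [t.strip().upper() for t in s.get("allowed ciphers", "").split(":")]
    if "@SECLEVEL=0" in tokens:
        findings.append(("allowed ciphers", "@SECLEVEL=0 removes OpenSSL's minimum strength checks"))
    if "ALL" in tokens and "!ANULL" not in tokens:
        findings.append(("allowed ciphers", "ALL without !aNULL admits unauthenticated suites"))
    if s.get("verify mode", "none").strip().lower() == "none":
        findings.append(("verify mode", "peer certificate is not verified"))
    if on("allow arguments") and on("allow nasty characters"):
        findings.append(("allow arguments", "remote arguments with shell metacharacters are accepted"))
    return findings

if __name__ == "__main__":
    for key, reason in audit_nrpe_tls(SAMPLE_INI):
        print(f"{key}: {reason}")
```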
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: CHECK_NRPE: (ssl_err != 5) Error

Post by gormank »

Your nsclient seems to be set up to disallow v3 and the error is can't use v3. Maybe remove the no-sslv3 from the file and restart nsclient.

ssl options = no-sslv2,no-sslv3
asc45
Posts: 2
Joined: Wed Jan 06, 2021 2:12 am

Re: CHECK_NRPE: (ssl_err != 5) Error

Post by asc45 »

Thanks for the reply!

I've tried removing no-sslv3, changing the line

Code:

ssl options = no-sslv2,no-sslv3

into

Code:

ssl options = no-sslv2

and restarting the nscp service.

No success, I'm still getting the same error.

Nagios:

Code:

root@sdmz2-nagioscore:~# /usr/lib/nagios/plugins/check_nrpe -A /usr/local/nagios/etc/ssl/certificates/CA.cer –C /usr/local/nagios/etc/ssl/certificates/nagios_server.cer –K /usr/local/nagios/etc/ssl/certificates/nagios_server.key -H 192.168.10.105
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with (Windows Server IP): 1

NSClient:

Code:

nrpe Accepting connection from: (Nagios Server IP), count=1
error:c:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure:1040