Problem with SSL between different NRPE versions

Engage with the community of users including those using the open source solutions.
Includes Nagios Core, Plugins, and NCPA

Problem with SSL between different NRPE versions

Postby amateo » Wed May 19, 2021 7:34 am

I'm trying top upgrade my monitoring server from Ubuntu 16.04 to Ubuntu 20.04. My problem is that I'm getting a SSL error when the new monitoring server, with plugin version 4.0.3, tries to connect to servers with Ubuntu versions older than 18.04. For example, I'm trying to monitor a system with Ubuntu 16.04 and NRPE server with version 2.15 (the provided with Ubuntu packages).

In this case in the NRPE client I get:
Code: Select all
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 155.54.212.35: 1


and in the server (in debug mode) I get:
Code: Select all
May 19 14:11:01 mustela10 nrpe[2151]: Connection from 155.54.212.55 port 52966
May 19 14:11:01 mustela10 nrpe[2151]: Host address is in allowed_hosts
May 19 14:11:01 mustela10 nrpe[2151]: Handling the connection...
May 19 14:11:01 mustela10 nrpe[2151]: Error: Could not complete SSL handshake. 1
May 19 14:11:01 mustela10 nrpe[2151]: Connection from  closed.


So the problem doesn't seem to be related with the cliente IP (I get the message "Host address is in allowed_hosts") but with the SSL negotiation.

I have tried with different combinations of parameters -S, -d and/or -L in the client, but I haven't found any way to make it work. The only thing I have found is completely disabling SSL in both client and servers, but I wouldn't like to apply this.

This is the configuration in the server:
Code: Select all
log_facility=daemon
pid_file=/var/run/nagios/nrpe.pid
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,<list of monitoring ips>
dont_blame_nrpe=1
allow_bash_command_substitution=0
debug=1
command_timeout=60
connection_timeout=300
allow_weak_random_seed=0
include_dir=/etc/nagios/nrpe.d


Any help?
amateo
 
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Postby epixelitsupport » Fri May 21, 2021 11:32 am

Hi ,

This will help you
https://support.nagios.com/kb/article/n ... e-615.html



SSL Not Compiled In:
Another cause of SSL issues is that NRPE was not compiled with ssl enabled. To recompile NRPE with ssl support, browse to your NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document) and re-compile using the --enable-ssl flag:

cd /tmp/nrpe-2.14
./configure --enable-ssl
make all
make install
epixelitsupport
 
Posts: 85
Joined: Fri Nov 08, 2019 2:40 am

Re: Problem with SSL between different NRPE versions

Postby amateo » Mon May 24, 2021 1:12 am

This will help you
https://support.nagios.com/kb/article/n ... e-615.html

This haven't helped. I don't have any problem with the client's IP. NRPE server is correctly listening and the client's IP is in the allowed list (I can see "Host address is in allowed_hosts" in the logs).

[quote]
SSL Not Compiled In:
Another cause of SSL issues is that NRPE was not compiled with ssl enabled. To recompile NRPE with ssl support, browse to your NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document) and re-compile using the --enable-ssl flag:
[quote]
But NRPE is compiled with SSL support in the server and in the client.

I've been using the server with SSL for a long time (from older clients). And my new client is working with ssl with newer server.

My SSL problem is just between my new client (version 4.0.3) and old servers (version 2.15, provided with Ubuntu 16.04 packages). With servers running version 3.2.1 (provided with Ubuntu 18.04 packages) I don't have any problem with this client's version.
amateo
 
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Postby gormank » Tue May 25, 2021 10:21 am

SSH to the Nagios host and run check_nrpe -h to get the options. I think you can update the check_nrpe command in Nagios to use SSL/TLS version 2 to resolve the issue.
gormank
 
Posts: 855
Joined: Tue Dec 02, 2014 12:00 pm

Re: Problem with SSL between different NRPE versions

Postby amateo » Wed May 26, 2021 12:43 am

Code: Select all
-S, --ssl-version=VERSION    The SSL/TLS version to use. Can be any one of:
                              SSLv3     SSL v3 only
                              SSLv3+    SSL v3 or above
                              TLSv1     TLS v1 only
                              TLSv1+    TLS v1 or above (DEFAULT)
                              TLSv1.1   TLS v1.1 only
                              TLSv1.1+  TLS v1.1 or above
                              TLSv1.2   TLS v1.2 only
                              TLSv1.2+  TLS v1.2 or above


It seems that SSLv2 is not available.
amateo
 
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Postby gormank » Wed May 26, 2021 11:40 am

Try v1.2...

TLSv1.2+ TLS v1.2 or above
gormank
 
Posts: 855
Joined: Tue Dec 02, 2014 12:00 pm

one mo

Postby kiranadiraju » Fri May 28, 2021 8:33 am

kiranadiraju
 
Posts: 7
Joined: Tue Mar 28, 2017 5:10 am

Re: Problem with SSL between different NRPE versions

Postby amateo » Mon May 31, 2021 12:24 am

gormank wrote:Try v1.2...

TLSv1.2+ TLS v1.2 or above


I have already tried all different SSL versions with no results.
amateo
 
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Postby gormank » Wed Jun 09, 2021 5:30 pm

The check_nrpe command on one of my NXI hosts:

$USER1$/check_nrpe -H $HOSTADDRESS$ --v2-packets-only --unknown-timeout -t 59:3 -c $ARG1$ $ARG2$
gormank
 
Posts: 855
Joined: Tue Dec 02, 2014 12:00 pm


Return to Community Support

Who is online

Users browsing this forum: gcrodaje, Majestic-12 [Bot] and 22 guests