Problem with SSL between different NRPE versions

amateo
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Problem with SSL between different NRPE versions

Post by amateo »

I'm trying to upgrade my monitoring server from Ubuntu 16.04 to Ubuntu 20.04. My problem is that I'm getting an SSL error when the new monitoring server, with plugin version 4.0.3, tries to connect to servers with Ubuntu versions older than 18.04. For example, I'm trying to monitor a system with Ubuntu 16.04 and NRPE server with version 2.15 (the one provided with Ubuntu packages).

In this case in the NRPE client I get:

Code:

CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 155.54.212.35: 1
and in the server (in debug mode) I get:

Code:

May 19 14:11:01 mustela10 nrpe[2151]: Connection from 155.54.212.55 port 52966
May 19 14:11:01 mustela10 nrpe[2151]: Host address is in allowed_hosts
May 19 14:11:01 mustela10 nrpe[2151]: Handling the connection...
May 19 14:11:01 mustela10 nrpe[2151]: Error: Could not complete SSL handshake. 1
May 19 14:11:01 mustela10 nrpe[2151]: Connection from  closed.
So the problem doesn't seem to be related to the client IP (I get the message "Host address is in allowed_hosts") but to the SSL negotiation.

I have tried with different combinations of parameters -S, -d and/or -L in the client, but I haven't found any way to make it work. The only thing I have found is completely disabling SSL in both client and servers, but I wouldn't like to apply this.

This is the configuration in the server:

Code:

log_facility=daemon
pid_file=/var/run/nagios/nrpe.pid
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,<list of monitoring ips>
dont_blame_nrpe=1
allow_bash_command_substitution=0
debug=1
command_timeout=60
connection_timeout=300
allow_weak_random_seed=0
include_dir=/etc/nagios/nrpe.d
Any help?
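
The reasoning in the post above (the allowed_hosts check passed, so the failure lies in the SSL negotiation) can be applied mechanically to the daemon log. This is an added example, not part of the original post: it groups NRPE debug lines by child PID and labels each connection. The 192.0.2.10 connection is constructed, and reading the trailing number as OpenSSL's SSL_get_error() value is an assumption.

```python
import re

# Constructed sample: the five daemon lines quoted in the post, plus one
# invented connection (192.0.2.10) that never gets the allowed_hosts line.
SAMPLE_LOG = """\
May 19 14:11:01 mustela10 nrpe[2151]: Connection from 155.54.212.55 port 52966
May 19 14:11:01 mustela10 nrpe[2151]: Host address is in allowed_hosts
May 19 14:11:01 mustela10 nrpe[2151]: Handling the connection...
May 19 14:11:01 mustela10 nrpe[2151]: Error: Could not complete SSL handshake. 1
May 19 14:11:01 mustela10 nrpe[2151]: Connection from  closed.
May 19 14:12:07 mustela10 nrpe[2160]: Connection from 192.0.2.10 port 40112
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ nrpe\[(\d+)\]: (.*)$")
OPENED = re.compile(r"^Connection from (\S+) port (\d+)$")
HANDSHAKE = re.compile(r"^Error: Could not complete SSL handshake\. (\d+)$")
# Assumption: the trailing number is OpenSSL's SSL_get_error() result.
SSL_ERRORS = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL"}


def triage(log_text):
    """Return one record per connection, keyed on the nrpe child PID."""
    open_by_pid, records = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an nrpe syslog line
        pid, msg = m.group(1), m.group(2)
        if (o := OPENED.match(msg)):
            rec = {"peer": o.group(1), "port": int(o.group(2)),
                   "acl_passed": False, "ssl_error": None}
            open_by_pid[pid] = rec
            records.append(rec)
        elif pid in open_by_pid:
            rec = open_by_pid[pid]
            if msg == "Host address is in allowed_hosts":
                rec["acl_passed"] = True
            elif (h := HANDSHAKE.match(msg)):
                rec["ssl_error"] = int(h.group(1))
    for rec in records:
        if rec["acl_passed"] and rec["ssl_error"] is not None:
            name = SSL_ERRORS.get(rec["ssl_error"], "unknown")
            rec["verdict"] = f"TLS handshake failed after ACL pass ({name})"
        elif not rec["acl_passed"]:
            rec["verdict"] = "allowed_hosts pass not logged"
        else:
            rec["verdict"] = "no handshake error logged"
    return records
```

Calling `triage()` on the text of the daemon's syslog output returns one dictionary per connection; the `verdict` field separates ACL problems from handshake failures.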
epixelitsupport
Posts: 85
Joined: Fri Nov 08, 2019 2:40 am

Re: Problem with SSL between different NRPE versions

Post by epixelitsupport »

Hi,

This will help you
https://support.nagios.com/kb/article/n ... e-615.html



SSL Not Compiled In:
Another cause of SSL issues is that NRPE was not compiled with ssl enabled. To recompile NRPE with ssl support, browse to your NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document) and re-compile using the --enable-ssl flag:

cd /tmp/nrpe-2.14
./configure --enable-ssl
make all
make install
amateo
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Post by amateo »

epixelitsupport wrote: This will help you
https://support.nagios.com/kb/article/n ... e-615.html

This hasn't helped. I don't have any problem with the client's IP. NRPE server is correctly listening and the client's IP is in the allowed list (I can see "Host address is in allowed_hosts" in the logs).

epixelitsupport wrote: SSL Not Compiled In:
Another cause of SSL issues is that NRPE was not compiled with ssl enabled. To recompile NRPE with ssl support, browse to your NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document) and re-compile using the --enable-ssl flag:

But NRPE is compiled with SSL support in the server and in the client.

I've been using the server with SSL for a long time (from older clients). And my new client is working with SSL with a newer server.

My SSL problem is just between my new client (version 4.0.3) and old servers (version 2.15, provided with Ubuntu 16.04 packages). With servers running version 3.2.1 (provided with Ubuntu 18.04 packages) I don't have any problem with this client's version.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: Problem with SSL between different NRPE versions

Post by gormank »

SSH to the Nagios host and run check_nrpe -h to get the options. I think you can update the check_nrpe command in Nagios to use SSL/TLS version 2 to resolve the issue.
amateo
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Post by amateo »

Code:

 -S, --ssl-version=VERSION    The SSL/TLS version to use. Can be any one of:
                              SSLv3     SSL v3 only
                              SSLv3+    SSL v3 or above 
                              TLSv1     TLS v1 only
                              TLSv1+    TLS v1 or above (DEFAULT)
                              TLSv1.1   TLS v1.1 only
                              TLSv1.1+  TLS v1.1 or above
                              TLSv1.2   TLS v1.2 only
                              TLSv1.2+  TLS v1.2 or above
It seems that SSLv2 is not available.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: Problem with SSL between different NRPE versions

Post by gormank »

Try v1.2...

TLSv1.2+ TLS v1.2 or above
kiranadiraju

one mo

Post by kiranadiraju »

amateo
Posts: 4
Joined: Wed May 19, 2021 7:26 am

Re: Problem with SSL between different NRPE versions

Post by amateo »

gormank wrote: Try v1.2...

TLSv1.2+ TLS v1.2 or above

I have already tried all different SSL versions with no results.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: Problem with SSL between different NRPE versions

Post by gormank »

The check_nrpe command on one of my NXI hosts:

$USER1$/check_nrpe -H $HOSTADDRESS$ --v2-packets-only --unknown-timeout -t 59:3 -c $ARG1$ $ARG2$