Problem with SSL between different NRPE versions
Posted: Wed May 19, 2021 7:34 am
I'm trying top upgrade my monitoring server from Ubuntu 16.04 to Ubuntu 20.04. My problem is that I'm getting a SSL error when the new monitoring server, with plugin version 4.0.3, tries to connect to servers with Ubuntu versions older than 18.04. For example, I'm trying to monitor a system with Ubuntu 16.04 and NRPE server with version 2.15 (the provided with Ubuntu packages).
In this case in the NRPE client I get:
and in the server (in debug mode) I get:
So the problem doesn't seem to be related with the cliente IP (I get the message "Host address is in allowed_hosts") but with the SSL negotiation.
I have tried with different combinations of parameters -S, -d and/or -L in the client, but I haven't found any way to make it work. The only thing I have found is completely disabling SSL in both client and servers, but I wouldn't like to apply this.
This is the configuration in the server:
Any help?
In this case in the NRPE client I get:
Code: Select all
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 155.54.212.35: 1
Code: Select all
May 19 14:11:01 mustela10 nrpe[2151]: Connection from 155.54.212.55 port 52966
May 19 14:11:01 mustela10 nrpe[2151]: Host address is in allowed_hosts
May 19 14:11:01 mustela10 nrpe[2151]: Handling the connection...
May 19 14:11:01 mustela10 nrpe[2151]: Error: Could not complete SSL handshake. 1
May 19 14:11:01 mustela10 nrpe[2151]: Connection from closed.
I have tried with different combinations of parameters -S, -d and/or -L in the client, but I haven't found any way to make it work. The only thing I have found is completely disabling SSL in both client and servers, but I wouldn't like to apply this.
This is the configuration in the server:
Code: Select all
log_facility=daemon
pid_file=/var/run/nagios/nrpe.pid
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,<list of monitoring ips>
dont_blame_nrpe=1
allow_bash_command_substitution=0
debug=1
command_timeout=60
connection_timeout=300
allow_weak_random_seed=0
include_dir=/etc/nagios/nrpe.d