Solaris-nrpe-agent with SSL in Solaris 10

[RockerMan]

Hi

Installed on the subject instructions https://assets.nagios.com/downloads/nag ... _Agent.pdf. Installation went smoothly and without errors. After installation is complete nrpe once appeared in advanced services

Code: Select all

bash-3.2# uname -a
SunOS virt 5.10 Generic_147148-26 i86pc i386 i86pc

Code: Select all

bash-3.2# svcs | grep nrpe
online         15:58:51 svc:/application/nagios/nrpe:default

Code: Select all

bash-3.2#  netstat -a | grep nrpe
      *.nrpe               *.*                0      0 49152      0 LISTEN

Edit the configuration file, restart nrpe. To test runs on Solaris and get the error:

Code: Select all

bash-3.2# ./check_nrpe -H 10.10.255.31 -c check_users
CHECK_NRPE: Error - Could not complete SSL handshake.

It looks agent met without the support of the SSL. Pls tell me, have the ability to add SSL support to an already established agent? If not - how to uninstall the agent to nrpe and nagios-plugins compile from sources?

Thanks

[abrist]

First, verify that it was built without ssl support (add a -n arg):

Code: Select all

./check_nrpe -H 10.10.255.31 -c check_users -n

If you still have handshake/timeout errors, it is probably not ssl that is the cause.
Do you have the log from the build/install? It should have a note concerning whether or not ssl support was built.

[RockerMan]

Sorry, I ran chek_nrpe this parameter "-n", forgot to write the result in the topic:

Code: Select all

bash-3.2# ./check_nrpe -H 10.10.255.31 -c check_users -n
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.

I check the log /var/svc/log/application-nagios-nrpe:default.log. There is nothing on the subject, only to restart nrpe

Code: Select all

[ Jun 19 10:26:07 Stopping because service restarting. ]
[ Jun 19 10:26:07 Executing stop method ("/lib/svc/method/nrpe stop") ]
[ Jun 19 10:26:07 Method "stop" exited with status 0 ]
[ Jun 19 10:26:07 Executing start method ("/lib/svc/method/nrpe start") ]
[ Jun 19 10:26:07 Method "start" exited with status 0 ]
[ Jun 19 10:27:19 Stopping because service restarting. ]
[ Jun 19 10:27:19 Executing stop method ("/lib/svc/method/nrpe stop") ]
[ Jun 19 10:27:19 Method "stop" exited with status 0 ]
[ Jun 19 10:27:19 Executing start method ("/lib/svc/method/nrpe start") ]
[ Jun 19 10:27:19 Method "start" exited with status 0 ]

Logs agent installation preserved. There is nothing about that that nrpe setup with support for SSL.

[tgriep]

Can you edit this file on the Solaris system /etc/nagios/nrpe.cfg and add the IP address of the Nagios XI system to it and restart the daemon?

Code: Select all

allowed_hosts=

You may need to edit /etc/xinetd.d/nrpe and add the Nagios XI server IP address to this line

Code: Select all

only_from =  

[RockerMan]

have addresses, I added

Code: Select all

allowed_hosts=127.0.0.1,10.10.0.112

in Solaris 10 is no such directory /etc/xinetd.d
"You may need to edit /etc/xinetd.d/nrpe and add the Nagios XI server IP address to this line"
only_from =

[jdalrymple]

In Solaris you use inetd, not xinetd. The configuration file is at /etc/inetd.conf. You'll need a line that looks like this:

Code: Select all

nrpe stream tcp nowait nagios /opt/bin/nrpe -c /etc/nrpe.cfg -i

You'll also need to verify that 5666 exists and is proper in your /etc/services file:

Code: Select all

bash-2.05# grep 5666 /etc/services
nrpe            5666             # Nagios NRPE Daemon

[RockerMan]

in /etc/inetd.conf had a similar line

Code: Select all

nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /opt/nagios/bin/nrpe -c /etc/nagios/nrpe.cfg -i

I changed it as you suggest

Code: Select all

nrpe stream tcp nowait nagios /opt/nagios/bin/nrpe -c /etc/nagios/nrpe.cfg -i

In /etc/services all right

Code: Select all

nrpe            5666/tcp                        # NRPE

Changed config files, restart nrpe - nothing has changed

Code: Select all

bash-3.2# svcadm restart nrpe
bash-3.2#
bash-3.2# svcs -x nrpe
svc:/application/nagios/nrpe:default (NRPE daemon)
 State: online since Tue Jun 23 09:44:48 2015
   See: /var/svc/log/application-nagios-nrpe:default.log
Impact: None.
bash-3.2# ./check_nrpe -H 10.10.255.31 -c check_users
bash: ./check_nrpe: No such file or directory
bash-3.2# cd /opt/nagios/libexec/
bash-3.2# ./check_nrpe -H 10.10.255.31 -c check_users
CHECK_NRPE: Error - Could not complete SSL handshake.
bash-3.2# ./check_nrpe -H 10.10.255.31 -c check_users -n
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.

In /var/svc/log/application-nagios-nrpe:default.log

Code: Select all

[ Jun 23 09:44:48 Stopping because service restarting. ]
[ Jun 23 09:44:48 Executing stop method ("/lib/svc/method/nrpe stop") ]
[ Jun 23 09:44:48 Method "stop" exited with status 0 ]
[ Jun 23 09:44:48 Executing start method ("/lib/svc/method/nrpe start") ]
[ Jun 23 09:44:48 Method "start" exited with status 0 ]

[jdalrymple]

in /etc/inetd.conf had a similar line

Code: Select all

nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /opt/nagios/bin/nrpe -c /etc/nagios/nrpe.cfg -i

I changed it as you suggest

Code: Select all

nrpe stream tcp nowait nagios /opt/nagios/bin/nrpe -c /etc/nagios/nrpe.cfg -i

The line I posted made assumptions about your environment. If those assumptions weren't correct (namely the path of the nrpe binary) then you would have potentially went from a working nrpe daemon to a broken one. Regardless it looks like you're using SMF to launch NRPE which means the inetd.conf line is unnecessary.

Open the location where you compiled nrpe and run the following:

Code: Select all

# grep ssl config.log
  $ ./configure --enable-command-args --enable-ssl --with-ssl=/usr/local/ssl/bin --with-ssl-lib=/usr/local/ssl/lib
CFLAGS='-g -O2 -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include'
LDFLAGS=' -L/usr/local/ssl/lib'
LIBS=' -lssl -lcrypto'

[RockerMan]

I laid out above installation log agent. There's nothing to support the SSL during installation. It may be necessary to modify the installer script and instructions to him to nrpe-agent for Solaris setup to support SSL.

P.S.
I think nrpe-agent installed according to the instructions https://assets.nagios.com/downloads/nag ... _Agent.pdf will not work with SSL. The Solaris OS I not professional, so if someone can tell me how to uninstall (remove) correctly from the system installed by the above instructions solaris-nrpe-agent will be very grateful.

[jdalrymple]

find libssl please:

Code: Select all

# find / -name 'libssl*'
/usr/lib/mps/secv1/libssl3.so
/usr/lib/mps/libssl3.so
/usr/sfw/lib/libssl.so.0.9.8
/usr/dt/appconfig/SUNWns/libssl3.so
/usr/iplanet/nss3.3.1/lib/libssl3.so
/usr/iplanet/ds5/lib/libssldap50.so
/usr/iplanet/ds5/lib/libssl3.so
/usr/appserver/lib/libssldap50.so
/usr/local/ssl/lib/libssl.a
/usr/local/ssl/lib/libssl.so
/usr/local/ssl/lib/libssl.so.0.9.8
/usr/local/ssl/lib/pkgconfig/libssl.pc