Another nrpe SSL handshake problem

mijohnst
Posts: 10
Joined: Wed Apr 25, 2012 12:03 pm

Another nrpe SSL handshake problem

Post by mijohnst »

I've read everything I could find in this forum and still can't figure this out, but I'm getting the "CHECK_NRPE: ERROR - Could not compile SSL handshake." issue. I get the same response if I run the test command on the server or on the host. I pulled the rpm from the epel and read that it's been compiled with "openssl dhparam -C 512" (the package is nrpe-2.15-7.el7.x86_64). I'm also using the epel RHEL6 version for my RHEL6 machines and they work fine on all of them.

This is what I've tried...

- Ensured the firewall port 5666 is open. I can telnet to the port and I can see it open with NMAP.
- Ensured that the "allowed_hosts" is set with 127.0.0.1 and the IP of my Nagios server.
- I'm running the same nrpe.conf on my working RHEL6 systems as on my non-working RHEL7 systems.
- Tested running 'check_nrpe' with -n, to which I receive "CHECK_NRPE: Error received data from daemon." When I do that, the log file says there is an SSL handshake issue...which tells me that the -n option doesn't really disable ssl at all.

The only thing I'm thinking to try next is to downgrade my openssl version. On my RHEL6 systems I'm using openssl-1.0.1e-48 and on my RHEL7 systems I'm using openssl-1.0.1e-60.

I'm out of ideas and I'm just stumped... Other options to try?
EchoKev
Posts: 40
Joined: Tue Jul 02, 2013 11:35 am

Re: Another nrpe SSL handshake problem

Post by EchoKev »

Try manually compiling the code on your server from the source package?
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Another nrpe SSL handshake problem

Post by rkennedy »

Thanks @EchoKev!

This is correct though, I believe there was a recent bug in the repositories if I remember correctly as well. Do you have all of the required openssl libraries needed to run it via SSL? I believe you can call the bin file directly to see how it was compiled / with what, which may show us some useful output. Could you share it?

Can you also show us how NRPE is currently running?

Code:

netstat -nap
ps -ef | grep nrpe

Then, post your NRPE configuration for us to review.
Former Nagios Employee
mijohnst
Posts: 10
Joined: Wed Apr 25, 2012 12:03 pm

Re: Another nrpe SSL handshake problem

Post by mijohnst »

Ok, looks like it's the epel version of nrpe that's the problem. I manually compiled 3.0.1 (thanks for the suggestion) and it seems to work. I'm wondering if it's because it is compiled with ssl 2048 by default instead of the 512 that comes in epel. I'm going to keep looking to see if I can make an RPM or find someone that has created a 3.0.1 rpm. I'd rather have a package in my repo than have to write a script and manually install it on everything. I'll come back and post what I ended up doing in the end. Appreciate the support...
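
The post above guesses that the DH prime size fixed at build time (512 versus 2048 bits) is what separates the failing and working builds. As an added example (not part of the thread and not NRPE's own code), this reads text in the layout `openssl dhparam -C` produces and reports the prime's bit length; the function names, the 1024-bit minimum and the sample bytes are assumptions constructed for illustration.

```python
import re

# Matches the prime array in `openssl dhparam -C <bits>` output, e.g. dh512_p[].
PRIME_RE = re.compile(r"static\s+unsigned\s+char\s+(dh\w*_p)\[\]\s*=\s*\{(.*?)\}", re.S)

def make_sample(bits, first=0xDA):
    """Constructed stand-in for `openssl dhparam -C <bits>` output.
    The byte values are made up: not a real prime, not from any NRPE package."""
    n = bits // 8
    data = [first] + [(i * 37 + 11) & 0xFF for i in range(1, n)]
    rows = [",".join("0x%02X" % b for b in data[i:i + 12]) for i in range(0, n, 12)]
    return ("DH *get_dh%d()\n\t{\n\tstatic unsigned char dh%d_p[]={\n\t\t%s,\n\t\t};\n"
            "\tstatic unsigned char dh%d_g[]={\n\t\t0x02,\n\t\t};\n"
            % (bits, bits, ",\n\t\t".join(rows), bits))

def dh_prime_bits(header_text):
    """Return (array_name, effective bit length of the prime)."""
    m = PRIME_RE.search(header_text)
    if m is None:
        raise ValueError("no dh*_p[] array found")
    raw = bytes(int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{2}", m.group(2)))
    if not raw:
        raise ValueError("prime array is empty")
    # bit_length() ignores leading zero bytes, so padding does not inflate the size.
    return m.group(1), int.from_bytes(raw, "big").bit_length()

def audit(header_text, min_bits=1024):
    """min_bits is an assumed local policy value, not read from OpenSSL."""
    name, bits = dh_prime_bits(header_text)
    return {"array": name, "bits": bits, "ok": bits >= min_bits}

if __name__ == "__main__":
    for size in (512, 2048):
        print(audit(make_sample(size)))
```

To check a real build, pass the text of the header that the package's build generated with `openssl dhparam -C` to `audit()` instead of the constructed sample.
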
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Another nrpe SSL handshake problem

Post by rkennedy »

I know there are a couple other 2.x packages floating around for NRPE online, but I am not able to verify them.

At this time, from what I know - there aren't any NRPEv3 packages available. Not to say this couldn't change. If you find anything, please let us know! I'll leave this post open awaiting your response.
Former Nagios Employee
mijohnst
Posts: 10
Joined: Wed Apr 25, 2012 12:03 pm

Re: Another nrpe SSL handshake problem

Post by mijohnst »

Hey rkennedy, I'm sorry...I didn't see your post before I just posted this last one.

I uninstalled my test compile and put the epel version back on which brings me back to the issue. If I run /bin/nrpe I see this:

Code:

NRPE = Nagios Remote Plugin Executor
Version 2.15
Last Modified: 09-06-2013
SSL/TLS Available: Anonymouse DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

I've tried downgrading my OpenSSL but that didn't do anything. Seems like it's been out so long that an issue with it would have been found a long time ago. It could be that some of my security settings are too restrictive and maybe I need to back them out when I figure out what it is. Be nice if someone would add 3.0.1 to the epel. :)
mijohnst
Posts: 10
Joined: Wed Apr 25, 2012 12:03 pm

Re: Another nrpe SSL handshake problem

Post by mijohnst »

Thanks... I'll be working on this for the next few days and I'll post what I end up doing in hopes it helps someone down the road.

Quick question... I want to compile my nrpe to put files in the same places as I have on my rhel6 systems (used from epel) but I'm not seeing what my configure options are for placing those files. So how would I make it so my nrpe.conf file goes to /etc/nagios and check_nrpe goes to /usr/lib64/nagios/plugins/ ? I'm not seeing that in the README file.

Thanks!
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Another nrpe SSL handshake problem

Post by rkennedy »

"Quick question... I want to compile my nrpe to put files in the same places as I have on my rhel6 systems (used from epel) but I'm not seeing what my configure options are for placing those files. So how would I make it so my nrpe.conf file goes to /etc/nagios and check_nrpe goes to /usr/lib64/nagios/plugins/ ? I'm not seeing that in the README file."

I believe the nrpe.cfg is referenced in either xinetd or your startup script depending on how it was installed. For example, on my XI machine running it under xinetd, it's /etc/xinetd.d/nrpe, and you modify the following line -

Code:

        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd

From there, I don't think it matters where check_nrpe is placed as this will solely be used at a server side part (to check the client). The other variable you may be referring to for the bin of NRPE is this variable (same file) -

Code:

        server          = /usr/local/nagios/bin/nrpe

All of your plugin directives are handled through the part mentioned in /usr/local/nagios/etc/nrpe.cfg (as defined by server_args).
Former Nagios Employee
mijohnst
Posts: 10
Joined: Wed Apr 25, 2012 12:03 pm

Re: Another nrpe SSL handshake problem

Post by mijohnst »

Well, I did find someone that compiled some RPM files for 3.0.1 but in testing they didn't work out so well so I decided to just compile and install them via a script. RPM would have been cleaner but at last I'm working now. Thanks for the support all.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Another nrpe SSL handshake problem

Post by rkennedy »

No problem - are we good to mark this one resolved?
Former Nagios Employee