NRDS_win Passive Checks Not Working

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
canderson
Posts: 5
Joined: Tue Jun 09, 2015 10:51 am

NRDS_win Passive Checks Not Working

Post by canderson »

For PCI we have to disable TLS 1.0 on several of our servers that we were monitoring with NRDS passive checks before the change; however, when we disable TLS 1.0 the passive checks stop working. Is there a way to make the passive checks with NRDS still work even after disabling TLS 1.0 and possibly TLS 1.1 as well?
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: NRDS_win Passive Checks Not Working

Post by dwhitfield »

Do you get an error similar to

ERROR: could not connect to NRDP server at https://xi-c6x-x64/nrdp/
curl exited with error 8960

If so, take a look at https://support.nagios.com/kb/article.php?id=538

If not, what error did you get?
canderson
Posts: 5
Joined: Tue Jun 09, 2015 10:51 am

Re: NRDS_win Passive Checks Not Working

Post by canderson »

I don't get an error. It just shows it going in a loop in the logs. It never gets a response from the NRDP server. Below is the loop I see.

3/17/2017 1:53:06 PM ---Starting NRDS Transaction--- :
3/17/2017 1:53:06 PM Diagnostic mode : False
3/17/2017 1:53:06 PM base NRDP address locked and loaded : https://10.x.x.x/nrdp//?token=qn7t0pm2m5hb&cmd=
3/17/2017 1:53:06 PM XML being passed to check for updates : https://10.x.x.x/nrdp//?token=qn7t0pm2m ... DATA=<?xml version='1.0' ?><configs><config><name>Tripwire</name><version>0.1</version></config></configs>
3/17/2017 1:53:06 PM running Post routine.. :
3/17/2017 1:53:06 PM ignoring certificate errors : 13056
3/17/2017 1:53:06 PM Post Data.... :
3/17/2017 1:53:06 PM address..... : https://10.x.x.x/nrdp//?token=qn7t0pm2m ... DATA=<?xml version='1.0' ?><configs><config><name>Tripwire</name><version>0.1</version></config></configs>
3/17/2017 1:53:49 PM ---Starting NRDS Transaction--- :
3/17/2017 1:53:49 PM base NRDP address locked and loaded : https://10.x.x.x/nrdp//?token=qn7t0pm2m5hb&cmd=
3/17/2017 1:53:49 PM XML being passed to check for updates : https://10.x.x.x/nrdp//?token=qn7t0pm2m ... DATA=<?xml version='1.0' ?><configs><config><name>Tripwire</name><version>0.1</version></config></configs>
3/17/2017 1:53:49 PM running Post routine.. :
3/17/2017 1:53:49 PM ignoring certificate errors : 13056
3/17/2017 1:53:49 PM Post Data.... :
3/17/2017 1:53:49 PM address..... : https://10.x.x.x/nrdp//?token=qn7t0pm2m ... DATA=<?xml version='1.0' ?><configs><config><name>Tripwire</name><version>0.1</version></config></configs>
3/17/2017 1:53:56 PM ---Starting NRDS Transaction--- :
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: NRDS_win Passive Checks Not Working

Post by rkennedy »

What types of SSL are you running on 10.x.x.x? curl -v https://10.x.x.x will show us everything. I suspect it's a negotiation issue going on.
Former Nagios Employee
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: NRDS_win Passive Checks Not Working

Post by tmcdonald »

Thanks for the assist, @rkennedy!
Former Nagios employee
canderson
Posts: 5
Joined: Tue Jun 09, 2015 10:51 am

Re: NRDS_win Passive Checks Not Working

Post by canderson »

If I am looking in the correct spot, we are running it with TLSv1.2.
canderson
Posts: 5
Joined: Tue Jun 09, 2015 10:51 am

Re: NRDS_win Passive Checks Not Working

Post by canderson »

[root@nagiosxi ~]# curl -v https://10.x.x.x
* About to connect() to 10.x.x.x port 443 (#0)
* Trying 10.x.x.x... connected
* Connected to 10.x.x.x (10.x.x.x) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
canderson
Posts: 5
Joined: Tue Jun 09, 2015 10:51 am

Re: NRDS_win Passive Checks Not Working

Post by canderson »

I posted what it looks like with TLSv1.0 disabled above. Now I will attach a screenshot showing that I do get an NRDP response when TLSv1.0 is turned back on.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: NRDS_win Passive Checks Not Working

Post by mcapra »

Yeah, it's a TLS negotiation problem. It doesn't look like the XI machine has the CA with which this certificate was signed:

* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates

You'll need to add the CA to this server, or if it's self-signed add the cert to the trust list.
Former Nagios employee
https://www.mcapra.com/
hamija2017
Posts: 10
Joined: Thu Mar 23, 2017 8:15 am

Re: NRDS_win Passive Checks Not Working

Post by hamija2017 »

Our cert for the NagiosXI is using *.extraspace.com; however, the NRDS uses the IP address. Adding the CA to the server was done; however, it did not resolve the passive check. Is there a way to use a locally generated cert instead to resolve the issue? The NRDS Config Manager already has ignore ssl certificate error set to true.
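
Added example, not part of any post in this thread and not Nagios code: the thread touches two separate failures, a TLS version that will not negotiate and a certificate the client will not trust (unknown CA, or a certificate for *.extraspace.com reached by IP address). This Python function pins one handshake to a single TLS version and reports which stage fails; it goes slightly beyond the thread by also naming self-signed and hostname cases. `probe` and `VERIFY_CODES` are names made up for this example, and the host is whatever NRDP address is being tested.

```python
import socket
import ssl

# OpenSSL X509 verify codes, as exposed by ssl.SSLCertVerificationError.verify_code.
VERIFY_CODES = {
    18: "self_signed_cert",
    19: "self_signed_in_chain",
    20: "issuer_not_trusted",   # the unknown-CA case curl showed as error 60 in this thread
    21: "issuer_not_trusted",
    62: "hostname_mismatch",    # DNS name in the URL is not covered by the certificate
    64: "ip_mismatch",          # URL uses an IP address the certificate does not list
}

def probe(host, port=443, version=ssl.TLSVersion.TLSv1_2, cafile=None,
          verify=True, timeout=5.0):
    """Attempt one handshake pinned to `version`; return (stage, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Pin both bounds so the result is about this version only, with no fallback.
    ctx.minimum_version = ctx.maximum_version = version
    if not verify:
        # Protocol-only test: leave the certificate out of the picture.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", type(exc).__name__)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the certificate, so the protocol version was accepted.
        return ("cert_rejected",
                VERIFY_CODES.get(exc.verify_code, exc.verify_message))
    except (ssl.SSLError, OSError) as exc:
        # No common version or cipher, reset, timeout, or a non-TLS listener.
        return ("handshake_failed",
                getattr(exc, "reason", None) or type(exc).__name__)
    finally:
        raw.close()
```

Calling it with `verify=False` isolates protocol negotiation; calling it again with `verify=True` and the CA bundle in `cafile` shows whether trust or the name in the URL is the remaining problem.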