Disabling SSL in REALLY old Nagios self compiled setup

ddolecki108
Posts: 14
Joined: Wed Apr 19, 2017 3:21 pm

Re: Disabling SSL in REALLY old Nagios self compiled setup

Post by ddolecki108 »

This definitely has something to do with SSL and more particularly not using SSL.
So, there are two types of Nagios client machines: one type has weaker ciphers enabled and another, newer type has only stronger ciphers.

The "-n" is failing on both.

With a client with weak ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H weakcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H weakcipherservername
NRPE v2.15

With a client with strong ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H strongcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H strongcipherservername
CHECK_NRPE: Error - Could not complete SSL handshake.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Post by tgriep »

If you want to compile the NRPE Agent without SSL, you would use the following example.

./configure --enable-command-args --disable-ssl

You may also want to look at this KB article for making the older and newer versions of NRPE work together.
https://support.nagios.com/kb/article.php?id=516
Be sure to check out our Knowledgebase for helpful articles and solutions!

Post by ddolecki108 »

Thanks for the input. Compiling nrpe to not use ssl is not an option.

I followed the knowledgebase article for making different nrpe's work together and got this:

~]# /usr/local/nagios/libexec/check_nrpe -2 -H strongcipherservername
/usr/local/nagios/libexec/check_nrpe: invalid option -- 2

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Post by tgriep »

I want to verify that you are using the old version of the check_nrpe (Version 2.15) and you want to connect to the new 3.x.x NRPE Agent, is that correct?
Can you post your nrpe.cfg file from one of the systems using the new NRPE Agent?
Also, can you check the /var/log/messages file for any errors when you run the check_nrpe test and post them as well?

What OS and release is the system running you are trying to install the Agent on?

Post by ddolecki108 »

I think that the Nagios server check_nrpe version is 2.12.
The nrpe.cfg file is at: https://pastebin.com/8dmUnfBL
Nothing in /var/log/messages on the Nagios server.

Nagios server:
[lnxvm02:~]# uname -a
Linux 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 i386 GNU/Linux


Nagios client:
Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

Post by ddolecki108 »

I guess compiling NRPE w/o SSL is an option on the new strong cipher servers, and the Nagios server is able to connect using the -n switch.

How do I modify the Nagios configuration file to pass the "-n" switch to ONLY those new strong cipher servers?

Current checks look like this:

###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
    name generic-servername
    use generic-service
    host_name servername
    contact_groups UNIX_admins
    register 0
}

# Disk checking definitions

define service{
    use generic-servername
    service_description root
    check_command check_nrpe!check_root
}

define service{
    use generic-servername
    service_description boot
    check_command check_nrpe!check_boot
}

define service{
    use generic-servername
    service_description tmp
    check_command check_nrpe!check_tmp
}
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Post by ssax »

Please post your command definition for check_nrpe so that we can help you adjust them.

Thank you

Post by ddolecki108 »

Some Nagios clients are fine with SSL enabled while it is disabled on others.

Post by ddolecki108 »

commands.cfg attached

Post by ssax »

Try this:

###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################

#### Server template ####

define service{
    name generic-servername
    use generic-service
    host_name servername
    contact_groups UNIX_admins
    register 0
}

# Disk checking definitions

define service{
    use generic-servername
    service_description root
    check_command check_nrpe!check_root -n
}

define service{
    use generic-servername
    service_description boot
    check_command check_nrpe!check_boot -n
}

define service{
    use generic-servername
    service_description tmp
    check_command check_nrpe!check_tmp -n
}
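
Added example, not part of the original thread and not Nagios project code: once "-n" is appended per service as suggested above, it is useful to be able to list exactly which NRPE checks now run without SSL. The script below parses service definitions like the ones posted here, resolves `use` template inheritance, and reports every check whose arguments carry a standalone `-n`. The function names and the sample configuration are constructed for illustration, and it assumes the flag is passed through the check_command arguments rather than hard-coded in a separate command definition.

```python
import re

# Constructed sample, modelled on the service definitions posted in the thread.
SAMPLE_CFG = """
define service{
    name generic-servername
    host_name servername
    register 0
    }
define service{
    use generic-servername
    service_description root
    check_command check_nrpe!check_root -n   ; SSL disabled for this check
    }
define service{
    use generic-servername
    service_description boot
    check_command check_nrpe!check_boot
    }
"""

def parse_services(text):
    """Return one dict of directives per 'define service{...}' block."""
    services = []
    for body in re.findall(r"define\s+service\s*\{(.*?)\}", text, re.S):
        rows = (ln.split(";", 1)[0].split(None, 1) for ln in body.splitlines())
        services.append({r[0]: r[1].strip() for r in rows
                         if len(r) == 2 and not r[0].startswith("#")})
    return services

def resolve(obj, templates, seen=()):
    """Merge directives inherited through 'use'; the object's own values win."""
    merged = {}
    for parent in reversed([p.strip() for p in obj.get("use", "").split(",")]):
        if parent in templates and parent not in seen:
            merged.update(resolve(templates[parent], templates, seen + (parent,)))
    # 'name' and 'register' are never inherited from a template.
    merged = {k: v for k, v in merged.items() if k not in ("name", "register")}
    return {**merged, **obj}

def plaintext_nrpe_checks(text):
    """List (host_name, service_description) for NRPE checks that pass -n."""
    services = parse_services(text)
    templates = {s["name"]: s for s in services if "name" in s}
    findings = []
    for svc in (resolve(s, templates) for s in services):
        command, *args = svc.get("check_command", "").split("!")
        if svc.get("register") != "0" and command.startswith("check_nrpe"):
            if "-n" in " ".join(args).split():
                findings.append((svc.get("host_name"), svc.get("service_description")))
    return findings
```

Calling `plaintext_nrpe_checks()` on the contents of a services file gives the host and service pairs to revisit when the affected agents can be moved back to SSL.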