Nagios XI + nsclient++

[bennyboy]

Hi,

I try to use nsclient++ 0.5 with ssl whitout insecure=true.

Nagios XI side :

I compile nrpe 3.1.0 and I generate a csr to sign that certificate with our CA. I also copy the ca.crt to Nagios XI. I use that command to connect to nsclient++ on a Windows box.

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H ourserver -2 -S TLSv1.2+ -L 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' -d0 -C /etc/ssl/certs/checknrpe.cer -K /etc/ssl/certs/checknrpe.key -A /etc/ssl/certs/casaq.pem -g /var/log/messages -s -1

I got that error message :

Code: Select all

[1495208869] SSL Certificate File: /etc/ssl/certs/checknrpe.cer
[1495208869] SSL Private Key File: /etc/ssl/certs/checknrpe.key
[1495208869] SSL CA Certificate File: /etc/ssl/certs/casaq.pem
[1495208869] SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
[1495208869] SSL Allow ADH: No
[1495208869] SSL Log Options: 0xffffffff
[1495208869] SSL Version: TLSv1_2_plus And Above
[1495208869] New SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!ADH
[1495208869] Connected to 172.26.13.45
[1495208869] Error: Could not complete SSL handshake with 172.26.13.45: rc=0 SSL-error=5

NSCLIENT++ SIDE

I install NSCP-0.5.0.65-Win32.msi on a Windows 2003 R2 32bit server. I use those parameter.

Code: Select all

[/settings/default]
; Undocumented key
password = ourpassword
; Undocumented key
allowed hosts = 127.0.0.1, 172.26.14.62, 172.26.14.63, 172.26.14.34, 172.26.14.250, 172.21.1.12
[/settings/NRPE/server]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
dh =
verify mode = peer-cert
ssl options = no-sslv2,no-sslv3
; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = 1
; Undocumented key
insecure = false
; PAYLOAD LENGTH - Length of payload to/from the NRPE agent. This is a hard specific value so you have to "configure" (read recompile) your NRPE agent to use the same value for it to work.
payload length = 8192
; Allow Arguements
allow arguments = true
; Allow nasty chars
allow nasty characters = true
; CA - 
ca = ${certificate-path}/casaq.pem
; SSL CERTIFICATE - 
certificate key = ${certificate-path}/nsclient_nopass_key.pem
; SSL CERTIFICATE - 
certificate = ${certificate-path}/nsclient_cert.pem

[/settings/log/file]
; Set log file size to 10Mb
max size = 10485760

; TODO
[/modules]
; Undocumented key
CheckExternalScripts = 1
; Undocumented key
CheckHelpers = 1
; Undocumented key
CheckNSCP = 1
; Undocumented key
CheckEventLog = 1
; Undocumented key
CheckDisk = 1
; Undocumented key
CheckSystem = 1
; Undocumented key
WEBSErver = 1
; Undocumented key
NRPEServer = 1

the content of nsclient.log

Code: Select all

2017-05-19 12:02:34: error:c:\source\nscp\include\socket/connection.hpp:257: Failed to establish secure connection: peer did not return a certificate: 199
2017-05-19 12:03:18: error:c:\source\nscp\include\socket/connection.hpp:257: Failed to establish secure connection: peer did not return a certificate: 199

Someone can help me to understand and fix the problem please.

[ssax]

Are your certificates the proper format?

Here's mine as an example (do not post your private keys at all if you post yours):

[root@ssc66xid components]# cat /root/cacert.pem
- Note: The top certificate is my offline root CA, and the second one is my issuing CA (the one who is issuing the certs), your setup may be different.

Code: Select all

-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIJANlrs+BX28kiMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
BAYTAlVTMRIwEAYDVQQIDAlNaW5uZXNvdGExETAPBgNVBAcMCFN0LiBQYXVsMQ8w
DQYDVQQKDAZOYWdpb3MxEDAOBgNVBAsMB1N1cHBvcnQxDzANBgNVBAMMBnJvb3Rj
YTAeFw0xNzAxMTYxODQ5MTVaFw0yNzAxMTQxODQ5MTVaMGgxCzAJBgNVBAYTAlVT
MRIwEAYDVQQIDAlNaW5uZXNvdGExETAPBgNVBAcMCFN0LiBQYXVsMQ8wDQYDVQQK
DAZOYWdpb3MxEDAOBgNVBAsMB1N1cHBvcnQxDzANBgNVBAMMBnJvb3RjYTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKvAzBOwLVO3o71LA7EhHUBEYPLi
n9ndLI2Q3rOVnWJjjtbL2grFTz445N98Zaueso2c+tgexCFFhcPqhFJ5lVk5WB0F
NUJyQ7kDC31fBhW9dP7C7Mh7Kkw+EWB7iRWp6AlFFJ92SqqdeXPRBlFkNUfeyDVI
tVyymZhAvwA/inrj/Nr2jMYbUzYpbxd+fn7EcaEABhbohN4wfwy7WpqfBwDFOq2V
atlyk6S1uWyEA/xVG0lipFIAZAF9Hrjkv7PvQZMHD/AV3gdTrJ8Icl9xDEdqVw/m
cOnsalIwMoq6M8H0Ry/rx4q/WFIFWPlThSMRw6iCLB5Bz8kw8AemFsvjjy0CAwEA
AaNQME4wHQYDVR0OBBYEFLiOi7NLGgy3JH+q37DNp4UGZbWuMB8GA1UdIwQYMBaA
FLiOi7NLGgy3JH+q37DNp4UGZbWuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBAGcMfBA0FHjUfrJla3PTPWoK1AmehCd+OH2WEcDQ7Hq1xI/AJMwQsgNb
pVpZS/UBYyaMNNn7D2qVOUjf00lvH08467YMt1u/M41peb6YkanIN6N9M0WgMx38
BVfJ7195vzpaZUamb3/A4Xd48CKql4mslduSbUMU1z/XxlTJJ8tHJm4dDSkRH3PN
IfnF8KcVX2QP7QRAsVLKPEY+CoH/KoxestvnhFyVBC6c0f8zyRW+rc0m8fOlPLoD
+ZUrn5IYm5HFKfn2iv4/Qt4dD3gr4nyeJTL9yvb1Ink8pGCxUDktS2ACi/blCDaW
g2fdVoDOpLNm3JMne3U/GGLYrUIYCyE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgICAQAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx
EjAQBgNVBAgMCU1pbm5lc290YTERMA8GA1UEBwwIU3QuIFBhdWwxDzANBgNVBAoM
Bk5hZ2lvczEQMA4GA1UECwwHU3VwcG9ydDEPMA0GA1UEAwwGcm9vdGNhMB4XDTE3
MDExNjE4NTAxOFoXDTE4MDExNjE4NTAxOFowUTELMAkGA1UEBhMCVVMxEjAQBgNV
BAgMCU1pbm5lc290YTEPMA0GA1UECgwGTmFnaW9zMRAwDgYDVQQLDAdTdXBwb3J0
MQswCQYDVQQDDAJjYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMaL
tdYNnDF2s9pPLyWgTaGDwKqRZyVc4PWQ3AH9yjVRa2hiZnEUs4bxQyEsadlXoQyZ
fu8ToHjEmtcSBMnJByP5+oAWBuhN8FWgtLEUxm1PPtcU0eNAtUPkgYb4V8AbzQDF
IfopWSrovziGWwb/9hv6hXddeyhMY3M75YeUZxwHlMb7k9porLpmTCr3FBuKsv5r
iUgOYarf3d0J7bkWea7Inv64t4i1S0N51xC71JxMI/uuv/4I1HRrpvD7T4C0+qKg
kUGeVJbiz0ltWDi3UTQ+dBjofmR2Z+EoNBz5o5Z5cHXhPsyq8Ivuyejpk58/Aj8g
gAeMPK5LI+sVDUKo3cMCAwEAAaNQME4wHQYDVR0OBBYEFK6hlpJgJ3qxM5JFGDx1
7QL6jVOcMB8GA1UdIwQYMBaAFLiOi7NLGgy3JH+q37DNp4UGZbWuMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADKCPRXFOeWEiLUXZ55//6Imdn8Y6HZT
b4tpMGnTitV4YJKSnxsNOjjphwak8UK1qBXfPR2O+s78npVzHH9R8uev4YMuwmbV
s92wgGfUoM9B2IRctx0L6ZilP30IEHCK4bV+avsNF9GkBrw6TeO0t2CTNFtkH+8W
K42vRoYAncpQ6YvjyrrG3Gnc65WpqAUtxst/RTWenpvFa+bmycnkrareQ9b4xnft
msoje7uUMjBCGfpNtHSEqyZUHiWissdf60DeJjzH8mphiHH3A8XAKGKMQJsHkG66
rqAq36rljaUiq2whH03yWaqnL6hNlIIUIto2GyiWxLWpbmUpZYzUALU=
-----END CERTIFICATE-----

[root@ssc66xid components]# cat /etc/pki/tls/private/localhost_nopass.key

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqUIkhzDxXQ0PotGpRYFmyNWltY1xj20IBNetOHBwkUWSsKTE
98Fp/BFua4COTXrEP/oDEW457CI89etssrU4iXDNyw08rQNIP8QNlljKIkJHmsIg
un9FoU8sufnIFAIGolEWEmYOl7QAuBi/INJlWrBqK1Ce+brOc7eCWTu7FDVqoyFd
l36JZml/7TZJADyP/OSy4+sPUTgJg1fZ5yVchwKENDSbAd3t5rbNL36Kp8AJbnoe
r+4r1I7HVUx1/AJy5kbnyTxj3pSyLEKGqdeQDfO/dqwgK4bEIJ1HaPMl3wl0KPK5
UPDD82hC/mhLUF9osx67rq0zSClR9Cmt6D6iaQIDAQABAoIBACU/2DgkbknzMOi9
SYpxYwR5+GEPQtm0vhoKuSV9oVhnPlQ/vtVjrIZ785gXD7o/dWc7B2fToU21b0MT
z7U4qrucpr20KRFOcp0N8YuP+NQ3T/jgFkHU9qb8fLRlI0I7++fG/puH+Fgslift
0kpP41xlDMiBkqsVEJBo53fp7E8S4sfGTPy1S7XXAjY1/si3WnYoeGbPja15Ds2f
a7g22R8aTt1XuwMUTtxFImYXVvPs/nIIclYBzJRbZC8/DuRBX87cr7TMTE+u89eG
4XbP5xHGhXv5b17ilbS3v2haen23Vr8MYhfJDrtJ4oumraHefTY/FKcSjOHlB/wC
EOmiR40CgYEA0hImUvXKio/XfbZkFkF/0lr4opSM/wDn6mbY6ldPecQ4VIkQS5Oa
ArTzc+7d9UNWPNgbYzJ/9vqKamGZGLlwOuXvWZAjcmM3r+AGqxOOXL6QLUAKEbh1
OwY1McSVD2bZJ7lvShJRKhQs+tip9ptEodxSSS0xLWolYiUv85H8vq8CgYEAzkOu
MNQJFCuqhQqRaj8LokD52FdR6hlG1WveB/lK4lFqpEDCSqjVLl2fPAPgKUaYXfjz
yRiBPb3HOXWj0DevoODmJPXYQy7OK4VtahExuFR9hCWl9IeWbssKdD6lx8zx+N1K
lKPBy4dcZ7td/+0sQiq/lSdKpRJcJ09tXec7NmcCgYBQNh3sD242+mWN2tbeL6Re
7d2CNrafp/jlx9+Lm0r9c68OmEdglDt6TR2oZszZmZyUHvBWMDIsW/3+IMYUarov
wxxhVmgyhS/+N8xAGBOVhi4HGSy/F2+r2fL1zdocx2ijgmq8HcJgDtQd9BzxzNen
9jM9GhRtAtrDXu+wUU3wgQKBgEKoFpPLAgAVuG50Itgd9amCq/shBOTNNFnmGQOk
qXGH9BmOn/s2omXwdXQUoI1WNgkwWcAj/igwu0AzZzPzuvsXkuhg1nmnl5Ly9I/x
bIrwKvvYms/yPUgir4cvc62k6pGNGfv9C7S1UsRnBZKeV84uOGmAIBxGWaeOgH53
KmiDAoGBAJeWS0ifBOeA2T0HToJrohFA+e38j3whgOnHEpgc4BRGgwF7GdLhzR6g
hZj4a6+jPrZS1I5Ro101iIqap1PwXWCo3QDZ7enzf9oEDnvfLxPgO2cAYj5EQUh3
7RyAJv7OSLPI0M0kKed8WCAmkWFlWA0FtPxEKZTTeicBDGJ3zkbS
-----END RSA PRIVATE KEY-----

[root@ssc66xid components]# cat /etc/pki/tls/certs/localhost.crt

Code: Select all

-----BEGIN CERTIFICATE-----
MIIDnDCCAoSgAwIBAgICAQUwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMx
EjAQBgNVBAgMCU1pbm5lc290YTEPMA0GA1UECgwGTmFnaW9zMRAwDgYDVQQLDAdT
dXBwb3J0MQswCQYDVQQDDAJjYTAeFw0xNzA1MTcyMDA5MjhaFw0xODA1MTcyMDA5
MjhaMFQxCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlNaW5uZXNvdGExDzANBgNVBAoM
Bk5hZ2lvczEQMA4GA1UECwwHU3VwcG9ydDEOMAwGA1UEAwwFeGlkZXYwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpQiSHMPFdDQ+i0alFgWas1aW1jXGP
bQgE1604cHCRssswpMT3wWn8EW5rgI5NesQ/+gMRbjnsIjz162yytTiJcM3LDTyt
A0g/xA2WWgiQkeawiC6f0WhTyy5+cgUAgaiURYSZg6XtAC4GL8g0mVasGorUJ75
us5zt4JZO7sUNasjIV2XfolmaX/tNkasPI/85LLj6w9ROAmDV9nnJVyHAoQ0NJsB
3e3mts0vfoqnwAlueh6v7ivUjsdVTHX8AnLmRufJPGPelLIsQoap15AN8792rCAr
hsQgnUdo8yXfCXQo8rlQ8MPzaEL+aEtQX2izHruurTNIKVH0Ka3oPqJpAgMBAAGj
ezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
IENlcnRpZmljYXRlMB0GA1UdDgQWBBSewc4u6YUYTI+IBWOStlz42m5c7zAfBgNV
HSMEGDAWgBSuoZaSasd6sTOSRRg8de0C+o1TnDANBgkqhkiG9w0BAQsFAAOCAQEA
WwaUpB+VIXOb5g90xQe3taVNKM4vtpaQUqQNAWoSG31tT8gYrmWfUOLHl2GMpTWN
iDSTunXto4oZZIykojdM8DhxTQaZoWWkeXt48f8Yy3tw0g/LU/68i2gnyzgoZ42g
aqMWs68uu+sjZ1bi+wBIG2iYZoHlcNEgPOEshBZSgw6uTKsiwmzKBE7p3gQLFaFI
vwHpwurBX/MQXbTsseiP/10BTx7d/fCsXTuV+gOhQeT1yYRjfDm9dHsEuoBkZkgR
vVymDJ9KGIKZdDoSjXiE//6/J6bMuUU0/FjG5QyS4WqJiJ/JzaQmwNjORzA76CQH
GtU5tABCQNbVcoy8x+DAkQ==
-----END CERTIFICATE-----

[bennyboy]

I validate my check_nrpe certificate and those one are ok. I validate the nsclient++ certificate generate from a Windows CA server.

nsclient_cert.pem

Code: Select all

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: fqdn
subject=/C=CA/ST=QC/L=MTL/O=BLAH/OU=IT/CN=Nagios XI/[email protected]
issuer=/DC=BLAH/DC=BLAH/DC=BLAH/CN=BLAH
-----BEGIN CERTIFICATE-----
MIIGBDCCBOygAwIBAgITEQAAOor+3ab6Lb4Q6gADAAA6ijANBgkqhkiG9w0BAQsF
ADBNMRIwEAYKCZImiZPyLGQBGRYCY2ExEjAQBgoJkiaJk/IsZAEZFgJxYzETMBEG

I will regenerate those one from a Unix system and try it.

[bennyboy]

I regenerate all the file of nsclient from a unix system and I sign the cert on the same CA. I also convert the certificate to PEM because of nsclient default certificate format.
https://docs.nsclient.org/reference/cli ... e%20format

I got the same error.
/var/log/messages on Nagios XI

Code: Select all

[1495221489] SSL Certificate File: /etc/ssl/certs/checknrpe.cer
[1495221489] SSL Private Key File: /etc/ssl/certs/checknrpe.key
[1495221489] SSL CA Certificate File: /etc/ssl/certs/casaq.pem
[1495221489] SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
[1495221489] SSL Allow ADH: No
[1495221489] SSL Log Options: 0xffffffff
[1495221489] SSL Version: TLSv1_2_plus And Above
[1495221489] New SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!ADH
[1495221489] Connected to 172.26.13.45
[1495221489] Error: Could not complete SSL handshake with 172.26.13.45: rc=0 SSL-error=5

nsclient.log

Code: Select all

2017-05-19 15:18:09: error:c:\source\nscp\include\socket/connection.hpp:257: Failed to establish secure connection: no certificate returned: 178
2017-05-19 15:21:38: error:c:\source\nscp\include\socket/connection.hpp:257: Failed to establish secure connection: peer did not return a certificate: 199

[ssax]

Moderator's note: This was moved from a ticket (#19484) to the forums per customer request as to help others, please see the case notes for more information.

Try changing -S TLSv1.2+ to -S TLSv1+, if it still doesn't work, try removing it completely.

What does the remote nsclient.log show?

You can enable tracing in nsclient++:

Code: Select all

; LOG SECTION - Configure log properties.
[/settings/log]

; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log

; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S

; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = trace

Then restart the nsclient++ service, re-run the commands multiple times and then send the full output from the nsclient.log and /var/log/messages on the XI server.


Thank you

[bennyboy]

/var/log/messages

Code: Select all

[1495222616] SSL Certificate File: /etc/ssl/certs/checknrpe.cer
[1495222616] SSL Private Key File: /etc/ssl/certs/checknrpe.key
[1495222616] SSL CA Certificate File: /etc/ssl/certs/casaq.pem
[1495222616] SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
[1495222616] SSL Allow ADH: No
[1495222616] SSL Log Options: 0xffffffff
[1495222616] SSL Version: TLSv1_plus And Above
[1495222616] New SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!ADH
[1495222616] Connected to 172.26.13.45
[1495222616] Error: Could not complete SSL handshake with 172.26.13.45: rc=0 SSL-error=5

NSCLIENT.LOG

Code: Select all

2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:328: On crash: restart: nscp
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:340: Archiving crash dumps in: C:\Program Files\NSClient++/crash-dumps
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:405: booting::loading plugins
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckDisk
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckEventLog
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckExternalScripts
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckHelpers
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckNSCP
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: CheckSystem
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: NRPEServer
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:173: Found: WEBSErver
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckDisk.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckDisk.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckEventLog.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckEventLog.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckExternalScripts.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckExternalScripts.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckHelpers.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckHelpers.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckNSCP.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckNSCP.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\CheckSystem.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\CheckSystem.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\NRPEServer.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\NRPEServer.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:786: C:\Program Files\NSClient++/modules\WEBSErver.dll.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:788: adding C:\Program Files\NSClient++/modules\WEBSErver.dll
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckDisk
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckEventLog
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckExternalScripts
2017-05-19 15:35:13: debug:c:\source\nscp\modules\CheckExternalScripts\CheckExternalScripts.cpp:130: No aliases found (adding default)
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckHelpers
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckNSCP
2017-05-19 15:35:13: debug:c:\source\nscp\modules\CheckNSCP\CheckNSCP.cpp:55: Crash folder is: C:\Program Files\NSClient++/crash-dumps
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: CheckSystem
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: NRPEServer
2017-05-19 15:35:13: debug:c:\source\nscp\modules\NRPEServer\NRPEServer.cpp:122: Non-standard buffer length (hope you have recompiled check_nrpe changing #define MAX_PACKETBUFFER_LENGTH = 8192
2017-05-19 15:35:13: debug:c:\source\nscp\modules\NRPEServer\NRPEServer.cpp:128: Allowed hosts definition: 127.0.0.1(255.255.255.255), 172.26.14.62(255.255.255.255), 172.26.14.63(255.255.255.255), 172.26.14.34(255.255.255.255), 172.26.14.250(255.255.255.255), 172.21.1.12(255.255.255.255)
2017-05-19 15:35:13: debug:c:\source\nscp\modules\NRPEServer\NRPEServer.cpp:129: Server config: address: :5666, ssl enabled: peer-cert, cert: C:\Program Files\NSClient++/security/nsclient.pem (PEM), C:\Program Files\NSClient++/security/nsclient.key.pem, dh: , ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH, ca: C:\Program Files\NSClient++/security/casaq.pem, options: no-sslv2,no-sslv3
2017-05-19 15:35:13: debug:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:166: Loading counter: disk_queue_length_0 C: D: = \\CTELDSA023\PhysicalDisk(0 C: D:)\% Disk Time
2017-05-19 15:35:13: debug:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:166: Loading counter: disk_queue_length__Total = \\CTELDSA023\PhysicalDisk(_Total)\% Disk Time
2017-05-19 15:35:13: error:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:247: Failed to get network metrics: Failed to fetch network metrics, disabling...
2017-05-19 15:35:13: debug:c:\source\nscp\include\socket/server.hpp:88: Binding to: 0.0.0.0:5666(ipv4), reopen: true, reuse: true
2017-05-19 15:35:13: debug:c:\source\nscp\include\socket/server.hpp:195: Attempting to bind to: 0.0.0.0:5666(ipv4)
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: WEBServer
2017-05-19 15:35:13: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:741: Allowed hosts definition: 127.0.0.1(255.255.255.255), 172.26.14.62(255.255.255.255), 172.26.14.63(255.255.255.255), 172.26.14.34(255.255.255.255), 172.26.14.250(255.255.255.255), 172.21.1.12(255.255.255.255)
2017-05-19 15:35:13: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:754: Using certificate: C:\Program Files\NSClient++/security/certificate.pem
2017-05-19 15:35:13: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:771: Loading webserver on port: 8443s
2017-05-19 15:35:13: trace:c:\source\nscp\include\scheduler\simple_scheduler.cpp:58: starting all threads
2017-05-19 15:35:13: trace:c:\source\nscp\include\scheduler\simple_scheduler.cpp:61: Thread pool contains: 11
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:503: NSClient++ - 0.5.0.65 2016-11-13 Started!
2017-05-19 15:35:13: debug:c:\source\nscp\service\NSClient++.cpp:1394: Starting: DONE
2017-05-19 15:36:56: debug:c:\source\nscp\include\nrpe/server/protocol.hpp:72: Accepting connection from: 172.26.14.62, count=1
2017-05-19 15:36:56: error:c:\source\nscp\include\socket/connection.hpp:257: Failed to establish secure connection: no certificate returned: 178

[bennyboy]

That ok ?

Code: Select all

[root@slpmon0034]# /usr/local/nagios/libexec/check_nrpe -V

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 3.1.0-rc1
Last Modified: 2017-04-06
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: OpenSSL 0.9.6 or higher required

[bennyboy]

I comment ;verify mode = peer-cert and it's working but I see that in /var/log/messages

Code: Select all

[1495228341] SSL Certificate File: /etc/ssl/certs/checknrpe.cer
[1495228341] SSL Private Key File: /etc/ssl/certs/checknrpe.key
[1495228341] SSL CA Certificate File: /etc/ssl/certs/casaq.pem
[1495228341] SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
[1495228341] SSL Allow ADH: No
[1495228341] SSL Log Options: 0xffffffff
[1495228341] SSL Version: TLSv1_2_plus And Above
[1495228341] New SSL Cipher List: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH:!ADH
[1495228341] Connected to 172.26.13.45
[1495228341] Remote 172.26.13.45 - SSL Version: TLSv1.2
[1495228341] Remote 172.26.13.45 - TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
[1495228341] SSL 172.26.13.45 has an invalid certificate
[1495228341] SSL 172.26.13.45 Cert Name: /C=BLAH/ST=BLAH/L=MTL/O=BLAH/OU=IT/CN=blah.domain.com/[email protected]
[1495228341] SSL 172.26.13.45 Cert Issuer: /DC=blah/DC=blah/DC=blah/CN=CA

nsclient.log

Code: Select all

2017-05-19 17:12:16: debug:c:\source\nscp\modules\NRPEServer\NRPEServer.cpp:129: Server config: address: :5666, ssl enabled: none, cert: C:\Program Files\NSClient++/security/nsclient.pem (PEM), C:\Program Files\NSClient++/security/nsclient.key.pem, dh: , ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH, ca: C:\Program Files\NSClient++/security/casaq.pem, options: no-sslv2,no-sslv3
2017-05-19 17:12:16: debug:c:\source\nscp\include\socket/server.hpp:88: Binding to: 0.0.0.0:5666(ipv4), reopen: true, reuse: true
2017-05-19 17:12:16: debug:c:\source\nscp\include\socket/server.hpp:195: Attempting to bind to: 0.0.0.0:5666(ipv4)
2017-05-19 17:12:16: debug:c:\source\nscp\service\NSClient++.cpp:747: Loading plugin: WEBServer
2017-05-19 17:12:16: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:741: Allowed hosts definition: 127.0.0.1(255.255.255.255), 172.26.14.62(255.255.255.255), 172.26.14.63(255.255.255.255), 172.26.14.34(255.255.255.255), 172.26.14.250(255.255.255.255), 172.21.1.12(255.255.255.255)
2017-05-19 17:12:16: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:754: Using certificate: C:\Program Files\NSClient++/security/certificate.pem
2017-05-19 17:12:16: debug:c:\source\nscp\modules\WEBServer\WEBServer.cpp:771: Loading webserver on port: 8443s
2017-05-19 17:12:16: trace:c:\source\nscp\include\scheduler\simple_scheduler.cpp:58: starting all threads
2017-05-19 17:12:16: debug:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:166: Loading counter: disk_queue_length_0 C: D: = \\CTELDSA023\PhysicalDisk(0 C: D:)\% Disk Time
2017-05-19 17:12:16: debug:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:166: Loading counter: disk_queue_length__Total = \\CTELDSA023\PhysicalDisk(_Total)\% Disk Time
2017-05-19 17:12:16: error:c:\source\nscp\modules\CheckSystem\pdh_thread.cpp:247: Failed to get network metrics: Failed to fetch network metrics, disabling...
2017-05-19 17:12:16: trace:c:\source\nscp\include\scheduler\simple_scheduler.cpp:61: Thread pool contains: 11
2017-05-19 17:12:16: debug:c:\source\nscp\service\NSClient++.cpp:503: NSClient++ - 0.5.0.65 2016-11-13 Started!
2017-05-19 17:12:16: debug:c:\source\nscp\service\NSClient++.cpp:1394: Starting: DONE
2017-05-19 17:12:21: debug:c:\source\nscp\include\nrpe/server/protocol.hpp:72: Accepting connection from: 172.26.14.62, count=1

[WillemDH]

I've been trying to get this to work a few times now. Very interesting thread. Thanks for making public. Bookmarked..

[lmiltchev]

bennyboy, is it OK if we close this thread?