NCPA listener starts, but not listening

[hbouma]

From server with NCPA:
$ curl -v https://localhost:5693/ -k
* About to connect() to localhost port 5693 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 5693 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* TLSv1.0, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to localhost:5693
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to localhost:5693

[scottwilkerson]

When I change the ncpa.cfg from ssl_version = TLSv1_1 to ssl_version = TLSv1 and restarted the NCPA_Listener. I still receive the same error.

Can we set these back to the defaults

[hbouma]

Reset back to the default of TLSv1_2

$ cat /usr/local/ncpa/etc/ncpa.cfg | grep TLS
# operating systems it will default back to TLSv1)
# ssl_version options: TLSv1, TLSv1_1, TLSv1_2
ssl_version = TLSv1_2

$ curl -v https://localhost:5693/ -k
* About to connect() to localhost port 5693 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 5693 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* TLSv1.0, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to localhost:5693
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to localhost:5693

[kyang]

Did you restart the listener after making the changes?

Could you send us your ncpa.cfg file? You can either post or PM it.

Code: Select all

curl --tlsv1.2 -k  https://xxxxx:5693

Code: Select all

curl --tlsv1 -k  https://xxxx:5693

Can you try this?

[hbouma]

Yes, the ncpa_listener was restarted.

$ curl --tlsv1.2 -k https://xxxxxxxx:5693
curl: (35) Unsupported SSL protocol version

$ curl --tlsv1 -k https://xxxxxxx:5693
curl: (35) Unknown SSL protocol error in connection to xxxxxxx:5693

$ curl -V
curl 7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz


PM sent with ncpa.cfg

[scottwilkerson]

Can you run the following from the Nagios XI server replacing mytoken with the token in the ncpa config, and xxxxxxxx with the IP of the suse machine

Code: Select all

python /usr/local/nagios/libexec/check_ncpa.py -H xxxxxxxx -t mytoken -M 'cpu/percent'

[hbouma]

$ python /usr/local/nagios/libexec/check_ncpa.py -v -H XXXXXXX -t mytoken -M 'cpu/percent'
Connecting to: https://xxxxxxxx:5693/api/cpu/percent/? ... 79&check=1
An error occurred:<urlopen error [Errno 104] Connection reset by peer>

[scottwilkerson]

$ python /usr/local/nagios/libexec/check_ncpa.py -v -H XXXXXXX -t mytoken -M 'cpu/percent'
Connecting to: https://xxxxxxxx:5693/api/cpu/percent/? ... 79&check=1
An error occurred:<urlopen error [Errno 104] Connection reset by peer>

Are you sure you don't have a firewall on the suse machine blocking connections to port 5693?

[hbouma]

Not that I can find.

$ rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 unused

I did inherit these servers with some unusual configuration management settings. I have disabled the configuration management, so the agent install should have changed the settings as needed.

I am reaching back out to the team that did the original setup and will report back what we can find.

[scottwilkerson]

Not that I can find.

$ rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 unused

I did inherit these servers with some unusual configuration management settings. I have disabled the configuration management, so the agent install should have changed the settings as needed.

I am reaching back out to the team that did the original setup and will report back what we can find.

thanks!