NRPE v3.2.1 weird ssl error ....

vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

NRPE v3.2.1 weird ssl error ....

Post by vishfx »

Hi Nagios Team,

I have installed nrpe 3.2.1 on RHEL 7.3
Added Nagios server IPs to /etc/hosts.allow & /etc/xinetd.d/nrpe
But when nrpe client tried to communicate, throws a weird error.

PFA screen shot of the error.


Kindly assist.

Regards,
Vish.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE v3.2.1 weird ssl error ....

Post by benjaminsmith »

Hello Vish,

How did you install nrpe, did you follow the instructions below?

NRPE - How to install NRPE

Also, please upload or post the following file to the ticket. Thanks.

Code: Select all

/etc/xinetd.d/nrpe
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

Re: NRPE v3.2.1 weird ssl error ....

Post by vishfx »

Hi Benjamin,

yes, nrpe was installed from https://support.nagios.com/kb/article.php?id=8

Below are the contents of /etc/xinetd.d/nrpe :

Code: Select all

# default: off
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    disable         = no
    per_source      = 25
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    only_from       = 127.0.0.1 x.x.x.x y.y.y.y z.z.z.z
    log_on_success  =
}
vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

Re: NRPE v3.2.1 weird ssl error ....

Post by vishfx »

I recompiled nrpe manually using :

./configure --enable-command-args --disable-ssl

and ran command /usr/local/nagios/libexec/check_nrpe -H x.x.x.x -n
NRPE v3.2.1

So does that mean it's an SSL library related issue?

Kindly assist.

Regards,
Vish.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE v3.2.1 weird ssl error ....

Post by benjaminsmith »

Hello Vish,
> So does that mean it's an SSL library related issue?

Most likely, as you're getting the "Could Not Complete SSL Handshake" error message. Follow the instructions in the article below to re-compile with SSL enabled.

CHECK_NRPE: Error - Could Not Complete SSL Handshake
vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

Re: NRPE v3.2.1 weird ssl error ....

Post by vishfx »

I followed the instructions from the link for installing nrpe, still get the below error:
Nothing seems to be working in this case.
Kindly assist as this is critical for us.

Also, do you know if this is related to https://github.com/NagiosEnterprises/nrpe/issues/113?

Code: Select all

Nov 13 01:51:45 xinetd[6577]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Nov 13 01:51:45 xinetd[6577]: Started working: 1 available service
Nov 13 01:51:45 systemd: Reloading.
Nov 13 01:51:45 systemd: Binding to IPv6 address not available since kernel does not support IPv6.
Nov 13 01:52:00 xinetd[6774]: warning: can't get client address: Connection reset by peer
Nov 13 01:52:00 nrpe[6774]: Error: (!log_opts) Could not complete SSL handshake with : 5

Code: Select all

yum list installed | grep openssl
openssl.x86_64                  1:1.0.2k-19.0.1.el7         @OEL7.latest-patch
openssl-devel.x86_64            1:1.0.2k-19.0.1.el7         @OEL7.latest-patch
openssl-libs.x86_64             1:1.0.2k-19.0.1.el7         @OEL7.latest-patch
xmlsec1-openssl.x86_64          1.2.20-7.el7_4              @OEL7.latest-patch

Code: Select all

ldd /usr/local/nagios/bin/nrpe
        linux-vdso.so.1 =>  (0x00007ffc08e22000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f87f97b2000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f87f934f000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f87f9135000)
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f87f8f2a000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f87f8b5c000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f87f890f000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f87f8626000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f87f8422000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f87f81ef000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f87f7feb000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f87f7dd5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f87f9a24000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f87f7bc5000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f87f79c1000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f87f77a8000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f87f758c000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f87f7365000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f87f7103000)
vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

Re: NRPE v3.2.1 weird ssl error ....

Post by vishfx »

I even tried with client certs, but it didn't work.

Code: Select all

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca_cert.pem -C /usr/local/nagios/etc/ssl/client_cert.pem -K /usr/local/nagios/etc/ssl/client_cert.key -H X.X.X.X

Log shows below:

Code: Select all

Nov 13 04:01:34 nrpe[1865]: SSL Certificate File: /usr/local/nagios/etc/ssl/client_certs/client_cert.pem
Nov 13 04:01:34 nrpe[1865]: SSL Private Key File: /usr/local/nagios/etc/ssl/client_certs/client_cert.key
Nov 13 04:01:34 nrpe[1865]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca/ca_cert.pem
Nov 13 04:01:34 nrpe[1865]: SSL Cipher List: ALL:!MD5:@STRENGTH
Nov 13 04:01:34 nrpe[1865]: SSL Allow ADH: 0
Nov 13 04:01:34 nrpe[1865]: SSL Client Certs: Don't Ask
Nov 13 04:01:34 nrpe[1865]: SSL Log Options: 0xffffffff
Nov 13 04:01:34 nrpe[1865]: SSL Version: TLSv1 And Above
Nov 13 04:01:34 nrpe[1865]: Error: (nerrs = 0) Could not complete SSL handshake with : 5
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE v3.2.1 weird ssl error ....

Post by benjaminsmith »

Hello @vishfx,

It looks like you are having issues with the IP address on this system.

> Nov 13 01:51:45 systemd: Binding to IPv6 address not available since kernel does not support IPv6.
> Nov 13 01:52:00 xinetd[6774]: warning: can't get client address: Connection reset by peer

1. Just to check, did you re-compile with SSL? If the following command works, then SSL has not been enabled.

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H <remote host ip> -n
2. Is port 5666 open on the remote host? From the Nagios Server, run an nmap command on the remote host.

Code: Select all

nmap <ip of remote host> -p 5666
3. Try adding the local IPv6 ::1 address to the list of only_from addresses, for example:

Code: Select all

vi /etc/xinetd.d/nrpe
only_from = 127.0.0.1 ::1 <Nagios XI server ip>
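The log pattern and `only_from` setting discussed above, as an added example that is not part of the original posts or of NRPE itself: it pairs each NRPE handshake failure with an xinetd "can't get client address" warning from the same PID, and checks whether a source address matches `only_from`. The documentation-range addresses are constructed stand-ins for the redacted ones, only numeric addresses and CIDR entries are handled, and reading the trailing `5` as OpenSSL's `SSL_ERROR_SYSCALL` is an assumption.

```python
import ipaddress
import re

# Constructed sample: syslog lines as quoted in this thread.
SAMPLE_LOG = """\
Nov 13 01:52:00 xinetd[6774]: warning: can't get client address: Connection reset by peer
Nov 13 01:52:00 nrpe[6774]: Error: (!log_opts) Could not complete SSL handshake with : 5
Nov 13 04:01:34 nrpe[1865]: Error: (nerrs = 0) Could not complete SSL handshake with : 5
"""
# Constructed sample: stanza in the style of the posted /etc/xinetd.d/nrpe.
SAMPLE_XINETD = """\
service nrpe
{
    port            = 5666
    only_from       = 127.0.0.1 192.0.2.10 198.51.100.0/24
}
"""
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?:\S+\s)?"
                  r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
HANDSHAKE = re.compile(r"Could not complete SSL handshake with (?P<peer>.*?): (?P<code>\d+)$")

def find_handshake_failures(log_text):
    """List NRPE handshake failures; flag those where xinetd (same PID, since
    xinetd forks and then runs nrpe) saw the peer reset before it had an address."""
    reset_pids, findings = set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. "systemd: ..." lines without a PID
        if m["prog"] == "xinetd" and "can't get client address" in m["msg"]:
            reset_pids.add(m["pid"])
        h = HANDSHAKE.search(m["msg"])
        if m["prog"] == "nrpe" and h:
            findings.append({"pid": m["pid"], "peer": h["peer"] or None,
                             "code": int(h["code"]),  # assumed SSL_get_error() value
                             "peer_reset_early": m["pid"] in reset_pids and not h["peer"]})
    return findings

def only_from(xinetd_text):
    """Parse only_from entries into networks (numeric addresses and CIDR only)."""
    nets = []
    for line in xinetd_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "only_from":
            nets += [ipaddress.ip_network(tok, strict=False) for tok in value.split()]
    return nets

def is_allowed(source_ip, nets):
    """True if source_ip falls inside any only_from entry of the same IP version."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in nets)
```

A failure with an empty peer and `peer_reset_early` set means the connection was torn down before TLS began, so the access lists and the client's TLS mode are worth checking before the OpenSSL build.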
vishfx
Posts: 134
Joined: Tue Apr 24, 2018 12:30 pm

Re: NRPE v3.2.1 weird ssl error ....

Post by vishfx »

Am good with the fix for now.
This can be closed.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: NRPE v3.2.1 weird ssl error ....

Post by benjaminsmith »

Hi,
> Am good with the fix for now.
> This can be closed.

Super! Thanks for the update. Closing.