Windows server 2003 - NCPA 1.8.1 - sslv3 alert handshake fai

[dragan.vucanovic]

I have issues trying to get NCPA 1.8.1 passive check to communicate with nagios server

ncpa.cfg

Code: Select all

[listener]
uid = nagios
certificate = adhoc
loglevel = info
ip = 0.0.0.0
gid = nagcmd
logfile = var/ncpa_listener.log
port = 5693
pidfile = var/ncpa_listener.pid
# Available versions: PROTOCOL SSLv2, SSLv3, TLSv1
ssl_version = TLSv1

[passive]
uid = nagios
handlers = nrds,nrdp
loglevel = info
gid = nagcmd
sleep = 300
logfile = var/ncpa_passive.log
pidfile = var/ncpa_passive.pid

[nrdp]
token =UjdZYhrlDT7w84
hostname =vm.example.com
parent =https://nrdp.example.com

[nrds]
URL =https://nrdp.example.com
CONFIG_VERSION =0
TOKEN =UjdZYhrlDT7w84
CONFIG_NAME =
CONFIG_OS = None
PLUGIN_DIR=plugins/
UPDATE_CONFIG=1
UPDATE_PLUGINS=1

[api]
community_string =UjdZYhrlDT7w84

[plugin directives]
plugin_path = plugins/
.sh = /bin/sh $plugin_name $plugin_args
.ps1 = powershell -ExecutionPolicy Bypass -File $plugin_name $plugin_args
.vbs = cscript $plugin_name $plugin_args //NoLogo

[passive checks]
%HOSTNAME%|cpu usage = /cpu/percent --warning 20 --critical 30
%HOSTNAME%|swap usage = /memory/swap/percent --warning 40 --critical 80
%HOSTNAME%|memory usage = /memory/virtual/percent --warning 60 --critical 80

When sending data to Nagios server getting

Code: Select all

SSLError: [Errno 1] _ssl.c:507: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

[dchurch]

Is this NCPA for windows sending the passive check?

The latest NCPA version is 2.3.1. Have you tried installing the latest version of NCPA?

What's the output from the following commands on the Nagios XI machine's command line?

Code: Select all

openssl version
php --version
grep -rPi '^\sSSL' /etc/httpd*

[dragan.vucanovic]

I can't install latest version because Windows server 2003 cannot support it, regarding your second question, when i log in to nagios i'll post it

[dchurch]

Okay, let us know what the result of those commands are.

What I'm thinking is wrong is that either NCPA or the Windows Server 2003 stack isn't capable of negotiating an SSL protocol and cipher with the Nagios REST API for submitting passive check. We'll have to update the Apache settings to allow using insecure cipher suites.

In lieu of figuring out what cipher suite Apache <=> NCPA can use, what you could do instead is simply move to using an active check which NCPA supports.

What you could also try is changing the passive check endpoint (parent) from "https" to "http" inside of ncpa.cfg on the Windows computer. This would circumvent any connection problems associated with SSL protocol negotiation on older systems, but it would mean the traffic wasn't encrypted.

[dragan.vucanovic]

We decided to give up and not to use Nagios for this server, instead ,we'll use another product for server 2003

[ssax]

Okay, thanks for the update! Locking the post.