check_nrpe on RHEL 8 / CentOS 8

jbmccarthy
Posts: 4
Joined: Sat Sep 21, 2019 12:59 pm

check_nrpe on RHEL 8 / CentOS 8

Post by jbmccarthy »

I am using Nagios core (4.4.6) and check_nrpe (4.0.3) to monitor localhost services (not a remote server), and everything has been working fine for years on version 7; however, on version 8 I keep getting "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1". Everything I am able to find refers to remote servers, not the localhost. Nagios and check_nrpe versions are the same, but openssl is 1.0.2k vs 1.1.1g. Any ideas? Thanks!
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: check_nrpe on RHEL 8 / CentOS 8

Post by gormank »

I added --v2-packets-only to my check_nrpe command to get rid of SSL errors some time ago after an upgrade of RHEL to 7 and a reinstall/restore/upgrade of Nagios.
I also see that check_nrpe has a -n argument to disable SSL.
You might try one of those.
jbmccarthy
Posts: 4
Joined: Sat Sep 21, 2019 12:59 pm

Re: check_nrpe on RHEL 8 / CentOS 8

Post by jbmccarthy »

Thank you for the feedback. These are all fresh installs from a kickstart file, and I have no issues with the latest version 7.9 - only on RHEL8. I attempted the two options with negative results. I will keep digging!

[root@rhel8 plugins]# ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not connect to ::4c3a:433a:4b3a:413a: Connection reset by peer

[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1

[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1 -n
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

[root@rhel8 plugins]# ./check_nrpe -H localhost -n
CHECK_NRPE: Receive header underflow - only -1 bytes received (4 expected).

[root@rhel8 plugins]# ./check_nrpe -H localhost -2
CHECK_NRPE: Error - Could not connect to ::4c3a:433a:4b3a:413a: Connection reset by peer

[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1 -2
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1
jbmccarthy
Posts: 4
Joined: Sat Sep 21, 2019 12:59 pm

Re: check_nrpe on RHEL 8 / CentOS 8

Post by jbmccarthy »

I started downgrading openssl until I got the ./check_nrpe to work. It was after erasing crypto-policies-scripts and libssh-config that I was able to get it to work. After upgrading openssl back to current, I focused on the crypto-policies-scripts, and long story short, it is the stricter policies on RHEL8 (see the links below). After setting to LEGACY, the scripts worked. The strange thing is, I had initially attempted the --ssl-version=VERSION TLSv1.2+ TLS v1.2 or above flag on check_nrpe, which should have worked on the DEFAULT setting, but for some reason it does not. Need to figure this one out so as not to be forced to use the LEGACY setting for one script.

https://access.redhat.com/articles/3666211

https://access.redhat.com/articles/3642912

What policies are provided?
Four policies are provided under the names “LEGACY”, “DEFAULT”, “FUTURE” and “FIPS”. They are summarized and described in the table below.

Policy name Description
LEGACY: This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and Diffie-Hellman parameters are accepted if larger than 1023-bits.

DEFAULT: The DEFAULT policy is a reasonable default policy for today's standards, aimed for a balance between usability and security. It allows the TLS 1.2 and 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047-bits.

[root@rhel8 ~]# update-crypto-policies --show
DEFAULT

[root@rhel8 plugins]# update-crypto-policies --set LEGACY
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[root@rhel8 ~]# update-crypto-policies --show
LEGACY

After setting to LEGACY, the scripts work

[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1
5.10.0_build.992-20200923090945

[root@rhel8 plugins]# ./check_sd5_storage_health
13 physical disk(s) in the system.

Intel Corporation C600/X79 series chipset 6-Port SATA AHCI Controller
-- 2 physical disk(s)
-- The status is normal.


AVAGO 3108 MegaRAID Controller
-- 11 physical disk(s)
-- The status of RAID is normal.

[root@rhel8 plugins]# ./check_sd5_health_all
Checked: 38, OK: 38.|
CPU1_Temp=36C;0;0;0;87 CPU2_Temp=44C;0;0;0;87 System_Temp=34C;0;0;0;85 Peripheral_Temp=42C;0;0;0;85 PCH_Temp=43C;0;0;0;95 P1-DIMMA1_TEMP=35C;0;0;0;85 P1-DIMMB1_TEMP=34C;0;0;0;85 P1-DIMMC1_TEMP=33C;0;0;0;85 P1-DIMMD1_TEMP=33C;0;0;0;85 P2-DIMME1_TEMP=39C;0;0;0;85 P2-DIMMF1_TEMP=39C;0;0;0;85 P2-DIMMG1_TEMP=42C;0;0;0;85 P2-DIMMH1_TEMP=44C;0;0;0;85 FAN1=3750RPM;0;0;450;13000 FAN2=3675RPM;0;0;450;13000 FAN3=3525RPM;0;0;450;13000 FAN4=3600RPM;0;0;450;13000 FAN5=3450RPM;0;0;450;13000 FANA=3825RPM;0;0;450;13000 FANB=3825RPM;0;0;450;13000 VTT=0.992V;0;0;0.864;1.392 CPU1_Vcore=0.784V;0;0;0.512;1.52 CPU2_Vcore=0.768V;0;0;0.512;1.52 VDIMM_AB=1.328V;0;0;1.152;1.696 VDIMM_CD=1.328V;0;0;1.152;1.696 VDIMM_EF=1.328V;0;0;1.152;1.696 VDIMM_GH=1.328V;0;0;1.152;1.696 +1.1_V=1.088V;0;0;0.928;1.264 +1.5_V=1.472V;0;0;1.296;1.696 3.3V=3.312V;0;0;2.784;3.792 +3.3VSB=3.36V;0;0;2.784;3.792 5V=4.992V;0;0;4.288;5.696 +5VSB=4.928V;0;0;4.288;5.696 12V=12.084V;0;0;10.494;13.568 VBAT=3.168V;0;0;2.544;3.456 Chassis_Intru=



-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
SSLv3 SSL v3 only
SSLv3+ SSL v3 or above
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above



[root@rhel8 plugins]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[root@rhel8 plugins]# ./check_nrpe -H 127.0.0.1 --ssl-version=TLSv1.2+
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1
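
The policy descriptions quoted in the post above differ in both the TLS protocol floor and the minimum RSA/Diffie-Hellman size, and --ssl-version only touches the first of those. As an added example (not part of the original posts or of NRPE), this script summarises and diffs two OpenSSL crypto-policy back-end files so both controls are visible side by side. The sample file contents are constructed and abbreviated, and the function names and the assumed "MinProtocol = ..." / "CipherString = @SECLEVEL=N:..." line format are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: compare what two OpenSSL crypto-policy back-end files enforce.
# Assumption: each file has "MinProtocol = X" and "CipherString = @SECLEVEL=N:..." lines.

# Print the value of the first "KEY = value" line.  usage: policy_field FILE KEY
policy_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print N from "@SECLEVEL=N" inside the CipherString value.
policy_seclevel() {
    policy_field "$1" CipherString | sed -n 's/.*@SECLEVEL=\([0-9]\).*/\1/p'
}

# Smallest RSA/DH size (bits) OpenSSL accepts at a given security level.
seclevel_min_bits() {
    case "$1" in
        0) echo 0 ;; 1) echo 1024 ;; 2) echo 2048 ;; 3) echo 3072 ;;
        *) echo unknown ;;
    esac
}

# One-line summary of the controls relevant to a TLS handshake.
policy_summary() {
    lvl=$(policy_seclevel "$1")
    printf 'min_protocol=%s seclevel=%s min_rsa_dh_bits=%s\n' \
        "$(policy_field "$1" MinProtocol)" "$lvl" "$(seclevel_min_bits "$lvl")"
}

# Print only the fields that differ between two policy files.
policy_diff() {
    for key in min_protocol seclevel min_rsa_dh_bits; do
        a=$(policy_summary "$1" | tr ' ' '\n' | sed -n "s/^$key=//p")
        b=$(policy_summary "$2" | tr ' ' '\n' | sed -n "s/^$key=//p")
        [ "$a" = "$b" ] || printf '%s: %s -> %s\n' "$key" "$a" "$b"
    done
}

# Constructed, abbreviated samples modelled on the LEGACY and DEFAULT descriptions.
write_samples() {
    printf '%s\n' 'CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH' \
        'MinProtocol = TLSv1' > "$1/legacy.config"
    printf '%s\n' 'CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH' \
        'MinProtocol = TLSv1.2' > "$1/default.config"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
policy_diff "$demo_dir/legacy.config" "$demo_dir/default.config"
rm -rf "$demo_dir"
```

On a RHEL 8 host the active OpenSSL back-end file is normally /etc/crypto-policies/back-ends/opensslcnf.config; pass that path to policy_summary instead of the constructed samples.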
jbmccarthy
Posts: 4
Joined: Sat Sep 21, 2019 12:59 pm

Re: check_nrpe on RHEL 8 / CentOS 8

Post by jbmccarthy »

I upgraded openssl to the latest version 1.1.1k from source following the article below, and the scripts work as expected; however, it appears that it has broken dnf and who knows what else. Spending too much time on this. Hopefully an updated version of either check_nrpe and/or openssl will be released that addresses this issue.

https://www.howtoforge.com/tutorial/how ... -on-linux/