Hi,
We moved Nagios XI 5.11.2 from CentOS 7 to RHEL 8 (also tried CentOS Stream 9 with the same result) and ran into NRPE SSL errors. We monitor 100+ hosts so there is no quick solution on the client side. What can we do to solve this issue, preferably on the XI-server?
Please see error messages from the XI servers:
nagios[2127]: SERVICE ALERT: **FQDN-HOSTNAME**;Open Files;CRITICAL;SOFT;4;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.1.10
check_nrpe[3624]: Error: (!log_opts) Could not complete SSL handshake with 10.0.0.11: dh key too small
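The two error lines above differ in what they reveal: the Nagios service alert only reports a failed handshake, while the check_nrpe syslog line carries the reason. The following added example (not part of the original post) groups failing agent addresses by reason so the hosts that actually report `dh key too small` can be listed separately. The function names are hypothetical, and the sample log contains the two lines from the post plus two constructed ones.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are from the post, the last two are constructed.
SAMPLE_LOG = """\
nagios[2127]: SERVICE ALERT: **FQDN-HOSTNAME**;Open Files;CRITICAL;SOFT;4;CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.1.10
check_nrpe[3624]: Error: (!log_opts) Could not complete SSL handshake with 10.0.0.11: dh key too small
check_nrpe[3630]: Error: (!log_opts) Could not complete SSL handshake with 10.0.0.11: dh key too small
check_nrpe[3641]: Error: (!log_opts) Could not complete SSL handshake with 10.0.0.12: dh key too small
"""

# Agent address after "SSL handshake with", then an optional ": reason" suffix.
HANDSHAKE_RE = re.compile(
    r"Could not complete SSL handshake with (?P<addr>\S+?)(?:: (?P<reason>.+))?$"
)


def triage(log_text):
    """Return {reason: {address: count}} for every handshake failure line."""
    by_reason = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line.strip())
        if not m:
            continue
        # The service alert line has no reason suffix; keep it apart from
        # failures that are known to be caused by the DH key size.
        reason = m.group("reason") or "unspecified"
        by_reason[reason][m.group("addr")] += 1
    return {reason: dict(hosts) for reason, hosts in by_reason.items()}


def dh_hosts(log_text):
    """Sorted addresses whose handshake failed with 'dh key too small'."""
    return sorted(triage(log_text).get("dh key too small", {}))


if __name__ == "__main__":
    for reason, hosts in triage(SAMPLE_LOG).items():
        for addr, count in sorted(hosts.items()):
            print(f"{reason}\t{addr}\t{count}")
```

Addresses that land under `unspecified` need the matching check_nrpe line (or a manual check) before they can be attributed to the DH key size.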
SSL Errors after restore
Re: SSL Errors after restore
Hi @Narie, thanks for reaching out.
This post might help you.
Hope this helps! For future reference, if you would like an immediate response please consider our Support Plan.
Please let us know if you have any other questions or concerns.
-Laura
-
RocketBoy01
- Posts: 1
- Joined: Thu Nov 02, 2023 6:56 pm
Re: SSL Errors after restore
That is a very weak response from Nagios to what is a very well known issue.
The problem here is that you are most likely using NSClient++ that was working before using a DH key size of 512; newer versions of Linux create a 2048-bit size and so the two are incompatible.
The fun part is that there is no simple way to resolve this, which is why no one will give you a straight answer. I'm sure you have already checked the allowed hosts directive in NSClient++ and probably used the same IP for the new server.
The only workable solution I have found to this is to give up on NRPE/NSClient++ and move all of your checks over to NCPA. I have been working through this process for weeks already as I have THOUSANDS of hosts to remedy and build new checks for. I could have modified the DH key size and pushed to the existing hosts but that would just be kicking the can further down the road and the problem would still be hiding in the background.
I have a bunch of licenses to renew at the moment and I'm seriously considering other platforms instead due to the lack of transparency or solutions offered by Nagios on what is a very well known issue. A quick Google search will show how many people have experienced the same thing.
Re: SSL Errors after restore
Sorry for this late response, I wasn't aware of the long-lasting issue, and the fact that Nagios is lacking transparency and service. So we are reconsidering Nagios XI at the moment...
-
danderson
Re: SSL Errors after restore
A quick Google Search has brought up the following link I believe might be helpful if you decide to replace the DH key size like @RocketBoy01 mentioned.
https://support.nagios.com/kb/article/o ... t-901.html