Can Not Connect to NRDP Server
I am working on a Nagios XI install using NRDS for Linux, AIX, Sun, etc. One problem related to all of the servers is that the install functions fine, the configs are pulled down, and the plugins update, but when nrds.pl is run as nagios it sends this error:
Could Not Connect to NRDP Server at https://xxxxx
Additional Info:
* originally they were set up to talk to http but the config was changed in the NRDS interface and the proper config has pulled down to the host.
* firewall is open on Nagios and between the hosts
* tcpdump shows the Linux hosts talking on 443 and returning info on a high port
* no errors recorded in /var/log/httpd/access_log
* no errors recorded in /var/log/httpd/ssl_error_log or error_log
* cron is running normally on hosts
* manually push ends with same errors as root or user nagios
* curl -k https://nagios_ip/nrdp/ works
* nothing showing up in unconfigured objects
It just does not update the configs
Mike Weber
Nagios Training/Consulting
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Can Not Connect to NRDP Server
To start things off, and at the risk of the curl command already somewhat stating it isn't an issue: what version of openssl are you running on the clients and server? Also, what ssl/tls versions do you have allowed within the server's nrdp configurations? I only ask due to the fun times that openssl has bestowed upon us with breaking anything prior to sslv3 if there is a <1.0.0 vs 1.0.1 difference between the clients and servers.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
Re: Can Not Connect to NRDP Server
Here are the current versions of the Nagios server and the Linux and AIX boxes to be monitored....all have broken once they were moved to https.
Nagios openssl-1.0.1e-16.el6_5.4.x86_64
LINUX openssl-0.9.8e-22.el5_8.3
LINUX openssl-1.0.0-27.el6_4.2.x86_64
AIX openssl.base 0.9.8.2400
They all worked with http
Mike Weber
Nagios Training/Consulting
sreinhardt
Re: Can Not Connect to NRDP Server
I think, big key word there of think, we have found a winner. In case you are not aware, with the NSA issues the openssl group decided to break backwards compatibility with a large number of ciphers on newer versions of openssl. Specifically the only one that I know does work between 0.9.8-1.0.0+ and 1.0.1 is SSLv3. It would make sense that it works over http, as ssl would not play a part in it. However, as soon as you move to https and openssl gets involved we are going to have troubles. It is likely as easy as forcing apache to only use sslv3 with aes. The securing nagios servers talk I gave last year should cover it in some detail, but I can do some digging and test it out myself too if you would like.
Re: Can Not Connect to NRDP Server
We installed the exact same versions of openssl on Nagios and Linux host but still get the same error that it cannot connect to the NRDP server.
The issue has to be related to setting it up as http and then making a change to https, like something on the Nagios box does not allow the connection. I have set up another test box and https from the start and it worked perfectly but the current set up fails.
Mike Weber
Nagios Training/Consulting
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Can Not Connect to NRDP Server
What version of the NRDS component are you running? I ask because there was an issue with older versions and self-signed certificates.
Re: Can Not Connect to NRDP Server
This is the latest version. I remember the issue with the older version and that was one of the first things we checked.
Mike Weber
Nagios Training/Consulting
scottwilkerson
Re: Can Not Connect to NRDP Server
In the
I know this is a simple question, but just covering all bases...
Does this actually look like the following?
Could Not Connect to NRDP Server at https://xxxxx
Could Not Connect to NRDP Server at https://xxxxx/nrdp/
Re: Can Not Connect to NRDP Server
Yes...here is the actual line:
ERROR: could not connect to NRDP server at https://1.1.0.1/nrdp/
So the only other thing I can think of is we installed mod_ssl as we were considering forcing the Nagios server to only talk on 443. Every edit we made has been changed back to the original and we have gone over this time after time. It has to be something that occurred on the Nagios box, either a setting that was changed or a file that was altered in some way.
We restored to original settings:
Admin/System Config/Manage System Config --> http
/usr/local/nagiosxi/html/config.inc.php --> false for the setting to force https
no redirect options in the https.conf file
NagiosQL setting for https was returned to http
Mike Weber
Nagios Training/Consulting
scottwilkerson
Re: Can Not Connect to NRDP Server
Did something change in /etc/httpd/conf.d/nrdp.conf ?
Out of curiosity, if you run the following from the Linux host, do you see the HTML output?
curl --insecure https://1.1.0.1/nrdp/
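The thread notes that `curl -k` succeeds while nrds.pl reports a connection failure, and asks about self-signed certificates. The following added example (not part of the original thread and not Nagios code) runs the same request with and without certificate verification and uses curl's documented exit statuses to say which layer failed. The function names and the `NAGIOS_SERVER` URL are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: separate TCP, TLS-handshake and certificate-trust failures
# for an HTTPS endpoint such as /nrdp/. Function names are hypothetical.

# Map a curl exit status (documented in curl's man page) to a layer.
classify_curl_exit() {
  case "$1" in
    0)        echo ok ;;
    6)        echo dns ;;             # could not resolve host
    7)        echo tcp ;;             # failed to connect
    28)       echo timeout ;;         # operation timed out
    35)       echo tls-handshake ;;   # SSL connect error (protocol/cipher)
    51|60|77) echo certificate ;;     # peer certificate / CA problems
    *)        echo other ;;
  esac
}

# Combine the verified run and the --insecure run into one verdict.
# $1 = exit status with verification, $2 = exit status with --insecure.
diagnose() {
  local strict loose
  strict=$(classify_curl_exit "$1")
  loose=$(classify_curl_exit "$2")
  if [ "$strict" = ok ]; then
    echo "https-ok"
  elif [ "$loose" = ok ]; then
    # Only verification fails: the server certificate is not trusted
    # by this client (self-signed, wrong name, missing CA bundle).
    echo "untrusted-certificate"
  else
    echo "$loose"
  fi
}

# Run both requests against a URL and print the raw codes and the verdict.
probe_nrdp() {
  local url strict loose
  url=$1; strict=0; loose=0
  curl --silent --output /dev/null --max-time 10 "$url" || strict=$?
  curl --silent --output /dev/null --max-time 10 --insecure "$url" || loose=$?
  echo "verified=$strict insecure=$loose verdict=$(diagnose "$strict" "$loose")"
}

# Usage: ./probe.sh https://NAGIOS_SERVER/nrdp/   (placeholder URL)
if [ $# -gt 0 ]; then
  probe_nrdp "$1"
fi
```

A verdict of `untrusted-certificate` means a client that verifies the certificate will refuse a connection that `curl --insecure` accepts; the durable fix is to install a certificate the client trusts rather than to disable verification.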