Page 4 of 4
Re: I can't understand how nrpe 2.16 should be installed
Posted: Wed Dec 23, 2015 10:55 am
by Box293
nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
jfrickson wrote:check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
I created a request on GitHub for the check_nrpe plugin to be able to use a config file:
https://github.com/NagiosEnterprises/nrpe/issues/34
Re: I can't understand how nrpe 2.16 should be installed
Posted: Thu Dec 24, 2015 6:02 am
by nihvel
jfrickson wrote:nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
nihvel wrote:Ok, two more questions:
I know that this is silly but I need to report everything to colleagues. I can't see encrypted packets from Wireshark. How can I check and really show them that the connection is ciphered? Because just saying "it uses certificates, trust me, it is" does not help me. I need to show that it really is. And Wireshark is not helping me because all I see is TCP. OK, there will always be a few "plain text" packets, but I do not see any TLS/SSL.
Two things you can tell them. First, all NRPE communication between the client and the server is plain text. If you run a check_load command, the output will be something like
OK - load average: 0.09, 0.16, 0.14|load1=0.090;0.750;1.500;0; load5=0.160;0.500;1.250;0; load15=0.140;0.250;1.000;0;
If you don't see any packets with that kind of text, then it's encrypted.
Second, if you have ssl_logging=0x2f turned on in the nrpe.cfg file and -s 0x2f on the check_nrpe command line, syslog will tell you. For example, below are the log entries from a check I ran. Notice in particular the line Remote - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384. That says it's communicating using TLSv1/SSLv3 and the connection is encrypted with the cipher DHE-RSA-AES256-GCM-SHA384. The RSA part indicates it's public-key encryption. AES256 means it's using 256-bit AES encryption. SHA384 means it's using a 384-bit SHA hash. The details of both the client and server certificates are also shown.
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Certificate File: /usr/local/nagios/etc/ssl/client_certs/nag_serv.pem
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Private Key File: /usr/local/nagios/etc/ssl/client_certs/nag_serv.key
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca/ca_cert.pem
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Cipher List: ALL:!MD5:@STRENGTH
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Log Options: 0xff
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL Version: TLSv1_plus And Above
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Connected to 127.0.0.1
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Certificate File: /usr/local/nagios/etc/ssl/server_certs/db_server.pem
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Private Key File: /usr/local/nagios/etc/ssl/server_certs/db_server.key
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca/ca_cert.pem
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Cipher List: ALL:!MD5:@STRENGTH
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client Certs: Require
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Log Options: 0x2f
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Version: TLSv1 And Above
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: Remote - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client Cert Name: /C=US/ST=Minnesota/O=Internet Widgits Pty Ltd/OU=IT/CN=nag_serv/[email protected]
2015-12-23T09:08:37-0600 linux-jtgl nrpe[14071]: SSL Client Cert Issuer: /C=US/ST=Minnesota/L=St. Paul/O=Internet Widgits Pty Ltd/OU=IWP Certificate Authority/CN=IPW Nagios CA/[email protected]
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 has a valid certificate
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 Cert Name: /C=US/ST=Minnesota/O=Internet Widgits Pty Ltd/OU=IT/CN=db_server/[email protected]
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: SSL 127.0.0.1 Cert Issuer: /C=US/ST=Minnesota/L=St. Paul/O=Internet Widgits Pty Ltd/OU=IWP Certificate Authority/CN=IPW Nagios CA/[email protected]
2015-12-23T09:08:37-0600 linux-jtgl check_nrpe[14070]: Remote 127.0.0.1 accepted a Version 3 Packet
That should satisfy them.
Wonderful! And I have the same log too but at least I know now how to read it! Thank you!
Box293 wrote:nihvel wrote:I only have one more question:
How come if I edit nrpe.cfg with the path of certificates, the command ./check_nrpe -H ip -c command does not work resulting in an ssl handshake error, and when I send the command with certificates option included, it does?
jfrickson wrote:check_nrpe does not read the nrpe.cfg. It only uses command-line arguments. That might explain some of your problems if you were expecting check_nrpe to use what is in the config file.
I created a request on GitHub for the check_nrpe plugin to be able to use a config file:
https://github.com/NagiosEnterprises/nrpe/issues/34
I'm sure this request is welcome! It all started also because I thought nrpe.cfg was the one and only way to configure the check_nrpe command, and that the check_nrpe -options were just for troubleshooting... Silly me!
You guys helped me a lot thank you again and since it's 24th today, Merry Christmas everybody!
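The log reading described in the quoted answer above, as an added example that is not from the thread or from NRPE itself: a small parser for the ssl_logging syslog lines that pulls the negotiated TLS version, cipher and peer certificate details per nrpe/check_nrpe process, plus a split of the OpenSSL cipher name into key exchange, authentication, encryption and hash. The sample lines are constructed from the format shown in the quoted log; the host, pids and certificate DN are placeholders, and the code assumes Python 3.8 or later.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ssl_logging=0x2f syslog lines quoted in the thread
# (host, pids and the DN are placeholders, not taken from any real system).
SAMPLE_LOG = """\
2015-12-23T09:08:37-0600 host nrpe[14071]: SSL Allow ADH: Allow
2015-12-23T09:08:37-0600 host nrpe[14071]: SSL Version: TLSv1 And Above
2015-12-23T09:08:37-0600 host nrpe[14071]: Remote - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 host nrpe[14071]: Remote - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 host nrpe[14071]: SSL Client Cert Name: /C=US/O=Example/OU=IT/CN=nag_serv
2015-12-23T09:08:37-0600 host check_nrpe[14070]: Remote 127.0.0.1 - SSL Version: TLSv1.2
2015-12-23T09:08:37-0600 host check_nrpe[14070]: Remote 127.0.0.1 - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
2015-12-23T09:08:37-0600 host check_nrpe[14070]: SSL 127.0.0.1 has a valid certificate
"""

LINE_RE = re.compile(r"^\S+ \S+ (nrpe|check_nrpe)\[(\d+)\]: (.*)$")
# Only "Remote ..." lines report the negotiated session; a bare "SSL Version:" line is local config.
FIELD_RES = {
    "version": re.compile(r"^Remote .*SSL Version: (\S+)$"),
    "cipher": re.compile(r"^Remote .*Cipher is (\S+)$"),
    "client_cn": re.compile(r"^SSL Client Cert Name: .*/CN=([^/]+)"),
}

def parse_ssl_log(text):
    """Group ssl_logging lines by (program, pid) into one summary per TLS session."""
    sessions = defaultdict(lambda: {"version": None, "cipher": None, "client_cn": None,
                                    "adh_allowed": False, "peer_cert_valid": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an nrpe/check_nrpe line
        prog, pid, msg = m.groups()
        s = sessions[(prog, int(pid))]
        for key, rx in FIELD_RES.items():
            if (f := rx.match(msg)):
                s[key] = f.group(1)
        s["adh_allowed"] |= msg == "SSL Allow ADH: Allow"          # anonymous DH permitted by config
        s["peer_cert_valid"] |= msg.endswith("has a valid certificate")
    return dict(sessions)

def describe_cipher(name):
    """Split an OpenSSL suite name such as DHE-RSA-AES256-GCM-SHA384 into its components."""
    p = name.split("-")
    if p[0] in ("ADH", "AECDH"):   # anonymous DH: no peer authentication at all
        return {"kx": p[0], "auth": "NONE", "enc": "-".join(p[1:-1]), "hash": p[-1]}
    if p[0] in ("DHE", "ECDHE"):   # ephemeral key exchange, then the authentication algorithm
        return {"kx": p[0], "auth": p[1], "enc": "-".join(p[2:-1]), "hash": p[-1]}
    return {"kx": "RSA", "auth": "RSA", "enc": "-".join(p[:-1]), "hash": p[-1]}
```

A session whose parsed cipher comes back with auth "NONE", or whose config shows adh_allowed, is the case to raise with colleagues: the traffic is encrypted but neither side has proven who it is.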
Re: I can't understand how nrpe 2.16 should be installed
Posted: Mon Dec 28, 2015 11:10 am
by hsmith
Merry Christmas to you as well. Is this one working for you yet? Looking through this I can't tell for sure if it is resolved or not.
Re: I can't understand how nrpe 2.16 should be installed
Posted: Tue Dec 29, 2015 3:46 am
by nihvel
hsmith wrote:Merry Christmas to you as well. Is this one working for you yet? Looking through this I can't tell for sure if it is resolved or not.
Yes, it is solved.

Good job! Thanks
Re: I can't understand how nrpe 2.16 should be installed
Posted: Tue Dec 29, 2015 10:23 am
by hsmith
Awesome! Glad to hear that is working for you now. Would you like me to close the thread?
Re: I can't understand how nrpe 2.16 should be installed
Posted: Tue Dec 29, 2015 11:13 am
by nihvel
When there's something not working on Linux, it's 99% a permissions problem. It applies the DAC so damn well.
Yes please you may close it now!
