NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 16, 2015 4:24 pm
by skynardo
When I install a new NRDS client, then try to run the nrds.pl in nagios user's crontab, I get the following:
[nagios@server ~]$ /usr/local/nrdp/clients/nrds/nrds.pl -H 'server'
ERROR: could not connect to NRDP server at https://nagiosxi/nrdp/

Existing clients are still working fine.
If I change the URL in the nrds.cfg from https to http on a new client, it can connect.

I am fairly certain this started after upgrading to Nagios XI 5.2.0.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Thu Dec 17, 2015 1:39 pm
by ssax
The only thing that I can think of is that there is a firewall blocking it (443) or you are using a self-signed certificate and haven't imported the CA certificate into the client.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 23, 2015 12:01 pm
by skynardo
No firewall here. Can you point me to details about the self-signed certificate? And are you referring to the nrds clients? This would be something related to my recent upgrade as I did not initially do any sort of ssl setup or certificate installation or import on my existing nrds clients (all of which are still working). It's new/updated clients that cannot connect via ssl.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 23, 2015 12:49 pm
by ssax
Please post the OS details (distro/version) of a working one and a non-working one as they may be set up differently and we can go from there.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 23, 2015 2:19 pm
by skynardo
As an example, I have 2 RHEL 6 machines (A and B), both were working fine. I created a new NRDS config file on my server, then from the A machine I ran through the install instructions for the new NRDS config, i.e. wget config file, untar, run installnrds hostname interval. Since doing this on the A machine, it cannot connect to the NRDP server via https. I get:

ERROR: could not connect to NRDP server at https://nagiosxiserver/nrdp/

The B machine still works fine, it still has the older versions of send_nrdp as I did not update the client. I manually updated the nrds.cfg file on the B machine and it still works fine via https. I get:
Sent 5 checks to https://nagiosxiserver/nrdp/

These are identical machines, built from the same Satellite kickstart and are both running the same application.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 23, 2015 4:48 pm
by ssax
To check if it's a certificate issue run this command from the new client:

Code:

curl "https://192.168.4.126/nrdp/"

If it gives an SSL certificate verification error then that's the issue.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Wed Dec 23, 2015 5:08 pm
by skynardo
OK, so curl fails from both machines, even though the machine with the older nrds client still works. So the newer client must enforce certificates differently.
Can someone point me to the doc on how to resolve this?


[Bmachine ~]# curl "https://nagiosxiserver/nrdp/"
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Mon Dec 28, 2015 10:33 am
by bwallace
Try updating the ca-certificates package on your RHEL boxes as outlined here:

https://access.redhat.com/solutions/523823

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Thu Feb 04, 2016 5:39 pm
by skynardo
I still need to resolve this issue. I checked our currently installed ca-certificates package and it is newer than the one suggested in the above fix.

[root@nagiosxi conf.d]# yum list installed ca-certificates
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
Installed Packages
ca-certificates.noarch 2014.1.98-65.1.el6

However, when I run the following, it indicates "Remote Certificate has expired"
[root@nagiosxi ~]# curl -v https://nagiosxi
* About to connect() to nagiosxi port 443 (#0)
* Trying 10.204.240.199... connected
* Connected to nagiosxi (10.204.240.199) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
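
Added example, not part of the thread and not code from any poster or from Nagios: curl's exit code 60 and its "Peer certificate cannot be authenticated" message are the same for an expired certificate and for a missing CA, so this sketch triages a `curl -v` transcript by the NSS error code instead. The helper name `classify_curl_tls_failure` and the second sample are constructed, and the code-to-name mapping is taken from the NSS error tables, not from this page.

```shell
#!/bin/sh
# Added example: triage a `curl -v` transcript from an NSS-linked curl
# (the build shown in the thread) by the NSS error code it logs.
# curl exit code 60 and its message are identical for several causes.

# Constructed sample, abridged from the verbose output quoted in the thread.
sample_expired='* Connected to nagiosxi (10.204.240.199) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* Remote Certificate has expired.
* NSS error -8181
curl: (60) Peer certificate cannot be authenticated with known CA certificates'

# Constructed sample (not from the thread): same curl message, different cause.
sample_unknown_ca='* Connected to nagiosxi (10.204.240.199) port 443 (#0)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* NSS error -8179
curl: (60) Peer certificate cannot be authenticated with known CA certificates'

# classify_curl_tls_failure is a hypothetical helper name.
# Prints "<cause>: <where to fix it>" for one transcript passed as $1.
classify_curl_tls_failure() (
    code=$(printf '%s\n' "$1" | sed -n 's/^\* NSS error \(-[0-9][0-9]*\).*/\1/p' | head -n 1)
    cafile=$(printf '%s\n' "$1" | sed -n 's/^\* *CAfile: *//p' | head -n 1)
    case "$code" in
        -8181)  # SEC_ERROR_EXPIRED_CERTIFICATE
            echo "expired: renew the certificate on the server" ;;
        -8179|-8172)  # SEC_ERROR_UNKNOWN_ISSUER / SEC_ERROR_UNTRUSTED_ISSUER
            echo "untrusted-issuer: add the issuing CA to ${cafile:-the client CA bundle}" ;;
        -12276)  # SSL_ERROR_BAD_CERT_DOMAIN
            echo "name-mismatch: URL host is not a name in the certificate" ;;
        '')
            if printf '%s\n' "$1" | grep -q '^curl: (60)'; then
                echo "verify-failed: no NSS code logged, rerun with curl -v"
            else
                echo "no-tls-error: no certificate failure in this transcript"
            fi ;;
        *)
            echo "other: NSS error $code, look it up in the NSS error tables" ;;
    esac
)

for s in "$sample_expired" "$sample_unknown_ca"; do
    classify_curl_tls_failure "$s"
done
```

An "expired" result is fixed on the server side, while "untrusted-issuer" is fixed in the client's CA bundle, which is why updating ca-certificates on the client does not clear the -8181 case.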

Re: NRDS unable to connect to NRDP server after upgrade

Posted: Fri Feb 05, 2016 1:59 pm
by rkennedy
Let's check out the certificate. What is the output from this command?

Code:

curl -vvIk https://nagiosxi