Disabling SSL in REALLY old Nagios self compiled setup
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
This definitely has something to do with SSL and more particularly not using SSL.
So, there are two types of nagios client machines, one type has wealer ciphers enabled and another, newer type has only stronger ciphers.
the "-n" is failing on both.
With a client with weak ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H weakcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H weakcipherservername
NRPE v2.15
With a client with strong ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H strongcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H strongcipherservername
CHECK_NRPE: Error - Could not complete SSL handshake.
So, there are two types of nagios client machines, one type has wealer ciphers enabled and another, newer type has only stronger ciphers.
the "-n" is failing on both.
With a client with weak ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H weakcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H weakcipherservername
NRPE v2.15
With a client with strong ciphers:
[]# /usr/local/nagios/libexec/check_nrpe -n -H strongcipherservername
CHECK_NRPE: Error receiving data from daemon.
[]# /usr/local/nagios/libexec/check_nrpe -H strongcipherservername
CHECK_NRPE: Error - Could not complete SSL handshake.
Re: Disabling SSL in REALLY old Nagios self compiled setup
If you want to compile the NRPE Agent without SSL, you would use the following example.
You also may want to look at this KB article for making the older and newer versions of NRPE to work together.
https://support.nagios.com/kb/article.php?id=516
Code: Select all
./configure --enable-command-args --disable-ssl
https://support.nagios.com/kb/article.php?id=516
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
Thanks for the input. Compiling nrpe to not use ssl is not an option.
I followd the knowledgebase artice for making different nrpe's work together and got this:
~]# /usr/local/nagios/libexec/check_nrpe -2 -H strongcipherservername
/usr/local/nagios/libexec/check_nrpe: invalid option -- 2
NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
I followd the knowledgebase artice for making different nrpe's work together and got this:
~]# /usr/local/nagios/libexec/check_nrpe -2 -H strongcipherservername
/usr/local/nagios/libexec/check_nrpe: invalid option -- 2
NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
Re: Disabling SSL in REALLY old Nagios self compiled setup
I want to verify that you are using the old version of the check_nrpe (Version 2.15) and you want to connect to the new 3.x.x NRPE Agent, is that correct?
Can you post your nrpe.cfg file from one of the system using the new NRPE Agent?
Also, can you check the /var/log/messages file for any errors when you run the check_nrpe test and post them as well.
What OS and release is the system running you are trying to install the Agent on?
Can you post your nrpe.cfg file from one of the system using the new NRPE Agent?
Also, can you check the /var/log/messages file for any errors when you run the check_nrpe test and post them as well.
What OS and release is the system running you are trying to install the Agent on?
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
I think that the Nagios server check_nrpe version is 2.12
the nrpe.cfg file is at: https://pastebin.com/8dmUnfBL
nothing in /var/log/messages on the Nagios server
Nagios server:
[lnxvm02:~]# uname -a
Linux 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 i386 GNU/Linux
Nagios client:
Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
the nrpe.cfg file is at: https://pastebin.com/8dmUnfBL
nothing in /var/log/messages on the Nagios server
Nagios server:
[lnxvm02:~]# uname -a
Linux 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 i386 GNU/Linux
Nagios client:
Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
I guess compiling NRPE w/o SSL is an option on the new strong cipher servers, and the Nagios server is able to connect using the -n switch.
How do I modify the Nagios configuration file to pass the "-n" switch to ONLY those new strong cipher servers?
current checks look like this:
###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################
#### Server template ####
define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}
# Disk checking definitions
define service{
use generic-servername
service_description root
check_command check_nrpe!check_root
}
define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot
}
define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp
How do I modify the Nagios configuration file to pass the "-n" switch to ONLY those new strong cipher servers?
current checks look like this:
###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################
#### Server template ####
define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}
# Disk checking definitions
define service{
use generic-servername
service_description root
check_command check_nrpe!check_root
}
define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot
}
define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp
Re: Disabling SSL in REALLY old Nagios self compiled setup
Please post your command definition for check_nrpe so that we can help you adjust them.
Thank you
Thank you
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
Some Nagios clients are fine with SSL enabled while it is disabled on others.
-
- Posts: 14
- Joined: Wed Apr 19, 2017 3:21 pm
Re: Disabling SSL in REALLY old Nagios self compiled setup
commands.cfg attached
- Attachments
-
- commands.cfg
- (8.42 KiB) Downloaded 324 times
Re: Disabling SSL in REALLY old Nagios self compiled setup
Try this:
Code: Select all
###############################################################################
# SERVICE DEFINITIONS - servername
###############################################################################
#### Server template ####
define service{
name generic-servername
use generic-service
host_name servername
contact_groups UNIX_admins
register 0
}
# Disk checking definitions
define service{
use generic-servername
service_description root
check_command check_nrpe!check_root -n
}
define service{
use generic-servername
service_description boot
check_command check_nrpe!check_boot -n
}
define service{
use generic-servername
service_description tmp
check_command check_nrpe!check_tmp -n