
NRPE SSL configuration

Posted: Fri Oct 13, 2017 10:02 pm
by almace
After working through this: https://support.nagios.com/kb/article.php?id=519, I've got certificates on both my Nagios server and my test web host running CentOS 7. With this configuration, I am able to get a successful return from check_nrpe:

Code:

# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
#         1 = Ask for client certificates
#         2 = Require client certificates

ssl_client_certs=0

However, as soon as I set that option to 2 and restart the service to force the use of my SSL certificates, I start getting the following from my Nagios server:

Code:

/usr/local/nagios/libexec/check_nrpe  -H <ip>
CHECK_NRPE: Error - Could not complete SSL handshake.

Any ideas where the breakdown might be? I've searched around a bit on the forums before posting this but I've not found any solutions that worked.

Thank you.

Re: NRPE SSL configuration

Posted: Mon Oct 16, 2017 1:02 pm
by npolovenko
Hello, @almace.
Is your core running under xinetd or as a standalone service?

Copy this whole command and try to run it from the Nagios server's command line. But replace the IP address with your client's IP address (where NRPE is installed).

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 102.123.12.21

And post the output here.

Re: NRPE SSL configuration

Posted: Tue Oct 17, 2017 3:15 pm
by almace
My core installation is a standalone service.

That command isn't supported on my core server:

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 107.170.29.197
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'A'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'C'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'K'

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [ -b <bindaddr> ] [-4] [-6] [-n] [-u] [-p <port>] [-t <timeout>] [-c <command>] [-a <arglist...>]

Options:
 -n         = Do no use SSL
 -u         = Make socket timeouts return an UNKNOWN state instead of CRITICAL
 <host>     = The address of the host running the NRPE daemon
 <bindaddr> = bind to local address
 -4         = user ipv4 only
 -6         = user ipv6 only
 [port]     = The port on which the daemon is running (default=5666)
 [timeout]  = Number of seconds before connection times out (default=10)
 [command]  = The name of the command that the remote daemon should run
 [arglist]  = Optional arguments that should be passed to the command.  Multiple
              arguments should be separated by a space.  If provided, this must be
              the last option supplied on the command line.

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here.  Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin.  This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.

Re: NRPE SSL configuration

Posted: Tue Oct 17, 2017 3:45 pm
by dwasswa
Hi @almace,

I see you have a CHECK_NRPE: Error - Could Not Complete SSL Handshake error.

Follow this guide to solve that issue.
Could Not Complete SSL Handshake

Re: NRPE SSL configuration

Posted: Tue Oct 17, 2017 3:51 pm
by almace
I did some digging on this and I was actually several versions back on NRPE. I installed the latest version and I am now able to connect to the test device:

Code:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 107.170.29.197
NRPE v3.1.1

This thread can be closed.

Thank you for the assistance.
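
A pre-flight check for the failure in this thread, as an added example that is not part of any post: it reads `check_nrpe` output for rejected `-A`/`-C`/`-K` options and uses `openssl` to confirm that a certificate matches its key and verifies against the CA. The function names are hypothetical and the sample output is constructed from the lines posted above.

```shell
#!/bin/sh
# Added example: pre-flight checks before setting ssl_client_certs=2.
# Function names are hypothetical; only check_nrpe's -A/-C/-K come from the thread.

# Constructed sample: the error and banner lines an NRPE 2.15 plugin printed above.
sample_old_output() {
cat <<'EOF'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'A'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'C'
/usr/local/nagios/libexec/check_nrpe: invalid option -- 'K'
NRPE Plugin for Nagios
Version: 2.15
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
EOF
}

# Print which of -A/-C/-K the plugin rejected (stdin: check_nrpe output).
missing_cert_options() {
    sed -n "s/.*invalid option -- '\([ACK]\)'.*/\1/p" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print the plugin version from the "Version:" banner line, if present.
plugin_version() {
    sed -n 's/^Version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only if the plugin accepted the certificate options.
plugin_can_send_certs() {
    out=$(cat)
    missing=$(printf '%s\n' "$out" | missing_cert_options)
    if [ -n "$missing" ]; then
        echo "check_nrpe $(printf '%s\n' "$out" | plugin_version) rejects: $missing"
        return 1
    fi
}

# Succeed only if the certificate ($1) and private key ($2) share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate ($2) verifies against the CA file ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

sample_old_output | plugin_can_send_certs || true
```

On a real Nagios server, pipe the combined stdout and stderr of the `check_nrpe -A ... -C ... -K ... -H <ip>` command into `plugin_can_send_certs`, and pass the same CA, certificate and key paths to the two `openssl` checks.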

Re: NRPE SSL configuration

Posted: Tue Oct 17, 2017 4:04 pm
by npolovenko
That's great! And remember to change your check nrpe command in XI to pass the certificates as well.
[Screenshot attachment]
to

Code:

$USER1$/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$

Closing the topic.