OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Wed Jun 12, 2019 12:22 pm
by awilson
Hi. We are running Nagios XI 5.4.4, nrpe 3.2.1, and openssl 1.0.2k-fips 26 Jan 2017 on a Redhat 7 server. We are getting ssl handshake errors when attempting service checks. I'm confirming with the security team to see if they made any recent changes. The checks on the server started generating errors yesterday.

The remote server's nrpe is compiled with SSL enabled. We've tried the service check using check_nrpe using the "-n" parameter and without it.

The Nagios host check_nrpe is 2.15

Code:

[nagios@nagioshost libexec]$ ./check_nrpe --help

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
//snip

Service check w/o -n flag
~~~~~~~~~~~~~~~~~~~~
[nagios@nagioshost ~]$ /usr/local/nagios/libexec/check_nrpe -H remote ip -t 30 -c check_disk -a '-w 90 -c 95 -p /'
CHECK_NRPE: Error - Could not complete SSL handshake.

Code:

[nagios@nagioshost ~]$ /usr/local/nagios/libexec/check_nrpe -H remote ip -t 30 -c check_disk -a -n '-w 90 -c 95 -p /'

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
//snip

Remote server software versions
~~~~~~~~~~~~

Code:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)

$ nrpe --version
NRPE - Nagios Remote Plugin Executor
Version: 3.2.1

NRPE - Nagios Remote Plugin Executor
Version: 3.2.1

Copyright (c) 2009-2017 Nagios Enterprises
              1999-2008 Ethan Galstad ([email protected])

Last Modified: 2017-09-01

License: GPL v2 with exemptions (-l for more info)

SSL/TLS Available, OpenSSL 0.9.6 or higher required


[nagios@host ~]
$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[nagios@host ~]

Thanks

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Wed Jun 12, 2019 12:41 pm
by lmiltchev
Did you forget to add the Nagios XI server's IP address to the nrpe.cfg on the client machine, and restart NRPE?

Example:

Code:

allowed_hosts=127.0.0.1,x.x.x.x

where you substitute x.x.x.x with the actual IP address of your Nagios XI server.

Note: The example above describes a case where NRPE is run as a standalone daemon. If NRPE is running under xinetd, you will need to modify the /etc/xinetd.d/nrpe file and restart xinetd, so that changes can take effect.

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Wed Jun 12, 2019 5:13 pm
by awilson
This is in /etc/xinetd.d/nrpe. We are using xinetd.

Code:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags                = REUSE
        socket_type     = stream
        port                 = 5666
        wait                 = no
        user                 = nagios
        group               = nagios
        server              = /usr/local/nagios/bin/nrpe
        server_args      = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable            = no
        only_from = 127.0.0.1 10.10.83.90 10.10.83.97
}


Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Thu Jun 13, 2019 9:32 am
by lmiltchev
Can you confirm that your Nagios XI server's IP is one of the two IPs listed in the /etc/xinetd.d/nrpe file on the client (10.10.83.90 or 10.10.83.97)?

Run the following command on your Nagios XI server, and show the output:

Code:

ip addr

Even though this issue is not very common, you may be hitting the maximum connection limit of NRPE. Try adding the following two lines to the /etc/xinetd.d/nrpe file:

Code:

per_source = UNLIMITED
instances = UNLIMITED

as described here, and restart xinetd:

Code:

service xinetd restart

Let's see the output of the following commands too:

On the client (remote machine):

Code:

netstat -an | grep nrpe
ps axuw | grep nrpe
/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1

On the Nagios XI server:

Code:

/usr/local/nagios/libexec/check_nrpe -H <client ip>
nmap <client ip> -p 5666
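
The two allow-lists named in this thread, allowed_hosts in nrpe.cfg (NRPE as a standalone daemon) and only_from in /etc/xinetd.d/nrpe (NRPE under xinetd), can be checked against the monitoring server's address before rerunning check_nrpe. The script below is an added example, not code from the thread or from Nagios; the function names and the mode words daemon/xinetd are hypothetical, only plain IPv4 and CIDR entries are handled, and the sample inputs are constructed (192.0.2.0/24 is a documentation range).

```shell
#!/bin/sh
# Added example (not from the thread). Handles plain IPv4 and CIDR entries only.

# Dotted-quad IPv4 -> integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.; set -f; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds if address $1 equals entry $2 or falls inside CIDR entry $2.
ip_matches() (
    ip=$1 entry=$2
    case $entry in
        */*) bits=${entry#*/}
             if [ "$bits" -eq 0 ]; then mask=0
             else mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF )); fi
             [ $(( $(ip2int "$ip") & $mask )) -eq $(( $(ip2int "${entry%/*}") & $mask )) ] ;;
        *)   [ "$ip" = "$entry" ] ;;
    esac
)

# Print the entries of "key = ..." / "key += ..." lines read from stdin.
cfg_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*[+]\{0,1\}=[[:space:]]*//p" | tr ',' ' '
}

# nrpe_acl_verdict <ip> <daemon|xinetd> <config text>
# Prints listed, not-listed, or unset (key absent from the text).
nrpe_acl_verdict() (
    ip=$1 mode=$2 text=$3
    case $mode in
        daemon) key=allowed_hosts ;;  # nrpe.cfg, NRPE as standalone daemon
        xinetd) key=only_from ;;      # /etc/xinetd.d/nrpe
        *) echo "mode must be daemon or xinetd" >&2; exit 2 ;;
    esac
    entries=$(printf '%s\n' "$text" | cfg_values "$key")
    [ -n "$entries" ] || { echo unset; exit 0; }
    for e in $entries; do
        if ip_matches "$ip" "$e"; then echo listed; exit 0; fi
    done
    echo not-listed
)

# Constructed samples; the only_from line is the one posted in the thread.
XINETD_SAMPLE='service nrpe
{
        only_from = 127.0.0.1 10.10.83.90 10.10.83.97
}'
NRPE_CFG_SAMPLE='allowed_hosts=127.0.0.1,192.0.2.0/24'

nrpe_acl_verdict 10.10.83.90 xinetd "$XINETD_SAMPLE"
```

On a real client, pass the file contents as the third argument, for example "$(cat /etc/xinetd.d/nrpe)"; a changed file still needs the xinetd or NRPE restart mentioned above before the new list applies.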

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Thu Jun 13, 2019 12:32 pm
by awilson
As my father-in-law used to say when I missed a putt, "I must have not been holding my mouth right." //smile

It is working properly now. I guess that the sequence of asking the admin to restart xinetd and our updates didn't sync correctly.

Thanks for your help. You can close it now.

If I hear hoofbeats, think horses instead of zebras. //smile

Re: OpenSSL || NRPE || Nagios XI Version Compatibility

Posted: Thu Jun 13, 2019 12:44 pm
by lmiltchev
:) :) :) I am glad I was able to help!