Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Trouble with NRPE after XI Upgrade

https://support.nagios.com/forum/viewtopic.php?t=55832

Page 1 of 1

Trouble with NRPE after XI Upgrade

Posted: Tue Oct 01, 2019 11:33 am
by BollaertN
I am running Nagios XI in production on a CentOS 6.9 server running XI 5.4.13

I used the backup/restore method to put it onto an Ubuntu 18.04.03 box and then updated the version to the latest version.

However, I find the new box has thousands of errors along the lines of CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with x.x.x.x!

I see that the IP of my Nagios server is in the NRPE.cfg files for these systems. So I am slightly at a loss as to how to proceed.

Re: Trouble with NRPE after XI Upgrade

Posted: Tue Oct 01, 2019 1:30 pm
by mbellerue
Are you failing to communicate with all NRPE clients? Are the servers you're trying to monitor Windows, or Linux, or just a mix of operating systems?

Re: Trouble with NRPE after XI Upgrade

Posted: Wed Oct 02, 2019 8:25 am
by BollaertN
mbellerue wrote:Are you failing to communicate with all NRPE clients? Are the servers you're trying to monitor Windows, or Linux, or just a mix of operating systems?
It is a mix, and some are working and some are not.

For example I have two linux boxes, one is working, and one does not.

The only difference I can see is the working one is running NRPE 3.2.1 and the failing one is 2.15

When I run Check_Nrpe to the failing one I get CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.1.2.154: 1

Re: Trouble with NRPE after XI Upgrade

Posted: Wed Oct 02, 2019 1:30 pm
by mbellerue
BollaertN wrote:The only difference I can see is the working one is running NRPE 3.2.1 and the failing one is 2.15

When I run Check_Nrpe to the failing one I get CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.1.2.154: 1
Ah, this starts to come together now. Looks like this was a problem in NRPE sub 3.0.1, with newer versions of OpenSSL.
https://github.com/NagiosEnterprises/nrpe/issues/113

Is it possible to update the older clients?

Re: Trouble with NRPE after XI Upgrade

Posted: Wed Oct 02, 2019 2:00 pm
by BollaertN
We're talking hundreds of clients. Is there a quicker workaround solution?

Re: Trouble with NRPE after XI Upgrade

Posted: Thu Oct 03, 2019 8:59 am
by mbellerue
Reading through the thread, it looks like if you run through the enhance security configuration for NRPE, that will allow you to work around the issue. However, that still requires touching all of the clients. The only thing that you could do server side would be to install an older version of OpenSSL, which we highly advise against. But it is an option. Our best estimate is OpenSSL pre-1.1.0.

NRPE Enhanced Security
https://support.nagios.com/kb/article.php?id=519
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited