Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

NSclient SSL errors with SSL disabled

https://support.nagios.com/forum/viewtopic.php?t=61159

Page 1 of 1

NSclient SSL errors with SSL disabled

Posted: Tue Jan 05, 2021 9:58 am
by hilly
I've been upgrading to a newer version (0.5.2.35) of the NSClient++ on the Windows servers we monitor. Initially I need to get the clients communicating without using SSL. My nsclient.ini looks like this:

Code: Select all

[/settings/default]
allowed hosts = 172.16.5.1

[/settings/log]
file name nsclient-debug.log
level = debug
verify mode = none
insecure = true

[/modules]
CheckExternalScripts = disabled
CheckHelpers = disabled
CheckEventLog = disabled
CheckNSCP = disabled
CheckDisk = enabled
CheckSystem = enabled
NSClientServer = enabled
NRPEServer = enabled

[settings/NRPE/server]
use ssl = false
allow arguments = true
allow nasty characters = true
allowed hosts = 172.16.5.1
port = 5666
insecure = true
verify mode = none
Note the "use ssl = false"

To test I run a quick command line from the Nagios server (Debian) with the "-n" option to disable server side SSL:

Code: Select all

root@monitor:/usr/local/nagios/libexec# ./check_nrpe -H 172.16.7.11 -n -4 -p 5666
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).
Checking the NSClient log on the Windows server I see this:

Code: Select all

2021-01-05 08:39:25: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 172.16.5.1, count=1
2021-01-05 08:39:25: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2021-01-05 08:39:25: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
What gives? I've got SSL disabled in the INI file, and I'm disabling it on the command line check, but the log is telling me that the other end is not using SSL, that the protocol is "unknown", and not sending any reply data.

A few other notes:
check_nt commands work fine without SSL
I've installed the latest check_nrpe plugin with no change

I need to get this solved before the new Windows servers go live. I'd appreciate any thoughts anyone might have.

Re: NSclient SSL errors with SSL disabled

Posted: Tue Jan 05, 2021 11:19 am
by gormank
Nrpe on the nagios server is the initiator and nsclient is the listener. Change the args to check_nrpe to disable SSL and I think that will fix things.

Re: NSclient SSL errors with SSL disabled

Posted: Tue Jan 05, 2021 12:26 pm
by hilly
Disabling SSL in check_nrpe is in the command line I listed. It's the "-n", which is the short form of "--no-ssl"

root@monitor:/usr/local/nagios/libexec# ./check_nrpe -H 172.16.7.11 -n -4 -p 5666

Re: NSclient SSL errors with SSL disabled

Posted: Tue Jan 05, 2021 1:52 pm
by gormank
Sorry,
I somehow missed that, and the windows side is even complaining about SSL being disabled on the nrpe side. It's not what you want but maybe enable it? Or try disabled instead of false?

Re: NSclient SSL errors with SSL disabled

Posted: Tue Jan 05, 2021 4:41 pm
by hilly
No worries, that little "-n" is easy to miss.

Everything else I have using legacy clients works without SSL. Also, my requirements for this project are to not use SSL.
I just can't figure out why it is apparently ignoring the "use ssl = false" directive.
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited