Issue connecting to agent on Mac OS
Posted: Mon Nov 01, 2021 8:19 am
by pturner75
I have a new install, and am trying to deploy the agent to Mac OS system. The agent will deploy, but when I try to run the wizard, it gives a "Could not connect to host" error. When I run the check_ncpa.py command from the CLI, with the correct IP and token, I get
UNKNOWN: An error occured connecting to API. (Connection error: '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1131)')
I have several other devices being monitored and they are fine. The issue is when I try to add an agent to a Mac system.
Linux Distribution and version? Ubuntu 20.04.3
32 or 64bit? 64 bit
VMware Image or Manual Install of XI? Manual install
Are there special configurations on your system, ie;
is Gnome installed? No
Are you using a proxy? No
Are you using SSL? no
On Nagios server:
root@nagios:/usr/local/nagios/libexec# ./check_ncpa.py -H 10.2.95.250 -t <token redacted> --list
UNKNOWN: An error occured connecting to API. (Connection error: '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1131)')
On target server:
deviceconnect@Alpha-3 log % ps -ef |grep ncpa
502 65046 1 0 8:27AM ?? 0:00.46 /usr/local/ncpa/ncpa_passive -n
502 65112 1 0 8:27AM ?? 0:00.46 /usr/local/ncpa/ncpa_listener -n
NCPA plugin version is 2.3.1 (latest)
Verified the tokens match between server and target.
Target is running Mac Big Sur 11.2.3
Re: Issue connecting to agent on Mac OS
Posted: Mon Nov 01, 2021 2:41 pm
by kfanselow
Hi pturner75,
The first thing to do is double check the firewall on your Mac system and ensure that access to port 5693 is allowed from your Nagios XI server.
https://support.apple.com/guide/mac-hel ... 0/mac/11.0
Second, using telnet, could you verify that you're able to establish a socket connection on port 5693 from your XI server?
The string "Escape character is '^]'." indicates that you were able to successfully establish a socket connection.
If you are able to establish a socket connection try connecting from the XI server using curl:
curl -ik https://MAC-IP-ADDRESS:5693
You should see a 302 redirect message.
After these tests please send the following files from your Mac system to me via PM and we can take a look:
/usr/local/ncpa/var/log/ncpa_listener.log
/usr/local/ncpa/etc/ncpa.cfg
Thanks and Best Regards,
Keith
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 6:31 am
by pturner75
Firewall is verified as being off. Screenshot of firewall, log, and config attached.
Connection attempts from the Nagios server itself:
phil@nagios:~$ telnet 10.2.95.250 5693
Trying 10.2.95.250...
Connected to 10.2.95.250.
Escape character is '^]'.
^]
telnet> q
Connection closed.
phil@nagios:~$ curl -ik https://10.2.95.250:5693
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
phil@nagios:~$
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 6:37 am
by pturner75
Unable to send files as PM
"We are sorry, but you are not authorised to use this feature. You may have just registered here and may need to participate more to be able to use this feature."
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 6:43 am
by pturner75
If I try to connect from another Mac system through the web browser with
https://10.2.95.250:5693/testconnect/?token=<token redacted>, I get the expected Success message:
{
"value": "Success."
}
So the listener is running and accepting connections, it just can't connect from the Nagios server.
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 7:03 am
by pturner75
From Nagios server:
phil@nagios:/usr/local/nagiosxi/var$ curl -vik https://10.2.95.250:5693/api/system/age ... ken=<token redacted>
* Trying 10.2.95.250:5693...
* TCP_NODELAY set
* Connected to 10.2.95.250 (10.2.95.250) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
* Closing connection 0
curl: (35) error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
And connecting to the gui interface on the client at 10.2.95.250 using
https://10.2.95.250:5693/gui/admin
I can see that SSL is TLSv1.2. It looks like it's a TLS mismatch and the server isn't stepping down to TLSv1.2.
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 7:25 am
by pturner75
Found the root cause. Nagios server is apparently enforcing the TLS version. I created a file called 'openssl_allow_tls1.0.cnf' in my home directory and put the following in it.
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
I then ran
export OPENSSL_CONF=~/openssl_allow_tls1.0.cnf
Running curl -ik https://10.2.95.250:5693
I then received the expected 302 redirect response.
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 219
Location: https://10.2.95.250:5693/login
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Set-Cookie: session=eyJyZWRpcmVjdCI6Imh0dHBzOi8vMTAuMi45NS4yNTA6NTY5My8ifQ.FGK_Vw.7tbyB9TF2fw1Bgf3hRZAePkNtE0; Secure; HttpOnly; Path=/
Date: Tue, 02 Nov 2021 12:23:51 GMT
Re: Issue connecting to agent on Mac OS
Posted: Tue Nov 02, 2021 7:58 am
by pturner75
Functioning workaround/fix is as follows:
On the Nagios Server: (Ubuntu 20.04 server)
Edit /etc/ssl/openssl.cnf
Add the following at the top of the file:
Add the following at the end of the file:
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
Save the file and reboot the server.
I'm now able to access the NCPA plugin on the Mac systems.
It looks like TLS is falling back to 1.0 when trying to connect, which was deprecated out in Ubuntu 20.04.
When I made the testing changes I detailed in a previous post, curl -v showed the following info
phil@nagios:~$ curl -vik https://10.2.95.250:5693
* Trying 10.2.95.250:5693...
* TCP_NODELAY set
* Connected to 10.2.95.250 (10.2.95.250) port 5693 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Minnesota; L=St. Paul; O=Nagios Enterprises, LLC; OU=Development; CN=Alpha-3.local
* start date: Nov 1 12:27:34 2021 GMT
* expire date: Oct 30 12:27:34 2031 GMT
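The curl trace above shows the agent completing the handshake only at TLSv1.0 / AES256-SHA, which is what the XI server's default OpenSSL policy rejects. The added Python below (not from this thread or from NCPA) pins a client context to one TLS version at a time and probes the agent port, so an operator can confirm the legacy-only diagnosis and see whether any newer version works before lowering SECLEVEL for the whole server in /etc/ssl/openssl.cnf; the relaxed cipher level lives only inside the probe's own SSLContext. The agent IP 10.2.95.250 and port 5693 are the thread's values; the verdict strings are my own.

```python
import socket
import ssl

TLS_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]

def _context_for(version):
    # Client context pinned to exactly one protocol version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # NCPA ships a self-signed cert; only the handshake matters here
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Relax the security level for this probe's context only, not in /etc/ssl/openssl.cnf.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    return ctx

def probe_tls_versions(host, port=5693, timeout=3.0):
    # Returns {version_name: (handshake_ok, detail)} for every version tried.
    results = {}
    for name, version in TLS_VERSIONS:
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError) as exc:  # version compiled out of the local OpenSSL
            results[name] = (False, f"not available locally: {exc}")
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = (True, f"{tls.version()} / {tls.cipher()[0]}")
        except (OSError, ssl.SSLError) as exc:  # refused, timed out, or protocol-version alert
            results[name] = (False, str(exc))
    return results

def classify(results):
    # The verdict an operator needs before touching the server-wide OpenSSL policy.
    supported = [name for name, (ok, _) in results.items() if ok]
    if not supported:
        return "no TLS handshake succeeded (port closed, filtered, or not TLS)"
    if "TLSv1.2" in supported or "TLSv1.3" in supported:
        return "ok: agent supports TLS 1.2+; no OpenSSL policy change needed"
    return ("legacy-only: agent negotiates only " + ", ".join(supported)
            + "; Ubuntu 20.04's default OpenSSL policy (SECLEVEL=2) refuses this")

if __name__ == "__main__":
    import sys
    print(classify(probe_tls_versions(sys.argv[1] if len(sys.argv) > 1 else "10.2.95.250")))
```

Run it from the XI server with the agent's IP as the argument; a "legacy-only" verdict means the agent side, not the server, needs attention.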
Re: Issue connecting to agent on Mac OS
Posted: Wed Nov 03, 2021 11:24 am
by kfanselow
Hi pturner75,
I'm sorry for the latency in our reply but excellent job diagnosing the problem. We've started to see a number of cases where TLS 1.0 and TLS 1.1 are being deprecated by providers. I will add this information to our internal discussion on the subject. Thanks!!!
Thanks and Best Regards,
Keith