NRPE is not connecting via Nagios site

[dirhea]

Hi,

I have installed Nagios Core on a machine and am trying to setup monitoring of Linux machines.

NRPE has been setup on both the monitoring server and also the other machines as per this guide
https://assets.nagios.com/downloads/nag ... e/NRPE.pdf

Testing the connection from the command line with using something like
/usr/local/nagios/libexec/check_nrpe -H <ip-address>
works fine and returns the version
Likewise running the command for server load, returns as expected the server load

I have then gone on to setting up the commands on the Nagios Core as specified in the guide
for example in commands.cfg
define command{
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

and then in the service definition file for the host for example
define service{
use generic-service
host_name remotehost
service_description CPU Load
check_command check_nrpe!check_load
}

Checking the config file was successful and restarting Nagios restarts the site with no issues however the monitor is not returning the results, instead it is saying

Error: the client certificate and the private key must both be given or neither

Incorrect command line arguments supplied

NRPE Plugin for Nagios
Version: 4.1.3

Copyright (c) 2009-2017 Nagios Enterprises
1999-2008 Ethan Galstad ([email protected])

Last Modified: 2024-12-10

License: GPL v2 with exemptions (-l for more info)

SSL/TLS Available: OpenSSL 0.9.6 or higher required

Usage: check_nrpe -H <host> [-2] [-3] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]
[-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]
[-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]
[-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]
[-c <command>] [-E] [-D] [-a <arglist...>]

Options:
-H, --host=HOST The address of the host running the NRPE daemon
-2, --v2-packets-only Only use version 2 packets, not version 3/4
-3, --v3-packets-only Only use version 3 packets, not version 4
-4, --ipv4 Bind to ipv4 only
-6, --ipv6 Bind to ipv6 only
-n, --no-ssl Do no use SSL
-u, --unknown-timeout Make connection problems return UNKNOWN instead of CRITICAL
-V, --version Print version info and quit
-l, --license Show license
-E, --stderr-to-stdout Redirect stderr to stdout
-d, --use-adh=DHOPT Anonymous Diffie Hellman use:
0 Don't use Anonymous Diffie Hellman
(This will be the default in a future release.)
1 Allow Anonymous Diffie Hellman (default)
2 Force Anonymous Diffie Hellman
-D, --disable-syslog Disable logging to syslog facilities
-P, --payload-size=SIZE Specify non-default payload size for NSClient++
-S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:
TLSv1 TLS v1 only
TLSv1+ TLS v1 or above (DEFAULT)
TLSv1.1 TLS v1.1 only
TLSv1.1+ TLS v1.1 or above
TLSv1.2 TLS v1.2 only
TLSv1.2+ TLS v1.2 or above
-L, --cipher-list=LIST The list of SSL ciphers to use (currently defaults
to "ALL:!MD5:@STRENGTH:@SECLEVEL=0". THIS WILL change in a future release.)
-C, --client-cert=FILE The client certificate to use for PKI
-K, --key-file=FILE The private key to use with the client certificate
-A, --ca-cert-file=FILE The CA certificate to use for PKI
-s, --ssl-logging=OPTIONS SSL Logging Options
-b, --bind=IPADDR Local address to bind to
-f, --config-file=FILE Configuration file to use
-g, --log-file=FILE Log file to write to
-p, --port=PORT The port on which the daemon is running (default=5666)
-c, --command=COMMAND The name of the command that the remote daemon should run
-a, --args=LIST Optional arguments that should be passed to the command,
separated by a space. If provided, this must be the last
option supplied on the command line.
-e Enable syslog debug messages.

NEW TIMEOUT SYNTAX
-t, --timeout=INTERVAL:STATE
INTERVAL Number of seconds before connection times out (default=10)
STATE Check state to exit with in the event of a timeout (default=CRITICAL)
Timeout STATE must be a valid state name (case-insensitive) or integer:
(OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3)

Note:
This plugin requires that you have the NRPE daemon running on the remote host.
You must also have configured the daemon to associate a specific plugin command
with the [command] option you are specifying here. Upon receipt of the
[command] argument, the NRPE daemon will run the appropriate plugin command and
send the plugin output and return code back to *this* plugin. This allows you
to execute plugins on remote hosts and 'fake' the results to make Nagios think
the plugin is being run locally.

Clearly this is some sort of SSL error when Nagios Core tries to use NRPE which isn't happening when it's called by the command line.

What steps need to be taken to get this working? I have tried the same thing on various Linux machines which come back with the same basic results

[ekapsner]

Hello @dirhea,

I am looking into reproducing this and I have a couple of questions.
- What compiler did you use?
- What SSL headers and libraries did you use?
- What distros are you using?

Thanks,
- Emmett

[dirhea]

I followed exactly the instructions in the PDF guide linked. So the first two will be exactly as the guide states

This is all on Ubuntu 24.04 (even starting with a fresh install for core & even a clean install for a machine to monitor)

[ekapsner]

@dirhea,

The reason I ask is that the guide does not specify which compiler or SSL library to use, but since you are on Ubuntu, it's probably GCC and OpenSSL. Just to verify, will you run the following and let me know what it says.

Code: Select all

dpkg -l | grep libssl-dev
dpkg -l | grep gcc

Also, just to double check, will you run the check command as the nagios user on the Core machine?

Code: Select all

sudo -u nagios /usr/local/nagios/libexec/check_nrpe -H <NRPE address> -c check_load

And the following on the NRPE machine?

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load

[dirhea]

Ok, from one of the machines I'm trying to monitor (which is a Debian 12 lxc):

dpkg -l | grep libssl-dev
ii libssl-dev:amd64 3.0.19-1~deb12u2 amd64 Secure Sockets Layer toolkit - development files

dpkg -l | grep gcc
ii gcc 4:12.2.0-3 amd64 GNU C compiler
ii gcc-12 12.2.0-14+deb12u1 amd64 GNU C compiler
ii gcc-12-base:amd64 12.2.0-14+deb12u1 amd64 GCC, the GNU Compiler Collection (base package)
ii libgcc-12-dev:amd64 12.2.0-14+deb12u1 amd64 GCC support library (development files)
ii libgcc-s1:amd64 12.2.0-14+deb12u1 amd64 GCC support library

Then from the machine core is running on:

dpkg -l | grep libssl-dev
ii libssl-dev:amd64 3.0.13-0ubuntu3.9 amd64 Secure Sockets Layer toolkit - development files

dpkg -l | grep gcc
ii gcc 4:13.2.0-7ubuntu1 amd64 GNU C compiler
ii gcc-13 13.3.0-6ubuntu2~24.04.1 amd64 GNU C compiler
ii gcc-13-base:amd64 13.3.0-6ubuntu2~24.04.1 amd64 GCC, the GNU Compiler Collection (base package)
ii gcc-13-x86-64-linux-gnu 13.3.0-6ubuntu2~24.04.1 amd64 GNU C compiler for the x86_64-linux-gnu architecture
ii gcc-14-base:amd64 14.2.0-4ubuntu2~24.04.1 amd64 GCC, the GNU Compiler Collection (base package)
ii gcc-x86-64-linux-gnu 4:13.2.0-7ubuntu1 amd64 GNU C compiler for the amd64 architecture
ii libgcc-13-dev:amd64 13.3.0-6ubuntu2~24.04.1 amd64 GCC support library (development files)
ii libgcc-s1:amd64 14.2.0-4ubuntu2~24.04.1 amd64 GCC support library

If I run
sudo -u nagios /usr/local/nagios/libexec/check_nrpe -H <NRPE address> -c check_load
on the Core machine it returns
CRITICAL - load average per CPU: 0.45, 0.63, 0.64|load1=0.450;0.150;0.300;0; load5=0.630;0.100;0.250;0; load15=0.640;0.050;0.200;0;
(so that's working from the core machine by the looks of it)

and then
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load
CRITICAL - load average per CPU: 0.20, 0.46, 0.57|load1=0.195;0.150;0.300;0; load5=0.460;0.100;0.250;0; load15=0.575;0.050;0.200;0;

[ekapsner]

Hello @dirhea,

I was able to reproduce the error. The -c flag was likely swapped with -C, which is used to specify a client certificate. Double check your configs and make sure the check commands are defined like the following (with the lowercase c):

Code: Select all

define command {
	command_name check_nrpe
	command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

Let me know if this doesn't fix the error or if you have any other problems with NRPE.
- Emmett