The new openssl package on the latest versions of Centos / RHEL/ Ubuntu / Debian cause compatibility issues that cause the check_nrpe plugin to fail when checking Windows Hosts running NSClient++.
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with xxx.xxx.xxx.xxx: 1
Failed to establish secure connection: sslv3 alert handshake failure: 1040
To fix this, do the following:
1. Generate DH key on the new Nagios server. (It will take a long time to generate so be patient)
For OpenSSL >= 3.0
openssl dhparam 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
For OpenSSL < 3.0
openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
The below is an example of the output:
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAsT8ZYluOSVjB67zI8HXRzAjVRsBGLktGbUm7Zfhtn5dYTMaEjSRx
+7McBGnmoJa9ty54UE/5/8rM1CFvA5VyEOakZHemTNvAofB40ZmEhgANVmbHZxtr
egvj4svxnvFM4gAfpsSe2C8DVbXXEJlUVfyacbfb4f9ko0l62XsTEQJGWGRxXca7
b66g5MY6eYxihavufmZmZPw4ZnBPEpoGpH2GKZ0obOEfACTrV01p+CbiVDJ9lpc7
KOxbXA+3nV5LRMSjlz83RuDdQ3QLcQQQ7cpWKEzAlHO/AO4BRqthmSBkTVWNeHoO
a4PNgZO2xdnLHJuK75YQJeLAOKI9xVgaCwIBAg==
-----END DH PARAMETERS-----
2. Paste the DH key to a new file "nrpe_dh_2048.pem" on the Windows server in the following location:
C:\Program Files\NSClient++\security\nrpe_dh_2048.pem
3. Open a command prompt in Windows (under user with admin privileges) and run these commands:
cd "\Program Files\NSClient++"
nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"
Or add the below under the [/settings/NRPE/server] section in the C:\Program Files\NSClient++\nsclient.ini file:
; DH KEY -
dh = ${certificate-path}/nrpe_dh_2048.pem
4. Restart NSClient++ service
net stop nscp && net start nscp
Test it:
/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx -2
I (0.5.0.62 2016-09-14) seem to be doing fine...
Article ID: 901
Created On: Fri, Apr 30, 2021 at 9:31 AM
Last Updated On: Sat, Oct 21, 2023 at 10:45 AM
Authored by: rspielman
Online URL: https://support.nagios.com/kb/article/openssl-causes-issue-with-check_nrpe-plugin-with-nsclient-901.html