How to secure connection between check_nrpe and NSClient++


#1

Hello guys, I run an Ubuntu server with Nagios Core 4 installed. I compiled the check_nrpe plugin with SSL enabled from nrpe 3.0.1 and installed it. The machine I want to monitor runs Windows Server 2012 and NSClient++ v.0.5.0.62. I want to secure the communication between both with either SSL or a CA certificate. I generated the certs as mentioned in the README.SSL.md in the nrpe 3.0.1 folder.

I entered the host IP in the settings .ini file, the plain connection works!

This is my nsclient.ini:

[/settings/NRPE/server]
insecure = false
use ssl = true 
ssl options = no-sslv2,no-sslv3
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
port = 5666
verify mode = peer-cert
certificate = ${exe-path}\db_server.pem
certificate key = ${exe-path}\db_server.key
ca= ${exe-path}\ca_cert.pem
allow nasty characters = 1
allow arguments = 0 
extended respone = 0

On my Nagios machine I’m using this command:

./check_nrpe -H certificate-key=NSCP_Client/NSCP_Client.key certificate=NSCP_Client/NSCP_Client.pem ca=NSCP_Client/ca.pem verify=peer-cert -c check_cpu

I always get this error:

2017-04-12 10:31:41: debug:c:\source\master\include\nrpe/server/protocol.hpp:72: Accepting connection from: xx.xx.xx.xxx, count=1
2017-04-12 10:31:41: error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: sslv3 alert handshake failure: 1040

Is there any simple way to secure the connection between the check_nrpe plugin on linux and the nsclient++ on windows?


#2

Is there any difference in the “check_nrpe” plugin that comes with nrpe v3.0.1 and the one coming with nsclient++? I am using the “check_nrpe” from the nrpe install with my nsclient++. Does SSL/Cert. work with this setup? If not what do I need?


#3

I am most interested in learning about this as well; I will keep an eye on this post.


#4

Has any progress been made here? I’m so far unable to compile any version of check_nrpe that works against the current NSClient++ in SSL mode. An old check_nrpe on a very old Ubuntu 10 works fine, but we’re in the midst of upgrading to Naemon on Ubuntu 18, and the incompatibility is a show-stopper. Has anyone gotten any version of check_nrpe, running on a current Ubuntu, to connect using SSL to a current NSClient++ on Windows?

What I’ve been able to do is take the binaries of check_nrpe that I’d compiled for both version 2 and 3.0 on Ubuntu 10, copy them to Ubuntu 18, then compile openssl-0.9.8zh.tar.gz from https://www.openssl.org/source/old/0.9.x/ (they’d been compiled to link to an earlier 0.9.8) with “./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib”, install that, add it through ldconfig, and the old check_nrpe’s work (at least one of them) against various NSClient++ versions up to the present one, as long as the present one has this added under [/settings/NRPE/server]: allowed ciphers=ALL.

This is obviously not the best way to do it, although all our tests are either LAN or through encrypted tunnels, so nrpe’s encryption strength is not a critical concern here. It would be good if someone, somewhere would document the better options for this. If that doc is out there, I spent a day looking and couldn’t find it.
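An added example, not part of any post in this thread: a small audit of the [/settings/NRPE/server] section that shows what the "allowed ciphers=ALL" workaround from post #4 gives up compared with the cipher string in post #1. OpenSSL's ALL keyword includes anonymous (ADH) suites, which do not authenticate the server. The function name, the finding texts, the accepted boolean spellings and the handling of a missing "verify mode" are assumptions made for this sketch.

```python
import configparser
import re

SECTION = "/settings/NRPE/server"
# Cipher classes post #1 removes from ALL; OpenSSL's ALL keyword includes
# the anonymous (ADH) suites, which do not authenticate the server.
REQUIRED_EXCLUSIONS = ("ADH", "LOW", "EXP", "MD5")
TRUE_VALUES = {"1", "true", "yes", "on"}  # assumed boolean spellings

def audit_nrpe_tls(ini_text):
    """Return findings for the [/settings/NRPE/server] section of an nsclient.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        return [f"section [{SECTION}] not found"]
    s = cp[SECTION]
    findings = []
    if s.get("use ssl", "").strip().lower() not in TRUE_VALUES:
        findings.append("use ssl is not enabled")
    if s.get("insecure", "").strip().lower() in TRUE_VALUES:
        findings.append("insecure is enabled")
    # Assumption: a missing verify mode is treated like "none".
    if s.get("verify mode", "none").strip().lower() == "none":
        findings.append("verify mode does not check the peer certificate")
    # OpenSSL cipher strings separate tokens with ':', ',' or spaces.
    tokens = [t for t in re.split(r"[:, ]+", s.get("allowed ciphers", "")) if t]
    if "ALL" in tokens:
        excluded = {t[1:] for t in tokens if t[0] in "!-"}
        if "aNULL" in excluded:  # aNULL covers the ADH suites
            excluded.add("ADH")
        missing = [c for c in REQUIRED_EXCLUSIONS if c not in excluded]
        if missing:
            findings.append("allowed ciphers: ALL without " + ", ".join("!" + c for c in missing))
    return findings

# Constructed samples: the TLS-related keys from post #1, and the same section
# with the "allowed ciphers=ALL" change that post #4 describes.
POST1_INI = """[/settings/NRPE/server]
insecure = false
use ssl = true
ssl options = no-sslv2,no-sslv3
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
verify mode = peer-cert
"""
POST4_INI = POST1_INI.replace("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", "ALL")

if __name__ == "__main__":
    for name, text in (("post #1", POST1_INI), ("post #4", POST4_INI)):
        print(name, audit_nrpe_tls(text) or "no findings")
```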