Nagios check_nrpe authentication state


#1

I need to use certificate based authentication when accessing the NRPE module of an NSClient++ from a Nagios server. I can’t get past an SSL error.

I have since found some posts on different sites saying that certificate authentication does not work between Nagios and NSClient++; instead I need to install a ‘local’ NSClient++ on my nagios monitoring server and check via nagios to NSClient++ to NSClient++. However, these posts came from 2013.

Is this accurate and is it still the case?

Footnote: v0.5 says it enables the -A argument on check_nrpe. Does this have an impact?

The error, if it is relevant, is: sslv3 alert handshake failure: 1040 and, on the nagios side, Error - could not complete ssl handshake with 10.0.6.19: 1


#2

Nagios has recently (a few months ago) created a new version of check_nrpe which supposedly supports real certificates. But I have not tried this myself. With the “old” regular check_nrpe you cannot use certificates and thus require nsclient++ on both sides…


#3

Hi Jim

Have you ever found a way to get it working? I’m having the same error, and can’t find what I’m doing wrong.

I’m following this guide: https://web.archive.org/web/20130120204010/http://blog.medin.name/2012/12/02/securing-nrpe-with-certificate-based-authentication/

I’m running nsclient++ on windows server, and installed our Active Directory CA certificate + certificates signed for the windows server in the security/ directory. If I run nscp test on the windows server itself with following command, it’s successful.

nscp nrpe --host 127.0.0.1 --ca security\ca.pem --verify peer-cert --allowed-ciphers ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH --certificate security\server.pem --certificate-key security\server_key.pem
I (0.5.0.62 2016-09-14) seem to be doing fine…

However, if I run it from my nagios host, I always get the error you mentioned. From my command line on the linux host:

./check_nrpe -H x.x.x.x -A …/etc/ssl/ca.pem -C …/etc/ssl/client.pem -K …/etc/ssl/client_key.pem
CHECK_NRPE: Error - Could not complete SSL handshake with x.x.x.x: 1

The client.pem is signed by the same Active Directory CA.


#4

No, I’m afraid I never found a solution and had to settle for SSL (well, TLS) without authentication.


#5

Weird thing: I dropped it for 3 days, and wanted to give more info about my error on the Nagios forums yesterday, and when I ran check_nrpe again, it suddenly worked… Don’t know why. But it does work with encryption AND authentication…

I did finally find a way to use the ssl logging options in check_nrpe on the command line to debug when having issues: if you’re interested in more logs on the ssl connection, append ‘-s 0xff’ to your check_nrpe command. This will give you more debugging info in /var/log/messages . This is actually documented on https://support.nagios.com/kb/article.php?id=515&show_category=22.


#6

Weird. Still, good on you. Any chance that you could post your config file and the check_nrpe call you are making for it to work?


#7

I’ll hop in here as I’m having the same issue. Unfortunately one of the fixes (install NSClient on the monitoring system) won’t work as I’ve been unable to get it to build on SLES.

At any rate we have an MSCA (not using the RSASSA-PSS algorithm as it breaks production things). Using NRPE 3.0.1 I’m able to configure certificates without issue between Nagios 4.1.1 and my *nix machines. I figured that’d be the hard part.

When I configure NSClient (0.4.x through 0.5.0.62) I’m not having any luck. Depending on what I do I either wind up with a seg fault (-s 0xff or 0x2f) or Could not complete SSL handshake with {IPADDR}: 1 on the Linux side and the following error on the Windows Side.

2017-02-21 15:45:52: error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: tlsv1 alert unknown ca: 1048

The check command follows, along with the excerpt from the ini file for NSClient. As I know other pieces of software get picky, I tried with an extension of cer and pem on the windows certificates. The Root64 is a root and intermediate and the other certificate is just the certificate and not a full chain.

./check_nrpe -H IPADDRESS -A /opt/certificates/Root64.cer -C /opt/certificates/nag90_nagios.cer -K /opt/certificates/nag90_nagios.key

[/settings/default]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ca=security/Root64.pem
certificate = security/tst90_nagios.pem
certificate key = security/tst90_nagios.key

[/settings/NRPE/server]
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
verify mode = peer-cert
; Undocumented key
insecure = false


#8

Sadly, for what it’s worth, I didn’t seem to fall under the three day rule.


#9

Of note, if you ignore where the definitions should be you’ll get different errors. When the definitions are in the proper place I now get

error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: sslv3 alert handshake failure: 1040

As Jim did in his first post. Shifting the definitions intended for the NRPE Server into the default/server will give either a 1010 or a 1048 error.


#10

So perhaps I’ve read more into things than I should.

NRPE 3.0.1 now includes SSL AND certificate checking. I had made the assumption that this meant it would play nicely with the NSClient configuration AND that it was no longer ‘insecure’. So I proceeded with that assumption in the install and made the attempts to configure the certificates.

From NSCP to NSCP things worked OK and the packet capture indicated that certificates were being passed, then traffic was encrypted.

Running nscp nrpe install --insecure (and disabling verification, restarting services) I can now run checks with encrypted traffic to NSCP from check_nt. In my head I’m not doing an insecure installation and would rather be doing as secure an installation as possible.

So, it’s been not yet a year, will NSClient include the ability to perform certificate checks with the Nagios plugin check_nrpe at some point in the future? (Or perhaps I need to work on building NSCP on SLES)


#11

Hi Jim

Sorry for the wait, didn’t realise you had replied.

check_nrpe call: ./check_nrpe -H x.x.x.x -A Cacert.pem -C monitoring.pem -K monitoringkey.pem where Cacert.pem is the ca certificate, monitoring.pem is the certificate for the server from where the nrpe command is launched, and monitoringkey.pem is the private key of the server from where the command is launched.

Config on the machine that is running the nrpe-server (so the machine that needs monitoring):

[/settings/default]
allowed hosts = x.x.x.x #ipaddress of monitoring server where nrpe command is launched
cache allowed hosts = 1
password = password #I think this isn't used by us because I can't find any commands that use this in our config.
timeout = 90

[/modules]
CheckExternalScripts = 1
CheckNSCP = 1
NRPEServer = 1
CheckSystem = 1
CheckDisk = 1
CheckTaskSched = 1
NSClientServer = 1

[/settings/NRPE/server]
insecure = 0
use ssl = 1
verify mode = peer-cert
allow arguments = 1
;port = 5666
certificate key = C:\Program Files\NSClient++\security\server_key.pem #=private key of local machine (hosting nrpe server)
certificate = C:\Program Files\NSClient++\security\server.pem  #=certificate of local machine (hosting nrpe server)
ca = C:\Program Files\NSClient++\security\Cacert.pem #=CA certificate
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[/settings/NSClient/server]
insecure =0
use ssl = 1
verify mode = peer-cert
certificate key = C:\Program Files\NSClient++\security\server_key.pem #=private key of local machine (hosting nrpe server)
certificate = C:\Program Files\NSClient++\security\server.pem  #=certificate of local machine (hosting nrpe server)
ca = C:\Program Files\NSClient++\security\Cacert.pem #=CA certificate
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

performance data = 1
;port = 12489

[/settings/external scripts/wrappings]
bat = scripts\\%SCRIPT% %ARGS%
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
vbs = cscript.exe //T:90 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
exe = cmd /c %SCRIPT% %ARGS%

[/settings/external scripts/scripts]
test=scripts\test.bat

#12

I might be missing your point but: What I read is that check_nt can’t be secured (enough), but I did manage to encrypt all check_nrpe traffic between my monitoring server and windows-machine that is monitored. See my reply to Jim earlier today for example config.


#13

I tried your solution, but for me it doesn’t work. Still got the error

error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: sslv3 alert handshake failure: 1040

When I try nscp on the Windows machine I get an error, too:

C:\Program Files\NSClient++>nscp nrpe --host 127.0.0.1
E nrpe SSL handshake failed: short read c:\source\master\include\socket/client.hpp:189
C:\Program Files\NSClient++/nsclient.log could not be opened, Discarding: error: SSL handshake failed: short read
Error: Failed to connect to: 127.0.0.1:5666 :short read

My Config looks like this (like your post):

[/settings/NRPE/server]
insecure = 0
use ssl = 1
verify mode = peer-cert
allow arguments = 1
certificate key = C:\Program Files\NSClient++\security\client_cert.key
certificate = C:\Program Files\NSClient++\security\client_cert.pem
ca = C:\Program Files\NSClient++\security\ca_cert.pem
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

When I’m using the NRPE-Command on my Icinga Client for another Linux Host it’s working. I’m using NRPEv3. Any ideas?


#14

If I add this line, it’s working:

dh =


#15

I’d like to sum up everything from the thread, as it might help others to get quicker to a working solution. Versions: NRPE 3.0.1, NSClient++ 0.5.0.62.

First I ran into this error:
error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: tlsv1 alert unknown ca: 1048
and later I got this one:
error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: sslv3 alert handshake failure: 1040

These are the steps to get it working. Follow the instructions from https://support.nagios.com/kb/article.php?id=519 and create the CA, the Nagios server certificate and the client certificate. Quick steps:

  1. Create Certificate Authority (ca_cert.pem): openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650
  2. NRPE Client Certificate (client_cert.*): openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes; openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem
  3. check_nrpe Plugin Certificate (Nagios server certificate) (nagios_server.*): openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes; openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem

Copy the created ca_cert.pem, client_cert.pem and client_cert.key to “C:\Program Files\NSClient++\security”

[/settings/NRPE/server]
verify mode = peer-cert
certificate key = C:\Program Files\NSClient++\security\client_cert.key
certificate = C:\Program Files\NSClient++\security\client_cert.pem
ca = C:\Program Files\NSClient++\security\ca_cert.pem
dh =
allow nasty characters = 0
allow arguments = 1
extended response = 1
insecure = 0
use ssl = 1

I don’t know what the parameter dh = is for, but it will not work without setting it. I’m not sure if this has an influence on the encryption and authentication. At least I can see a certificate exchange.

check_nrpe_v3 -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 192.168.1.2


#16

Good summary! The point I quoted is interesting for me too. Maybe someone can explain?


#17

On https://kb.op5.com/pages/viewpage.action?pageId=19073684 I found this information about dh:

As per default encrypted communication with NRPE & NSClient++ is using ADH cipher (Anonymous Diffie Hellman) and a static predefined 512bit DH key. […] dh - Since we’re going to stop using ADH with a static DH key, we simply remove this option.

The static key is ${certificate-path}/nrpe_dh_512.pem
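As an added example (not code from any poster in this thread), a small Python checker that reads an NSClient++ nsclient.ini and reports where its [/settings/NRPE/server] section departs from the authenticated-TLS setup the thread arrived at: use ssl on, insecure off, verify mode = peer-cert, the dh option cleared to drop the static 512-bit DH key described in #17, ADH excluded from allowed ciphers, and the certificate settings placed in the NRPE server section rather than [/settings/default] (the placement issue from #9). The two embedded configs are constructed, modelled on the working summary in #15 and the failing layout in #7; the finding messages are my own.

```python
import configparser

SECTION = "/settings/NRPE/server"  # NSClient++ section holding the NRPE TLS settings


def audit_nrpe_server(ini_text):
    """Return findings for [/settings/NRPE/server]; empty list = matches the thread's working setup."""
    # Interpolation off: external-script wrappers carry literal %SCRIPT%/%ARGS% tokens.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"))
    cp.read_string(ini_text)
    srv, findings = (cp[SECTION] if cp.has_section(SECTION) else {}), []
    if srv.get("use ssl", "0").strip().lower() not in ("1", "true", "yes"):
        findings.append("use ssl is off: NRPE traffic is unencrypted")
    if srv.get("insecure", "0").strip().lower() in ("1", "true", "yes"):
        findings.append("insecure is on: legacy anonymous-DH compatibility mode")
    if srv.get("verify mode", "").strip() != "peer-cert":
        findings.append("verify mode is not peer-cert: check_nrpe is not authenticated")
    # Post #17: the default is ADH with a static 512-bit DH key; an empty 'dh =' removes it.
    if "dh" not in srv or srv.get("dh").strip():
        findings.append("dh not cleared: static predefined 512-bit DH key stays in use")
    ciphers = srv.get("allowed ciphers", "")
    if ciphers and "!ADH" not in ciphers.upper().split(":"):
        findings.append("allowed ciphers does not exclude ADH (anonymous Diffie-Hellman)")
    # Post #9: certificate settings must sit in the NRPE server section itself.
    default = cp["/settings/default"] if cp.has_section("/settings/default") else {}
    for key in ("ca", "certificate", "certificate key"):
        if key not in srv:
            findings.append(f"{key} missing from [{SECTION}]"
                            + (" (found only in [/settings/default])" if key in default else ""))
    return findings


# Constructed samples: WORKING_INI follows #15, WEAK_INI the failing layout in #7.
WORKING_INI = r"""[/settings/NRPE/server]
verify mode = peer-cert
certificate key = C:\Program Files\NSClient++\security\client_cert.key
certificate = C:\Program Files\NSClient++\security\client_cert.pem
ca = C:\Program Files\NSClient++\security\ca_cert.pem
dh =
use ssl = 1
"""
WEAK_INI = r"""[/settings/default]
ca = security/Root64.pem
certificate = security/tst90_nagios.pem
certificate key = security/tst90_nagios.key
[/settings/NRPE/server]
use ssl = 1
insecure = true
allowed ciphers = ALL:!LOW:!EXP:!MD5:@STRENGTH
"""
```

Point audit_nrpe_server at the text of a real nsclient.ini to list which of these settings still need attention.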