NRPE SSL Setup peer-cert verification fails


#1

Hello,

I cannot get peer-cert verification to work properly. I have set up two CAs, one for NSCP server side, one for NSCP Client side:

ca_monsrv.crt  ca_targetsrv.crt  monsrv.crt  monsrv.zip     targetsrv.csr
ca_monsrv.key  ca_targetsrv.key  monsrv.csr  nsclient.log   targetsrv.key
ca_monsrv.srl  ca_targetsrv.srl  monsrv.key  targetsrv.crt  targetsrv.zip

The targetsrv key/cert pair is to be checked for validity against ca_monsrv.crt, and the monsrv key/cert pair is to be checked against ca_targetsrv.crt. I checked dozens of times whether I had done the CAs, certs and keys right; I have added the checks at the end.

However, I am unable to verify the certs with the peer-cert option; it only works when I use the same CA on both sides.

These are the SSL checks:

[[email protected] LAB]# openssl rsa -noout -modulus -in ca_monsrv.key | openssl md5
Enter pass phrase for ca_monsrv.key:
(stdin)= 858d61838eaf3456d015857f97618f4e
[[email protected] LAB]# openssl x509 -noout -modulus -in ca_monsrv.crt | openssl md5
(stdin)= 858d61838eaf3456d015857f97618f4e
[[email protected] LAB]# openssl rsa -noout -modulus -in ca_targetsrv.key | openssl md5
Enter pass phrase for ca_targetsrv.key:
(stdin)= a94882b75ab3b9080e11ce22989e9202
[[email protected] LAB]# openssl x509 -noout -modulus -in ca_targetsrv.crt | openssl md5
(stdin)= a94882b75ab3b9080e11ce22989e9202
[[email protected] LAB]# openssl rsa -noout -modulus -in monsrv.key | openssl md5
(stdin)= c4173570100fdc50e7657ec4b3824a8f
[[email protected] LAB]# openssl x509 -noout -modulus -in monsrv.crt | openssl md5
(stdin)= c4173570100fdc50e7657ec4b3824a8f
[[email protected] LAB]# openssl rsa -noout -modulus -in targetsrv.key | openssl md5
(stdin)= 89d5aa4bb8cdd102615b4bf25bdd6ff4
[[email protected] LAB]# openssl x509 -noout -modulus -in targetsrv.crt | openssl md5
(stdin)= 89d5aa4bb8cdd102615b4bf25bdd6ff4
[[email protected] LAB]# openssl verify -CAfile ca_monsrv.crt targetsrv.crt
targetsrv.crt: OK
[[email protected] LAB]# openssl verify -CAfile ca_targetsrv.crt monsrv.crt
monsrv.crt: OK
[[email protected] LAB]# ls
ca_monsrv.crt  ca_targetsrv.crt  monsrv.crt  monsrv.zip     targetsrv.csr
ca_monsrv.key  ca_targetsrv.key  monsrv.csr  nsclient.log   targetsrv.key
ca_monsrv.srl  ca_targetsrv.srl  monsrv.key  targetsrv.crt  targetsrv.zip
[[email protected] LAB]#

#2

Hi,

Can you paste the relevant part of your nsclient++ configuration, please?

Regards, Alex


#3

Hello Alex,

here is nsclient.ini:

[/settings/NRPE/server]
certificate = C:\SSL\targetsrv.crt
certificate key = C:\SSL\targetsrv.key
ca = C:\SSL\ca_monsrv.crt
ssl options = no-sslv2,no-sslv3
;verify mode = peer-cert [desired setup]
verify mode = none
insecure = false
[/modules]
NRPEServer = 1
CheckNSCP = 1

This is the check_nrpe command I use on the monitor's side:

 check_nrpe ca=ca_targetsrv.crt certificate=monsrv.crt certificate-key=monsrv.key host=<IP>

This is the error message:

nsclient++ Windows side:

2015-07-06 17:13:21: error:D:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: short read: 219

check_nrpe output:

SSL handshake failed: asio.ssl errorError: Failed to connect to: <IP>:5666 :asio.ssl error[

Many thanks in advance!


#4

Hi, I have the same problem. I use the latest stable NSClient++ 4.3.

I tried to set up the SSL keys using the article https://web.archive.org/web/20130120204010/http://blog.medin.name/2012/12/02/securing-nrpe-with-certificate-based-authentication/

I've generated the CA and the keys for the monitored host kriznb-win (a VM with Windows 7) and checked them:

[[email protected] sslCA]# openssl verify -CAfile cacert.pem certs/kriznb-win.pem 
certs/kriznb-win.pem: OK

Configuration on kriznb-win:

[/settings/NRPE/server]
use ssl = true
allow nasty characters = false
allow arguments = false
insecure = false
extended response = true
[/modules]
NRPEServer = enabled
[/settings/default]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
certificate = security/kriznb-win.pem
certificate key = security/kriznb-win_key.pem
allowed hosts = 192.168.56.23, 127.0.0.1
cache allowed hosts = true

I have copied the certificate and key to kriznb-win. I have copied cacert.pem as ca.pem to the nagios server and to kriznb-win.

On kriznb-win I checked with:

C:\Program Files\NSClient++>nscp nrpe --host 127.0.0.1
I (0.4.3.143 2015-04-29) seem to be doing fine...

On nagios server I issued:

[[email protected] nsclient]# nscp nrpe --host kriznb-win --ca security/ca.pem --verify peer-cert --allowed-ciphers 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
E       nrpe SSL handshake failed: asio.ssl error
                    /source/nscp/include/socket/client.hpp:193
Error: Failed to connect to: kriznb-win:5666 :asio.ssl error

In kriznb-win log file there is:

2015-08-13 13:01:34: error:D:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: short read: 219

Thanks in advance for help.

BK


#5

Hello, in my case I resolved it by changing “allowed ciphers”.

Try with the SEED-SHA or AES128-AES256 value, which are TLS ciphers.


#6

Having a similar problem with NSClient 5.0.62: changing the allowed ciphers to SEED-SHA gives me a working basic command:

C:\Program Files\NSClient++>nscp nrpe host=localhost insecure
I (0.5.0.62 2016-09-14) seem to be doing fine…

Installing the CentOS 7 binaries I get a “:short read” error ;-(

# check_nscp_nrpe host=server allowed-ciphers=SEED-SHA
Error: Failed to connect to: server:5666 :short read

[email protected] /etc/icinga2/plugins #  check_nscp_nrpe  host=server

Error: Failed to connect to: server:5666 :short read
[email protected] /etc/icinga2/plugins #

With the default CentOS 7 check_nrpe (3.1.1) I get: CHECK_NRPE: Error - Could not complete SSL handshake with serverip: 1

Tried to do some PKI stuff (keys, certs), but I don't get any working config ;-( :sweat: :disappointed_relieved:

Any ideas for getting better log errors or more input?

Monitoring client OS: Windows Server 2012 R2
Monitoring server: CentOS 7 with Icinga 2

regards josy