NSClient++ version 0.4.3.143 on Linux - nrpe SSL handshake failed


#1

I am trying to set up NSClient++ on a Nagios Server (running RHEL 6.5). I installed NSClient++ 0.4.3.143 by referring to this article -

. The setup was successful.

I want to set up SSL communication between the Nagios server (running the NSClient++ that I installed) and my monitored Windows host, also running NSClient++ version 0.4.4.19. I referred to this blog for securing the NRPE communication - https://web.archive.org/web/20130120204010/http://blog.medin.name/2012/12/02/securing-nrpe-with-certificate-based-authentication/

I have been able to complete all the steps in this blog up to the section “Enabling Trust”. However, I am running into an error when trying to complete the steps described in the section “Better trust” -

On the nagios server I run the command:

# nscp nrpe host=127.0.0.1 allowed-ciphers=ALL ca=/usr/share/nsclient/security/ca.pem certificate=/usr/share/nsclient/security/client_cert.pem certificate-key=/usr/share/nsclient/security/client_key.pem
E       nrpe SSL handshake failed: asio.ssl error
                    /source/nscp/include/socket/client.hpp:193
Error: Failed to connect to: 127.0.0.1:5666 :asio.ssl error

Here are the log messages related to the error:

2016-07-19 04:46:38: error:/source/nscp/include/socket/connection.hpp:243: Failed to establish secure connection: asio.ssl error: 1
2016-07-19 04:46:38: error:/source/nscp/include/socket/client.hpp:193: SSL handshake failed: End of file

Here are the nsclient.ini settings on my Nagios server:

[/paths]

module-path = /usr/lib/nsclient/modules/
shared-path = /usr/share/nsclient/
log-path = /var/log/nsclient


[/settings/log]

file name = ${log-path}/nsclient.log
date format = %Y-%m-%d %H:%M:%S
level = debug

[/settings/log/file]

max size = 0

[/settings/crash]

submit url = https://crash.nsclient.org/post
submit = false
archive = true
restart = true
archive folder = ${shared-path}/crash-dumps
restart target = NSCP

[/modules]

CheckSystemUnix = enabled
NRPEServer = enabled

[/settings/NRPE/server]

allow nasty characters = true
insecure = false
extended response = true
port = 5666
use ssl = true

[/includes]


[/settings/shared session]

enabled = false

[/settings/default]

allowed hosts = 127.0.0.1,16.236.165.67
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
certificate = /usr/share/nsclient/security/client_cert.pem
certificate key = /usr/share/nsclient/security/client_key.pem
ca = /usr/share/nsclient/security/ca.pem
verify mode = peer-cert

The CA cert has been generated on the Linux Nagios server, and both the Nagios server and the Windows Host are using this CA. Can someone help me with this issue?

Thanks, Vivek
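One way to compare the TLS options on the two ends of the failing handshake, added here as an example that is not part of the original post and is not NSClient++ code: it reads the TLS-related sections of the posted nsclient.ini and the posted `nscp nrpe` command line, then reports which options match, differ, or are set on one side only. It assumes that command-line option names map to ini keys by replacing hyphens with spaces, and that `/settings/NRPE/server` overrides `/settings/default`.

```python
import configparser
import shlex

# Options that shape the TLS handshake, as named in the posted nsclient.ini.
TLS_KEYS = ("allowed ciphers", "certificate", "certificate key", "ca", "verify mode")

# Both inputs are copied from the post above (TLS-related parts only).
INI = """
[/settings/NRPE/server]
insecure = false
use ssl = true
[/settings/default]
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
certificate = /usr/share/nsclient/security/client_cert.pem
certificate key = /usr/share/nsclient/security/client_key.pem
ca = /usr/share/nsclient/security/ca.pem
verify mode = peer-cert
"""
CMD = ("nscp nrpe host=127.0.0.1 allowed-ciphers=ALL "
       "ca=/usr/share/nsclient/security/ca.pem "
       "certificate=/usr/share/nsclient/security/client_cert.pem "
       "certificate-key=/usr/share/nsclient/security/client_key.pem")

def server_tls_settings(ini_text):
    """TLS options from [/settings/default], overridden by [/settings/NRPE/server] (assumed precedence)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(ini_text)
    merged = {}
    for section in ("/settings/default", "/settings/NRPE/server"):
        if cp.has_section(section):
            merged.update({k: v for k, v in cp.items(section) if k in TLS_KEYS})
    return merged

def client_tls_settings(command):
    """TLS key=value arguments from the command line; hyphen-to-space mapping is an assumption."""
    pairs = (t.split("=", 1) for t in shlex.split(command) if "=" in t)
    args = {k.replace("-", " ").lower(): v for k, v in pairs}
    return {k: v for k, v in args.items() if k in TLS_KEYS}

def compare(server, client):
    """Return {option: (status, server_value, client_value)} for every option set on either side."""
    report = {}
    for key in TLS_KEYS:
        s, c = server.get(key), client.get(key)
        if s is None and c is None:
            continue
        status = ("same" if s == c else "server only" if c is None
                  else "client only" if s is None else "differs")
        report[key] = (status, s, c)
    return report
```

For the posted inputs, `compare(server_tls_settings(INI), client_tls_settings(CMD))` shows the cipher lists differing, `verify mode` set only on the server side, and both ends of the loopback test using the same certificate, key and CA files.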


#2

Are you using nsclient++ on both sides?


#3

Yes, using nsclient++ on both sides. I installed NSCP-0.4.3.143-1.el6.x86_64.rpm on the Nagios Server (RHEL 6). The Windows client is running nsclient++ 4.4.19. I will upload the details of how I did the installs on both ends.


#4

I have uploaded the following 2 docs to this google drive location: https://drive.google.com/folderview?id=0B2Lq6w1lB_k5VW9MTVhKUHAtNVE&usp=sharing

  1. NSClient++ installation on Windows: Describes how I installed NSClient++ on my Windows system and set up monitoring from my Nagios Server (RHEL 6) using NRPE

  2. NSClient++ install on Nagios Server: Describes how I installed NSClient++ on my Nagios server (RHEL 6) and attempted to follow the directions at this link: https://web.archive.org/web/20130120204010/http://blog.medin.name/2012/12/02/securing-nrpe-with-certificate-based-authentication

The 2nd doc (NSClient setup on Nagios server) is where I am running into issues.


#5

Just curious (quite late to the game) if you got any further and have this working.