NSClient++ with NAGIOS NRPE and ENCRYPTION - Always fail


#1

Hi guys,

I have big trouble with using SSL and NSClient++. Encryption is required by my company. I searched nearly 99999 Google pages about this problem and the answer is always “set insecure=true”. That's not an option for me. Yes, in my details you will see that both hosts are in the same network. This is just another host where I try to set up an encrypted connection. When I'm able to do this, I will configure it for the external host.

Details: Monitoring-Server (192.168.61.206) Ubuntu 16.04.2 LTS + Nagios 4

NRPE Plugin for Nagios Copyright © 1999-2008 Ethan Galstad ([email protected]) Version: 3.0.1 Last Modified: 09-08-2016

Remote Host (192.168.61.217) Windows Server 2016 NSClient++ 0.5.0062

NSClient++ Config (Registry): (In the Windows registry the values don't have the prefix < or the suffix >)

HKLM\Software\NSClient++\settings\default:
allowed hosts <localhost>,<192.168.61.206>
password <password>

HKLM\Software\NSClient++\settings\log:
filename <nsclient-debug.log>
level <debug>

HKLM\Software\NSClient++\NRPE\server:
address <192.168.61.217>
allowed ciphers <ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH>
ca <C:\Program Files\NSClient++\security\MyRootCA.pem>
certificate <C:\Program Files\NSClient++\security\MyClient1.pem>
certificate key <C:\Program Files\NSClient++\security\MyClient1.key>
insecure <false>
port <5666>
ssl options <no-sslv2,no-sslv3>
use SSL <true>
verify mode <peer-client>
allow arguments <true>

With the logfile I can prove that the certificates are loaded. Certificates are created on the monitoring server with OpenSSL.

Full debug log of NSClient++ start:

2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:328: On crash: restart: nscp
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:340: Archiving crash dumps in: C:\Program Files\NSClient++/crash-dumps
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:405: booting::loading plugins
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckDisk
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckEventLog
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckExternalScripts
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckHelpers
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckNSCP
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: CheckSystem
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: NRPEServer
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:173: Found: NSClientServer
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckDisk.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckDisk.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckEventLog.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckEventLog.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckExternalScripts.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckExternalScripts.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckHelpers.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckHelpers.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckNSCP.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckNSCP.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\CheckSystem.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\CheckSystem.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\NRPEServer.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\NRPEServer.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:777: C:\Program Files\NSClient++/modules\NSClientServer.dll.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:779: adding C:\Program Files\NSClient++/modules\NSClientServer.dll
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckDisk
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckEventLog
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckExternalScripts
2017-04-06 15:46:12: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:130: No aliases found (adding default)
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckHelpers
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckNSCP
2017-04-06 15:46:12: debug:c:\source\master\modules\CheckNSCP\CheckNSCP.cpp:55: Crash folder is: C:\Program Files\NSClient++/crash-dumps
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: CheckSystem
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: NRPEServer
2017-04-06 15:46:12: debug:c:\source\master\modules\NRPEServer\NRPEServer.cpp:128: Allowed hosts definition: 127.0.0.1(255.255.255.255), 192.168.61.206(255.255.255.255)
2017-04-06 15:46:12: debug:c:\source\master\modules\NRPEServer\NRPEServer.cpp:129: Server config: address: :5666, ssl enabled: peer-cert, cert: C:\Program Files\NSClient++/security/MyClient1.pem (PEM), C:\Program Files\NSClient++/security/MyClient1.key, dh: C:\Program Files\NSClient++/security/nrpe_dh_512.pem, ciphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH, ca: C:\Program Files\NSClient++/security/MyRootCA.pem, options: 
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:92: Binding to: [::]:5666(ipv6)
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:195: Attempting to bind to: [::]:5666(ipv6)
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:88: Binding to: 0.0.0.0:5666(ipv4), reopen: true, reuse: true
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:195: Attempting to bind to: 0.0.0.0:5666(ipv4)
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:738: Loading plugin: NSClientServer
2017-04-06 15:46:12: debug:c:\source\master\modules\NSClientServer\NSClientServer.cpp:88: Allowed hosts definition: 127.0.0.1(255.255.255.255),  192.168.61.206(255.255.255.255)
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:92: Binding to: [::]:12489(ipv6)
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:195: Attempting to bind to: [::]:12489(ipv6)
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:88: Binding to: 0.0.0.0:12489(ipv4), reopen: true, reuse: true
2017-04-06 15:46:12: debug:c:\source\master\include\socket/server.hpp:195: Attempting to bind to: 0.0.0.0:12489(ipv4)
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:503: NSClient++ - 0.5.0.62 2016-09-14 Started!
2017-04-06 15:46:12: debug:c:\source\master\service\NSClient++.cpp:1385: Starting: DONE

Problem: Every time I use the Nagios NRPE plugin the following error shows up:

/usr/local/nagios/libexec# ./check_nrpe -H 192.168.61.217
CHECK_NRPE: Error - Could not complete SSL handshake with 192.168.61.217: 1

The same error appears when I use the options -C, -K and -A, even with -S and a chosen TLS version.

On the remote host, the debug log shows the following:

2017-04-07 10:36:54: debug:c:\source\master\include\nrpe/server/protocol.hpp:72: Accepting connection from: 192.168.61.206, count=1
2017-04-07 10:36:54: error:c:\source\master\include\socket/connection.hpp:257: Failed to establish secure connection: sslv3 alert handshake failure: 1040

The debug log always shows that “sslv3 alert”, even if I use the -S parameter to force TLSv1+. NSClient also doesn't allow SSLv3. When I remove the “no-sslv3” option, the same failure appears. Yes, I restarted the NSClient++ service on the remote host after the cfg changes.

In my opinion all settings are correct. I got certificates created from the monitoring host:

1x client certificate for the monitoring host
1x client key for the monitoring host
1x client certificate for the remote host
1x client key for the remote host
1x CA certificate

The monitoring host is allowed to connect, SSLv3 is disabled, but always used.

Hopefully someone can help me.

Kind regards Matze


#2

Wow… I found it… hell, that was random.

In the NSClient registry config there is the default value: DH = nrpe_dh_512.pem. The .pem file was present by default in the security folder.

In another post I saw that the value is empty in the nsclient.cfg… So I deleted the default value…

Now it works :)
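The fix in post #2 points at the file the startup log already names (dh: ...\security\nrpe_dh_512.pem): a 512-bit Diffie-Hellman group. OpenSSL-based check_nrpe builds have refused DH groups that small since the Logjam fixes, so the client aborts and the server side only sees the incoming "handshake failure" alert, which is why the error looked like an SSLv3 problem even with SSLv3 disabled. The script below is an added example, not code from this thread or from NSClient++: it parses a DH PARAMETERS PEM file using only the standard library and reports the prime size, so an operator can check a shipped dh file before pointing a server at it. The two sample PEM blocks are constructed inside the script from plain odd numbers (they are not real DH primes; only the bit length matters for the check), and the 2048-bit threshold is the script's own assumption.

```python
import base64
import re

# Threshold assumed by this checker. OpenSSL clients have rejected DH groups under
# 1024 bits since the Logjam fixes in 1.0.2; 2048 bits is the usual baseline today.
MIN_DH_BITS = 2048

PEM_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def build_dh_pem(p, g):
    """Build a PKCS#3 DHParameter PEM block: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    return (
        "-----BEGIN DH PARAMETERS-----\n"
        + base64.encodebytes(der).decode("ascii")
        + "-----END DH PARAMETERS-----\n"
    )


def _read_tlv(der, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, der[pos:pos + length], pos + length


def parse_dh_params_pem(pem_text):
    """Return (p, g) from a DH PARAMETERS PEM block; optional trailing fields are ignored."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE at the top level")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess_dh_params(pem_text, minimum_bits=MIN_DH_BITS):
    """Report the prime size and whether it meets the configured minimum."""
    p, g = parse_dh_params_pem(pem_text)
    bits = p.bit_length()
    return {"bits": bits, "generator": g, "acceptable": bits >= minimum_bits}


# Constructed sample values: a 512-bit and a 2048-bit odd number standing in for the
# prime p. They are NOT real DH primes; the size check only needs the bit length.
SAMPLE_512_PEM = build_dh_pem((1 << 511) | 1, 2)
SAMPLE_2048_PEM = build_dh_pem((1 << 2047) | 1, 2)

if __name__ == "__main__":
    import sys
    # Usage: python dh_check.py nrpe_dh_512.pem  (no argument runs the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], assess_dh_params(fh.read()))
    else:
        for name, pem in (("sample-512", SAMPLE_512_PEM), ("sample-2048", SAMPLE_2048_PEM)):
            print(name, assess_dh_params(pem))
```

Run against the real file on the Windows host (for example `python dh_check.py "C:\Program Files\NSClient++\security\nrpe_dh_512.pem"`) and a result of `acceptable: False` tells you the handshake will be refused by a current client regardless of the certificate, cipher and SSL-option settings. Clearing the DH value, as post #2 did, or pointing it at a 2048-bit group generated with `openssl dhparam 2048`, are the two ways to get past it.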