Problem with SSL to supervise windows host


#1

Hello,

I have a problem supervising a Windows host.

My poller server is a CentOS 7 and my client is a Windows Server 2012. My version of NSClient++ is 0.5.1.44 on my Windows server and 2.15 for NRPE on my poller server. I think I have a problem with SSL but I can’t solve it. Below are the commands with their results and the contents of the log on the client:

[details=Test results]# In nsclient.ini, with insecure = true

On the poller server :

Command :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client
I (0.5.1.44 2017-08-30) seem to be doing fine…
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 'svchost.exe state'=1;0;0 […] 'count'=36;0;0
```

In nsclient.log : nothing to report

Command :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
```

In nsclient.log :

```
2017-10-02 15:47:13: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-02 15:47:13: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
```

Command :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
```

In nsclient.log :

```
2017-10-02 15:48:08: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-02 15:48:08: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.
```

On the client :

Command :

```
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1
Error: Failed to connect to: 127.0.0.1:5666 :short read
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1
Error: Failed to connect to: 127.0.0.1:5666 :short read -n
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
```

In nsclient.log :

```
2017-10-02 15:55:59: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-02 15:55:59: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.
```

In nsclient.ini, with insecure = false

On the poller server :

Command :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
```

In nsclient.log :

```
2017-10-02 15:02:09: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-02 15:02:09: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
```

Command :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client
CHECK_NRPE: Error - Could not complete SSL handshake.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
CHECK_NRPE: Error - Could not complete SSL handshake.
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
CHECK_NRPE: Error - Could not complete SSL handshake.
```

In nsclient.log :

```
2017-10-02 15:18:03: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-02 15:18:03: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.
```

On the client :

Command :

```
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1
I (0.5.1.44 2017-08-30) seem to be doing fine…
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n
I (0.5.1.44 2017-08-30) seem to be doing fine…
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
OK: Number of current processes running: 41|'count'=41;150;200
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
OK: Number of current processes running: 41|'count'=41;150;200
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 'svchost.exe state'=1;0;0 […]
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 'svchost.exe state'=1;0;0 […]
```

In nsclient.log : nothing to report[/details]

NRPE installation on the poller server :

[details=NRPE installation]
```
yum -y install nrpe nagios-plugins-procs
systemctl enable nrpe
```
[/details]

NRPE Configuration on the poller server :

[details=nrpe.conf]
```
# LOG FACILITY
log_facility=daemon

# PID FILE
pid_file=/var/run/nrpe/nrpe.pid

# PORT NUMBER
server_port=5666

# NRPE USER
nrpe_user=nrpe

# NRPE GROUP
nrpe_group=nrpe

# ALLOWED HOST ADDRESSES
allowed_hosts=IP_range_for_clients,127.0.0.1,IP_central_server

# SECURITY ISSUES IF OTHER VALUES THAN 0

# COMMAND ARGUMENT PROCESSING
dont_blame_nrpe=0

# BASH COMMAND SUBTITUTION
allow_bash_command_substitution=0

# DEBUGGING OPTION
# Values: 0=debugging off, 1=debugging on
debug=0

# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.
command_timeout=60

# CONNECTION TIMEOUT
connection_timeout=300

# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>

# COMMAND DEFINITIONS
# command[<command_name>]=<command_line>
command[dummycheck0]=/oper/nagios/libexec/check_dummy 0 "Dummycheck performed with status 0"
command[dummycheck1]=/oper/nagios/libexec/check_dummy 1 "Dummycheck performed with status 1"
command[dummycheck2]=/oper/nagios/libexec/check_dummy 2 "Dummycheck performed with status 2"
command[dummycheck3]=/oper/nagios/libexec/check_dummy 3 "Dummycheck performed with status 3"

# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
include_dir=/etc/nrpe.d/
```
[/details]

NSClient installation on the client :

NSClient installation

```
msiexec /qn /passive /norestart /l* install.log /i %AGENT_File% INSTALLLOCATION="%ProgramFiles%\NSClient++" CONF_NRPE=1 CONF_NSCLIENT=0 CONF_NSCA=0 CONF_SCHEDULER=0 CONF_WEB=0 CONF_WMI=0 CONF_CHECKS=1 CONF_WMI=0 NRPEMODE=LEGACY CONF_CAN_CHANGE=0 ADD_DEFAULTS=0 ALLOWED_HOSTS="127.0.0.1" NSCLIENT_PWD="" MAIN_CONFIGURATION_FILE=nsclient.ini SHOW_START_ON_EXIT=0 START_SERVICE_ON_EXIT=1 SHOW_DONATE_ON_EXIT=0 DONATE_ON_EXIT=0 REMOVE="Documentation,DotNetPluginSupport,ExtraClientPlugin,LuaScript,NSCAPlugin,NSCPlugins,PythonScript,SampleConfig,SampleScripts,Shortcuts,WEBPlugins" ADDLOCAL="CheckPlugins,FirewallConfig,NRPEPlugins"
```

NSClient configuration on the client :

[details=nsclient.ini]
```
; If you want to fill this file with all available options run the following command:
; nscp settings --generate --add-defaults --load-all
; If you want to activate a module and bring in all its options use:
; nscp settings --activate-module --add-defaults
; For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = password

; ALLOWED HOSTS - A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 127.0.0.1,IP_central_server,IP_poller_server

; CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = yes

; TIMEOUT - Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
timeout = 30

; in flight - TODO
[/settings/NRPE/server]

; Undocumented key
verify mode = none

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
;;; use ssl = false

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = false

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"[]{}) characters in arguments.
allow nasty characters = true

; EXTENDED RESPONSE - Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).
extended response = true

; PORT NUMBER - Port to use for NRPE.
port = 5666

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; in flight - TODO
[/modules]

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = true

; NRPEClient - NRPE client can be used both from command line and from queries to check remote systes via NRPE as well as configure the NRPE server
NRPEClient = true

; CheckNet - Network related check such as check_ping.
CheckNet = false

; CheckWMI - Check status via WMI
CheckWMI = false

; CheckExternalScripts - Module used to execute external scripts
CheckExternalScripts = true

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = false

; CheckLogFile - File for checking log files and various other forms of updating text files
CheckLogFile = false

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = false

; CheckNSCP - Use this module to check the healt and status of NSClient++ it self
CheckNSCP = false

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = true

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = true

; External scripts - A list of scripts available to run from the CheckExternalScripts module. Syntax is: command=script arguments
[/settings/external scripts/scripts]

cpu=scripts\toto_cpu_win.bat
net_tra=scripts\toto_nettra_win.bat
net_err=scripts\toto_neterr_win.bat
net_tcp=scripts\toto_nettcp_win.bat
proc=scripts\toto_proc_win.bat
disk_io=scripts\toto_io_win.bat
load=scripts\toto_load_win.bat
drives=scripts\toto_disk_win.bat
mem=scripts\toto_mem_win.bat

; External script settings - General settings for the external scripts module (CheckExternalScripts).
[/settings/external scripts]

; Command timeout - The maximum time in seconds that a command can execute. (if more then this execution will be aborted). NOTICE this only affects external commands not internal ones.
timeout = 30

; Load all scripts in a given folder - Load all scripts in a given directory and use them as commands.
;;; script path = C:\Program Files\NSClient++\scripts

; Allow certain potentially dangerous characters in arguments - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"[]{}) characters in arguments.
allow nasty characters = false

; Allow arguments when executing external scripts - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; COUNTER - Definition for counter: ProcUsedTot
[/settings/system/windows/counters/ProcUsedTot]
collection strategy=rrd
type=large
counter=\Processor(_total)% Processor Time

; LOG SECTION - Configure log file properties.
[/settings/log/file]

; MAXIMUM FILE SIZE - When file size reaches this it will be truncated to 50% if set to 0 (default) truncation will be disabled
max size = 0

; LOG SECTION - Configure log properties.
[/settings/log]

; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S

; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info

; FILENAME - The file to write log data to. Set this to none to disable log to file.
;;; file name = nsclient.log
```
[/details]

I don’t understand why, with insecure = true, the command “check_nrpe -p 5666 -H IP_client -c check_process” works on the poller server but the command “check_nrpe -p 5666 -H IP_client -c proc” does not; it’s just an external script. And I don’t understand why, with insecure = true, the command “check_nrpe -p 5666 -H IP_client -c check_process” works on the poller server but does not work on the client.

With “use ssl = false”, the command “check_nrpe -p 5666 -H IP_client -c check_process” doesn’t work on the poller server, but with the n option it works, and the command “check_nrpe -p 5666 -H IP_client -c proc” doesn’t work on the poller server with or without the n option. For the latter, it’s a timeout : CHECK_NRPE: Socket timeout after 10 seconds. In the nsclient.log, I have : 2017-10-03 11:05:31: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

With “use ssl = true”, the command “check_nrpe -p 5666 -H IP_client -c check_process” works on the poller server, but with the n option it doesn’t work, and the command “check_nrpe -p 5666 -H IP_client -c proc” doesn’t work on the poller server with or without the n option.

I don’t understand why, with insecure = false, the command “check_nrpe -H 127.0.0.1 -c check_process” and the command “check_nrpe -H 127.0.0.1 -c proc” work on the client but not on the poller server. The logs are different depending on whether I use the -n option or not on the poller server.

With “use ssl = false”, the command “check_nrpe -p 5666 -H IP_client -c check_process” doesn’t work on the poller server, but with the n option it works, and the command “check_nrpe -p 5666 -H IP_client -c proc” doesn’t work on the poller server with or without the n option.

With “use ssl = true”, the command “check_nrpe -p 5666 -H IP_client -c check_process” doesn’t work on the poller server with or without the n option, and the command “check_nrpe -p 5666 -H IP_client -c proc” doesn’t work on the poller server with or without the n option.

I don’t really understand how to use and configure ssl and insecure. Can you help me please? Ask me if you need more information.

Thank you in advance for your help. Julien

PS: sorry for the mistakes, English isn’t my native language


#2

Hello,

New tests below :

With use ssl = false and insecure = false in nsclient.ini.

[details=use ssl = false and insecure = false]
```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 ' […] 'count'=37;0;0
2017-10-03 15:41:28: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:17:38: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:17:38: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-03 15:17:38: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:18:08: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file
2017-10-03 15:18:08: error:c:\source\master\include\socket/connection.hpp:139: Socket was unexpectedly closed trying to send data (possibly check your timeout settings)

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:42:27: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:42:37: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:42:27: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:42:37: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:21:08: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:21:38: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:48:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:48:41: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:21:08: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:21:38: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:46:39: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:47:09: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file
```
[/details]

With use ssl = false and insecure = true in nsclient.ini.

[details=use ssl = false and insecure = true]
```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 ' […] 'count'=37;0;0
2017-10-03 15:41:28: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:53:11: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-03 15:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:53:41: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file
2017-10-03 15:53:41: error:c:\source\master\include\socket/connection.hpp:139: Socket was unexpectedly closed trying to send data (possibly check your timeout settings)

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:42:27: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:42:37: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
CHECK_NRPE: Socket timeout after 10 seconds.
2017-10-03 15:42:27: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-03 15:42:37: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:21:08: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:21:38: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:48:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:48:41: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:21:08: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:21:38: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-03 15:46:39: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-03 15:47:09: error:c:\source\master\include\socket/connection.hpp:168: Failed to read data: End of file
```
[/details]

With use ssl = true and insecure = false in nsclient.ini.

[details=use ssl = true and insecure = false]
```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
2017-10-04 08:36:57: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:36:57: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-04 08:36:57: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
2017-10-04 08:40:21: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:40:21: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-04 08:40:21: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
CHECK_NRPE: Error - Could not complete SSL handshake.
2017-10-04 08:38:29: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:38:29: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 08:38:29: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
CHECK_NRPE: Error - Could not complete SSL handshake.
2017-10-04 08:42:17: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:42:17: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 08:42:17: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 ' […] 'count'=37;0;0
2017-10-04 08:47:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
OK: Number of current processes running: 40|'count'=40;150;200
2017-10-04 08:49:41: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 08:49:41: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-04 08:49:41: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 ' […] 'count'=37;0;0
2017-10-04 08:47:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
OK: Number of current processes running: 40|'count'=40;150;200
2017-10-04 08:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 08:53:11: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-04 08:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
```
[/details]

With use ssl = true and insecure = true in nsclient.ini.

[details=use ssl = true and insecure = true]
```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
2017-10-04 08:36:57: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:36:57: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-04 08:36:57: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c proc
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
2017-10-04 08:40:21: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:40:21: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2017-10-04 08:40:21: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
OK: all processes are ok.|'wininit.exe state'=1;0;0 'winlogon.exe state'=1;0;0 'lsass.exe state'=1;0;0 'svchost.exe state'=1;0;0 ' […] 'count'=37;0;0
2017-10-04 09:02:48: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1

[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:08:31: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 09:08:31: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-04 09:08:31: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:08:31: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:08:31: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:10:26: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:10:26: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:10:26: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:10:26: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.
```
[/details]

Summary :

[details=Summary]
## Commands that operate remotely :

With use ssl = false and insecure = false in nsclient.ini :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
```

With use ssl = false and insecure = true in nsclient.ini :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -n -c check_process
```

With use ssl = true and insecure = false in nsclient.ini : nothing to report

With use ssl = true and insecure = true in nsclient.ini :

```
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
```

## Commands that work locally

With use ssl = false and insecure = false in nsclient.ini : nothing to report

With use ssl = false and insecure = true in nsclient.ini : nothing to report

With use ssl = true and insecure = false in nsclient.ini :

```
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c check_process
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -n -c proc
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
```

With use ssl = true and insecure = true in nsclient.ini : nothing to report[/details]

Goals :

I would like to use SSL, so I think that my nsclient.ini should contain use ssl = true and insecure = true or false.

With insecure = true :
On the poller server, remotely, the command to check the module works :
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c check_process
OK: all processes are ok.|‘wininit.exe state’=1;0;0 ‘winlogon.exe state’=1;0;0 ‘lsass.exe state’=1;0;0 ‘svchost.exe state’=1;0;0 ’ […] ‘count’=37;0;0
2017-10-04 09:02:48: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1

But the command to check the external script doesn’t work :
[[email protected] ~]# /usr/lib/nagios/plugins/check_nrpe -p 5666 -H IP_client -c proc
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:08:31: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 09:08:31: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-04 09:08:31: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:08:31: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:08:31: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

On the client, locally, the commands for the check module and the external script don’t work; I get these errors :
Error: Failed to connect to: 127.0.0.1:5666 :short read
2017-10-04 09:10:26: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 09:10:26: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

With insecure = false :
On the poller server, remotely, the commands for the check module and the external script don’t work; I get these errors :
CHECK_NRPE: Error - Could not complete SSL handshake.
2017-10-04 08:38:29: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: IP_poller, count=1
2017-10-04 08:38:29: error:c:\source\master\include\socket/connection.hpp:270: Seems we cant agree on SSL: no shared cipher
2017-10-04 08:38:29: error:c:\source\master\include\socket/connection.hpp:271: Please review the insecure options as well as ssl options in settings.

On the client, locally, the commands for the check module and the external script work very well :
C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c check_process
OK: all processes are ok.|‘wininit.exe state’=1;0;0 ‘winlogon.exe state’=1;0;0 ‘lsass.exe state’=1;0;0 ‘svchost.exe state’=1;0;0 ’ […] ‘count’=37;0;0
2017-10-04 08:47:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1

C:\Program Files\NSClient++>check_nrpe -H 127.0.0.1 -c proc
OK: Number of current processes running: 40|‘count’=40;150;200
2017-10-04 08:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1
2017-10-04 08:53:11: debug:c:\source\master\modules\CheckExternalScripts\CheckExternalScripts.cpp:605: Command line: scripts\toto_proc_win.bat
2017-10-04 08:53:11: debug:c:\source\master\include\nrpe/server/protocol.hpp:92: Accepting connection from: 127.0.0.1, count=1

I have been looking into it but I do not understand why… Can you help me, please?

Is my installation or my configuration wrong?


#3

Hello,

My problem is resolved.

It was in my configuration file nsclient.ini.

I added the line “allowed ciphers = ALL” with “verify mode = none”, “use ssl = true” and “insecure = false”.

Now, my commands work locally and remotely.

Julien
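
The settings named in the fix above can be checked mechanically. The following Python audit is an added example, not part of the original posts and not NSClient++ code: it reads the NRPE server section of an nsclient.ini and flags the transport options discussed in this thread. The section name `/settings/NRPE/server`, the sample file and the finding codes are assumptions of the example; in OpenSSL cipher-list syntax the keyword `ALL` includes the anonymous (unauthenticated) suites, which is what the `anonymous-ciphers` finding reports.

```python
import configparser

# NSClient++'s usual NRPE server section; assumed, the thread does not show it.
SECTION = "/settings/NRPE/server"
# Constructed sample carrying the four settings named in post #3.
SAMPLE_INI = """\
[/settings/NRPE/server]
use ssl = true
insecure = false
verify mode = none
allowed ciphers = ALL
"""
# OpenSSL cipher-list keywords that select anonymous (unauthenticated) suites.
ANON = {"ALL": {"ADH", "AECDH"}, "aNULL": {"ADH", "AECDH"},
        "ADH": {"ADH"}, "AECDH": {"AECDH"}}

def anonymous_families(cipher_string):
    """Heuristic: anonymous families an OpenSSL cipher string still admits."""
    admitted, banned = set(), set()
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token or token.startswith("@"):
            continue
        op = token[0] if token[0] in "!-+" else ""
        families = ANON.get(token[len(op):], set())
        if op == "!":      # permanent removal
            banned |= families
        elif op == "-":    # removal a later keyword may undo
            admitted -= families
        elif op == "":     # plain keyword adds suites ("+" only reorders)
            admitted |= families
    return admitted - banned

def audit_nrpe(ini_text):
    """Return (code, detail) findings for explicitly set NRPE transport options."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    if not cfg.has_section(SECTION):
        return [("section-missing", SECTION)]
    s, out = cfg[SECTION], []
    if s.get("use ssl", "").strip().lower() in ("false", "0"):
        out.append(("plaintext", "use ssl = false"))
    if s.get("insecure", "").strip().lower() in ("true", "1"):
        out.append(("legacy-insecure", "insecure = true"))
    if anon := anonymous_families(s.get("allowed ciphers", "")):
        out.append(("anonymous-ciphers", ",".join(sorted(anon))))
    if s.get("verify mode", "").strip().lower() == "none":
        out.append(("no-peer-verification", "verify mode = none"))
    return out
```

Calling `audit_nrpe(SAMPLE_INI)` returns the `anonymous-ciphers` and `no-peer-verification` findings; an empty list means none of the four options was explicitly set to a flagged value.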