Nagios - Could not complete SSL handshake
I'm trying to configure a Nagios command for checking the status of physical memory on a remote Windows host using the NRPE plugin. I'm using Nagios v3.0.6 on Ubuntu Server v14.10, and the latest stable version of NSClient++, 0.4.3. Here are the snippets from the config files:
define command {
    command_name check_ph_mem
    command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckMEM -a MaxWarn=$ARG1$% MaxCrit=$ARG2$% ShowAl$
}
and
define service{
    host_name remote-win-host
    service_description Check Memory NRPE
    check_command check_ph_mem
    use generic-service
}
Nagios could not retrieve any information from this command because when I execute
/usr/lib/nagios/plugins/check_nrpe -H 192.168.1.150
it gives back the following error:
CHECK_NRPE: Error - Could not complete SSL handshake.
I've tried reconfiguring part of C:\Program Files\NSClient++\nsclient.ini in the following way:
[/settings/NRPE/server]
allow arguments = true
allowed hosts = 192.168.1.15
port = 5666
but it gives back the same error. I've already read dozens of similar topics and tried different advice, but I still have the same issue.
Do you have any idea how to fix this?
Solution 1:
If you are using NSCP-0.4.3.x (rather than NSCP-0.4.2.x) on your Windows host, then certificate-based authentication became the default authentication method. That's why your check isn't working. To work around the issue you need to add the following to your config:
[/settings/NRPE/server]
insecure = true
After that you need to restart the NSClient++ service. More information can be found here (6.1 What is insecure mode)
Solution 2:
In my case I had to add under:
; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
the next two lines:
insecure = true
allow arguments = true
and change under:
; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket
from
verify mode = peer-cert
to
verify mode = none
Solution 3:
Using NSClient++ 0.5.2.39 and check_nrpe 3.2.1, here's what worked for me:
- Generate DH key on Linux machine (it takes a long time):
  openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
  Paste your DH key to newly created file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem
- Edit C:\Program Files\NSClient++\nsclient.ini:
  [/settings/NRPE/server]
  dh = ${certificate-path}/nrpe_dh_2048.pem
  Restart NSClient++ service:
  net stop nscp && net start nscp
This is based on the wonderful article http://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/
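
Added example (not part of any answer above, and not NSClient++ code): a small Python audit of the [/settings/NRPE/server] section that reports which of the workaround settings from the answers (insecure, verify mode, allow arguments) are weakening a host's NRPE listener. Both sample configs are constructed, and the accepted boolean spellings are an assumption.

```python
import configparser

SECTION = "/settings/NRPE/server"

# Constructed sample: the workaround state described in Solutions 1 and 2.
WEAK = """
[/settings/NRPE/server]
allow arguments = true
allowed hosts = 192.168.1.15
port = 5666

[/settings/NRPE/server]
insecure = true
verify mode = none
"""

# Constructed sample: certificate verification kept, DH file as in Solution 3.
HARDENED = """
[/settings/NRPE/server]
allowed hosts = 192.168.1.15
insecure = false
verify mode = peer-cert
allow arguments = false
dh = ${certificate-path}/nrpe_dh_2048.pem
"""

def _is_true(value):
    # Assumption: boolean keys are written as true/false or 1/0.
    return (value or "").strip().lower() in ("true", "1")

def audit_nrpe_server(ini_text):
    """Return {key: finding} for weakened settings in the NRPE server section."""
    # strict=False merges a repeated section header, as in WEAK above;
    # interpolation=None keeps values such as ${certificate-path} literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    if not parser.has_section(SECTION):
        return {}
    server = parser[SECTION]
    findings = {}
    insecure = _is_true(server.get("insecure"))
    if insecure:
        findings["insecure"] = "legacy check_nrpe mode: insecure ciphers allowed"
    # "verify mode" is a comma separated list of flags.
    flags = [f.strip().lower() for f in server.get("verify mode", "").split(",")]
    no_verify = "none" in flags
    if no_verify:
        findings["verify mode"] = "peer certificate is not verified"
    if _is_true(server.get("allow arguments")) and (insecure or no_verify):
        findings["allow arguments"] = ("arguments accepted without certificate "
                                       "authentication; only 'allowed hosts' limits callers")
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_nrpe_server(text))
```

Run it against a copy of nsclient.ini from each monitored host to see where the insecure workaround is still in place after check_nrpe has been upgraded.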