Nagios - Could not complete SSL handshake

I'm trying to configure a Nagios command for checking the status of physical memory on a remote Windows host using the NRPE plugin. I'm using Nagios v3.0.6 on Ubuntu Server v14.10, and the latest stable version of NSClient++, 0.4.3. Here are the snippets from the config files:

define command {
          command_name check_ph_mem
          command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckMEM -a MaxWarn=$ARG1$% MaxCrit=$ARG2$% ShowAl$
}

and

define service{
        host_name               remote-win-host
        service_description     Check Memory NRPE
        check_command           check_ph_mem
        use                     generic-service
}

Nagios could not retrieve any information from this command because when I execute

/usr/lib/nagios/plugins/check_nrpe -H 192.168.1.150

it gives back the following error:

CHECK_NRPE: Error - Could not complete SSL handshake.

I've tried reconfiguring part of C:\Program Files\NSClient++\nsclient.ini in the following way:

[/settings/NRPE/server]
allow arguments = true
allowed hosts = 192.168.1.15
port = 5666

but it gives back the same error. I've already read dozens of similar topics and tried different advice, but I still have the same issue.

Do you have any idea how to fix this?


Solution 1:

If you are using NSCP-0.4.3.x (rather than NSCP-0.4.2.x) on your Windows host, then certificate-based authentication became the default authentication method. That's why your check isn't working. To work around the issue you need to add the following to your config:

[/settings/NRPE/server]
insecure = true

After that you need to restart the NSClient++ service. More info can be found here (6.1 What is insecure mode)

Solution 2:

In my case I had to add under:

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.

the next two lines:

insecure = true

allow arguments = true

and change under:

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket

from

verify mode = peer-cert

to

verify mode = none
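
Solutions 1 and 2 above relax `insecure`, `verify mode` and `allow arguments` in the `[/settings/NRPE/server]` section. As an added example (not part of any answer on this page and not NSClient++ code), this Python script audits an nsclient.ini for those settings so they can be tracked after the check starts working. The sample file contents, the function name `audit_nrpe` and the treatment of `1`/`yes`/`on` as true are assumptions made for the example.

```python
import configparser

SECTION = "/settings/NRPE/server"   # section name as shown on this page

# Constructed sample: the settings from Solutions 1 and 2 applied together.
SAMPLE_WEAK = """\
[/settings/NRPE/server]
allow arguments = true
allowed hosts = 192.168.1.15
port = 5666
insecure = true
verify mode = none
"""

# Constructed sample: certificate verification left on, DH file as in Solution 3.
SAMPLE_STRICT = """\
[/settings/NRPE/server]
allowed hosts = 192.168.1.15
verify mode = peer-cert
dh = ${certificate-path}/nrpe_dh_2048.pem
"""

def _on(value):
    return value.strip().lower() in ("true", "1", "yes", "on")

def audit_nrpe(ini_text):
    """Return sorted (key, finding) pairs for weakened NRPE server settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        return []
    srv = cp[SECTION]
    findings = []
    if _on(srv.get("insecure", "false")):
        findings.append(("insecure", "legacy check_nrpe mode: insecure ciphers allowed"))
    modes = {m.strip().lower() for m in srv.get("verify mode", "").split(",")}
    if "none" in modes:
        findings.append(("verify mode", "client certificate is not verified"))
    if _on(srv.get("allow arguments", "false")):
        note = "remote caller supplies command arguments"
        if findings:  # transport settings already weakened above
            note += "; access rests on 'allowed hosts' (%s)" % srv.get("allowed hosts", "unset")
        findings.append(("allow arguments", note))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in audit_nrpe(SAMPLE_WEAK):
        print(f"{key}: {finding}")
```
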

Solution 3:

Using NSClient++ 0.5.2.39 and check_nrpe 3.2.1, here's what worked for me:

  1. Generate a DH key on a Linux machine (it takes a long time)

    openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
    
  2. Paste your DH key into a newly created file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

  3. Edit C:\Program Files\NSClient++\nsclient.ini:

    [/settings/NRPE/server]
    dh = ${certificate-path}/nrpe_dh_2048.pem
    
  4. Restart NSClient++ service: net stop nscp && net start nscp

This is based on the wonderful article http://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/