Nagios - Could not complete SSL handshake

ssl nagios nrpe

I'm trying to configure Nagios command for checking status of physical memory on a remote Windows host using NRPE plugin. I'm using Nagios v3.0.6 on Ubuntu Server v14.10, and latest stable version of NSClient++ 0.4.3. Here are the snippets from the config files:

define command {
          command_name check_ph_mem
          command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckMEM -a MaxWarn=$ARG1$% MaxCrit=$ARG2$% ShowAl$
}

and

define service{
        host_name               remote-win-host
        service_description     Check Memory NRPE
        check_command           check_ph_mem
        use                     generic-service
}

Nagios could not retrieve any information from this command because when I execute 

/usr/lib/nagios/plugins/check_nrpe -H  192.168.1.150

it gives back following error:

CHECK_NRPE: Error - Could not complete SSL handshake.

I've tried with reconfiguring part of C:\Program Files\NSClient++\nsclient.ini in following way:

[/settings/NRPE/server]

allow arguments = true

allowed hosts = 192.168.1.15

port = 5666

but it gives back the same error. I've already read dozens similar topics and tried different advices, but I still have the same issue.

Do you have any idea how to fix this?


Solution 1:

If you are using NSCP-0.4.3.x (rather then NSCP-0.4.2.x) on your Windows Host, then certificate based authentication became the default authentication method. That´s why your check isn´t working. To work around the issue you need to add the following to your config:

[/settings/NRPE/server]
insecure = true

After that you need to restart the NSClient++ Service. More infos can be found here (6.1 What is insecure mode)

Solution 2:

In my case I had to add under:

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.

the next two lines:

insecure = true

allow arguments = true

and change under:

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket

from 

verify mode = peer-cert

to

verify mode = none

Solution 3:

Using NSClient++ 0.5.2.39 and check_nrpe 3.2.1, here's what worked for me:

  1. Generate DH key on Linux machine (it takes a long time)

    openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'

  2. Paste your DH key to newly created file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

  3. Edit C:\Program Files\NSClient++\nsclient.ini:

    [/settings/NRPE/server]
dh = ${certificate-path}/nrpe_dh_2048.pem

  4. Restart NSClient++ service: net stop nscp && net start nscp

This is based on the wonderful article http://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/

Related

Is it possible to set up a reverse DNS record on AWS for address from a different registrar?
Can a backup mx server be configured to reject email submissions if it can connect to the primary mx?
Can a DNS client distinguish if the answer they received was based on a wildcard record or a specific match?
Why does Chrome complain about "obsolete cryptography"?
Is it possible combine remote results to local a register in Ansible?
How to reset glusterd configuration?
Is "Peering" in networking, always exchanged directly?
NTP: How to establish redundant solution for NTP servers?
During a cutover migration from Exchange 2010 to 365, how to handle desktop clients?
Store GPO Scripts in Netlogon or Policy Folder?
Powershell: Executing Base64 commands returns error?
virsh command that displays the cpu and memory consumption?