Solved

check_nrpe compatibility with older Linux OS and nrpe clients

  • 18 November 2022
  • 11 replies
  • 80 views

Hello,

When upgrading to centreon 20.10 (from an old 2.4.4), i noticed that check_nrpe (4.0.0) wasn’t compatible with older Linux OS having older nrpe clients.

So i kept using the check_nrpe from the previous centreon and it works well.

Now, i am looking to update to centreon 22.10 but i know i will have the same issue.

The backward compatible options aren’t working.

The error is still “CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake wit <IP>” and here’s the log from a nrpe client 2.15 with debug on :

nrpe[4852]: Connection from 10.5.236.21 port 2742
nrpe[4852]: Host address is in allowed_hosts
nrpe[4852]: Handling the connection...
nrpe[4852]: Error: Could not complete SSL handshake. 1
nrpe[4852]: Connection from ⚌⚌#027q closed

 

Here’s was i have tested so far : (check_nrpe 4.1.0 was compiled from sources)

check_nrpe from versions 4.*, when not working with older nrpe client, were tried with various options as -2, -3 & -L ALL

How are we supposed to monitor old OS with check_nrpe if it isn’t compatible ?

Is the -2 option supposed to work with older nrpe 2.15 clients ?

I’ve seen that nrpe isn’t developped anymore as nagios switched to ncpa. It would mean a lot of works to switch from nrpe to ncpa (but they have clients for the old Linux and Unix OS) and i don’t even know if i can make it work with centreon.

Thanks.

icon

Best answer by omercier 30 November 2022, 13:15

View original

11 replies

Badge +1

Hi,

Try the command with -n parameter.

Options:
-n = Do no use SSL

 

Hello,

Altough not mentionned, i tried it, it failed with a different error.

Userlevel 3
Badge +11

Hi @Shadok,

If I remember correctly NRPE v2 server had a static payload size, hard-coded at the compilation time, and it would  not work if the client does not have the same payload size. Depending on the client you are using, it can be specified in the command-line.

I suggest you try this:

yum install centreon-plugin-Applications-Protocol-Nrpe.noarch

/usr/lib/centreon/plugins/centreon_protocol_nrpe.pl --plugin=apps::protocols::nrpe::plugin --custommode nrpe --mode query --nrpe-version 2 --nrpe-port 5666 --nrpe-payload <payload>

Replacing <payload> with 512, 1024, ... until you find the right value for your build of the NRPE server.

Thanks for the reply @omercier .

I checked the nrpe 2.15 package source to be sure of the payload value and it’s 1024 (MAX_PACKETBUFFER_LENGTH in include/common.h), but it doesn’t help :

# ./check_nrpe_4.1 -2 -P 1024 -H 10.242.226.62 -c check_disk -a 400 300 /
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.242.226.62: 1

Same issue with check_nrpe 4.0, provided with centreon 20.10.

Forcing any ssl version with -S wasn’t helpful either.

Userlevel 3
Badge +11

And have your tried with -n option and the payload at the same time?

No, since i’m not supposed to use nrpe without ssl or tls but i’ll give it a try tomorrow.

If this is the only working option, i may not have the choice.

Well, at least it’s consistent in not wanting to work :

# ./check_nrpe -2 -P 1024 -n -H 10.242.226.62 -c check_disk -a 400 300 /
CHECK_NRPE: Receive header underflow - only -1 bytes received (4 expected).

The strange thing is that the nrpe client still complains about ssl :

nrpe[14134]: Error: Could not complete SSL handshake. 1

 

No difference without the payload size, meaning it’s not a payload issue maybe ?

# ./check_nrpe -n -H 10.242.226.62 -c check_disk -a 400 300 /
CHECK_NRPE: Receive header underflow - only -1 bytes received (4 expected).

nrpe[14788]: Error: Could not complete SSL handshake. 1

nrpe[14788]: Error: Could not complete SSL handshake. 1

check_nrpe 2.15 doesn’t work either without SSL :

# ./check_nrpe.ori -n -H 10.242.226.62 -c check_disk -a 400 300 /
CHECK_NRPE: Error receiving data from daemon.

Client keeps complaining about ssl :

nrpe[43208]: Error: Could not complete SSL handshake. 1

 

Userlevel 3
Badge +11

Hi @Shadok

Sorry for giving no answer for some days.

Would this workaround be a solution in your case? https://www.claudiokuenzler.com/blog/1115/check_nrpe-4.x-nsclient-5.x-ssl-error-could-not-complete-ssl-handshake

The link is about NSCLient, but the DH key length issue may apply to NRPE as well.

Hello @omse974 

Indeed, the cause is the dh key, this is not a new issue : https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650

But i don’t see how can i use a different key on the old nrpe clients without recompiling it and creating a new package.

I understood too why -n wasn’t working, it needs to be added on the client too, so the init.d / systemd file needs to be updated (but it would be lost at each package upgrade) :

https://support.nagios.com/forum/viewtopic.php?f=7&t=50342

Another option would be to duplicate the hostgroups and commands, to use the new check_nrpe for recent os and the old one for the others.

3 solutions, the latest seems the simplest.

Reply