Hello,
Error - Could not complete SSL handshake dh key too small
I'm having trouble checking a Windows client with nrpe3. I'm using Debian 11 and a Windows 2019 client:

This is my nsclient.ini:
[/settings/log]
; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info
; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can receive.
date format = %Y-%m-%d %H:%M:%S
; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log
; A list of modules.
[/modules]
; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1
; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1
; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1
; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1
; CheckNSCP - Use this module to check the health and status of NSClient++ itself
CheckNSCP = 1
; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1
; CheckWMI - CheckWMI can check various file and disk related things. The current version has commands to check Size of hard drives and directories.
CheckWMI = 1
; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1
; NSClient server - A simple server that listens for incoming NSClient (check_nt) connection and handles them. Although NRPE is the preferred method NSClient is fully supported and can be used for simplicity or for compatibility.
NSClientServer = 1
; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = 1
; WEBServer - A server that listens for incoming HTTP connection and processes incoming requests. It provides both a WEB UI as well as a REST API in addition to simplifying configuration of WEB Server module.
WEBServer = 1
; CheckNet - Network related check such as check_ping.
CheckNet = 1
; Section for REST API
[/settings/WEB/server]
; ALLOWED HOSTS - A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 0.0.0.0/0
; CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = true
; PORT NUMBER - Port to use for REST API.
port = 8443
; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem
; Section for REST API roles
[/settings/WEB/server/roles]
limited=*.get
; Section for REST API users
[/settings/WEB/server/users/centreon]
password=centreon
role=limited
; Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NSClient/server]
; COMMAND ARGUMENT PROCESSING - This option determines whether or not we will allow clients to specify arguments to commands that are executed.
allow arguments = true
; PERFORMANCE DATA - Send performance data back to nagios (set this to 0 to remove all performance data).
performance data = true
; PORT NUMBER - Port to use for check_nt.
port = 5666
[/settings/NRPE/server]
; COMMAND ARGUMENT PROCESSING - This option determines whether or not we will allow clients to specify arguments to commands that are executed.
allow arguments = true
; COMMAND ALLOW NASTY META CHARS - This option determines whether or not we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true
; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
insecure = true
[/settings/default]
; ALLOWED HOSTS - A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = CENTREONIP
password=public
; PORT NUMBER - Port to use for NRPE.
port = 5666
; Needed for long output, with check_centreon_nrpe
payload length = 8192
; EXTENDED RESPONSE - Send more than 1 return packet to allow response to go beyond payload size (requires modified client).
; extended response = true
; ALLOW INSECURE CIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true
; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = true
[/settings/external scripts]
allow arguments = 1
allow nasty characters = 1
script path=scripts\
[/settings/external scripts/scripts/default]
ignore perfdata = true
[/settings/external scripts/scripts]
check_logfiles=scripts\\centreon\\check_logfiles.exe $ARG1$
check_centreon_plugins=scripts\\centreon\\centreon_plugins.exe --plugin=$ARG1$ --mode=$ARG2$ $ARG3$
test1 = cmd /c echo scripts\powershell.ps1; exit($lastexitcode) | powershell.exe -command -
I have also tried commenting out use SSL, INSECURE and NO-SSLV2 and NO-SSLV3.
On my old CentOS it works fine; it uses nrpe, not nrpe3.
Thanks,
Best answer by christophe.niel-ACT
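A small audit of the settings in the nsclient.ini posted above, as an added example that is not part of the original post or of NSClient++: it reports every section where `insecure` is on, where `allow arguments` and `allow nasty characters` are both on, or where `allowed hosts` matches any address. The function names and the shortened sample excerpt are constructed for illustration.

```python
import re

# Constructed excerpt reusing settings from the nsclient.ini posted above.
SAMPLE_INI = """\
[/settings/WEB/server]
allowed hosts = 0.0.0.0/0
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
insecure = true
[/settings/default]
allowed hosts = CENTREONIP
insecure = true
[/settings/external scripts]
allow arguments = 1
allow nasty characters = 1
"""
TRUTHY = {"true", "1"}  # the two spellings used in the posted file

def parse_ini(text):
    """Return {section: {key: value}}; ';' comments and lines without '=' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return sorted (section, finding) pairs for the three settings checked here."""
    findings = []
    for name, kv in parse_ini(text).items():
        on = lambda k: kv.get(k, "").lower() in TRUTHY
        if on("insecure"):
            findings.append((name, "insecure = true (legacy check_nrpe ciphers enabled)"))
        if on("allow arguments") and on("allow nasty characters"):
            findings.append((name, "arguments with shell metacharacters are accepted"))
        hosts = [h.strip() for h in kv.get("allowed hosts", "").split(",")]
        if any(h in ("*", "0.0.0.0/0") for h in hosts):
            findings.append((name, "allowed hosts matches every address"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{s}: {f}" for s, f in audit(SAMPLE_INI)), sep="\n")
```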