Solved

Checl NRPE Could not complete SSL handshake

  • 16 November 2023
  • 8 replies
  • 1523 views

Badge +4

Hello,

Error -  Could not complete SSL handshake dh key too small

 

Im having troubles checking a windows client with nrpe3. I using Debian11 and Windows 2019 client:

This is my nsclient.ini:

[/settings/log]
; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info
; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S
; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log

; A list of modules.
[/modules]
; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1
; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1
; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1
; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1
; CheckNSCP - Use this module to check the health and status of NSClient++ itself
CheckNSCP = 1
; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1
; CheckWMI - CheckWMI can check various file and disk related things. The current version has commands to check Size of hard drives and directories.
CheckWMI = 1
; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1
; NSClient server - A simple server that listens for incoming NSClient (check_nt) connection and handles them. Although NRPE is the preferred method NSClient is fully supported and can be used for simplicity or for compatibility.
NSClientServer = 1
; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = 1
; WEBServer - A server that listens for incoming HTTP connection and processes incoming requests. It provides both a WEB UI as well as a REST API in addition to simplifying configuration of WEB Server module.
WEBServer = 1
; CheckNet - Network related check such as check_ping.
CheckNet = 1

Section for REST API
[/settings/WEB/server]
; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 0.0.0.0/0

; CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = true

; PORT NUMBER - Port to use for REST API.
port = 8443

; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem

; Section for REST API roles
[/settings/WEB/server/roles]
limited=*.get

; Section for REST API users
[/settings/WEB/server/users/centreon]
password=centreon
role=limited

; Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.

[/settings/NSClient/server]
; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true
; PERFORMANCE DATA - Send performance data back to nagios (set this to 0 to remove all performance data).
performance data = true
; PORT NUMBER - Port to use for check_nt.
port = 5666

[/settings/NRPE/server]
; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true

; Undocumented key
ssl options = no-sslv2,no-sslv3
; Undocumented key
insecure = true

[/settings/default]
; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = CENTREONIP

password=public

; PORT NUMBER - Port to use for NRPE.
port = 5666

; Needed for long output, with check_centreon_nrpe
payload length = 8192

; EXTENDED RESPONSE - Send more then 1 return packet to allow response to go beyond payload size (requires modified client).
; extended response = true

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = true

[/settings/external scripts]
allow arguments = 1
allow nasty characters = 1
script path=scripts\

[/settings/external scripts/scripts/default]
ignore perfdata = true

[/settings/external scripts/scripts]
check_logfiles=scripts\\centreon\\check_logfiles.exe $ARG1$
check_centreon_plugins=scripts\\centreon\\centreon_plugins.exe --plugin=$ARG1$ --mode=$ARG2$ $ARG3$
test1 = cmd /c echo scripts\powershell.ps1; exit($lastexitcode) | powershell.exe -command -

Im have also tried comment use SSL, INSECURE and NO-SSLV2 and NO-SSLV3.

In my old Centos work fine, it use nrpe, not nrpe3.

 

Thanks,

icon

Best answer by christophe.niel-ACT 20 November 2023, 10:51

View original

8 replies

Badge +7

Hello,

We had that same problem when migrating from Centos to Debian. We managed to solve it by following the instructions on this page

https://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/

I hope it solves your problem too.

 

Best regards,

Badge +4

Hello,

We had that same problem when migrating from Centos to Debian. We managed to solve it by following the instructions on this page

https://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/

I hope it solves your problem too.

 

Best regards,

 

Hello carnabil, thanks for the answer.

 

We have many servers using this check, the problem is that we cannot configure them all one by one.

Is there not another option to config in nsclient.ini ?

Is there another remote checking method similar to nsclient?

 

Regards,

Userlevel 5
Badge +14

hello

your config file is a bit strange :

in this section

[/settings/NRPE/server]

you have put undocumented stuff, then there another section header

[/settings/default]

and the settings here should be in the previous section. (like use ssl = true)

I think doing that is not enabling the SSL  in the NRPE Server.

 

here is the default nsclient nrpe section out of the setup downloaded here : Download Centreon | Open Source IT Infrastructure Monitoring Tool

; Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true

; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 0.0.0.0/0

; PORT NUMBER - Port to use for NRPE.
port = 5666

; Needed for long output, with check_centreon_nrpe
payload length = 8192

; EXTENDED RESPONSE - Send more then 1 return packet to allow response to go beyond payload size (requires modified client).
; extended response = true

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = true

there is no section [/settings/default] at all in the original file.

(maybe you modify too many things, or you are using an old ini file that didn’t come from the centreon package, I would suggest you try to install the centreon nsclient package somewhere, and look at the original nsclient.ini here)

 

 

you could also try “use ssl = false” and “--no-ssl” in your check_nrpe command, I don’t find this solution acceptable, 

but you would need to modify all the ini file on every server.

 

next if the previous post with the DH file generated with openssl and the nscp option “nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"”

this is just adding : 

; DH KEY - 
dh = ${certificate-path}/nrpe_dh_2048.pem

in the [/settings/NRPE/server] section just after use ssl = true

 

so basically what you need to do is have clean “.ini” file where you have added the DH line, a clean “nrpe_dh_2048.pem” file and copy that on each windows server

a simple script to copy them on

“\\xxxx\c$\Program Files\centreon-nsclient\NSClient++\” for the ini and

“\\xxxx\c$\Program Files\centreon-nsclient\NSClient++\secure” for the pem file

(if you have installed nsclient with this path, assuming you have admin rights, a domain, or something. or you could use a packaging software, but basically there are no shortcut, you need to modify ALL the ini file and put the PEM on ALL the servers)

and then do a restart of nscp (also with the script)

 

(also if you do that I would suggest you also copy the latest plugin pack Releases · centreon/centreon-nsclient-build (github.com) rename it and put it in the scripts/centreon folder on each of your servers)

 

 

Is there another remote checking method similar to nsclient?

 

for this question, I personnaly use the web api of nsclient, not nrpe. a bit different, but same result mostly, it uses the web api on port 8443, a login/password, and you have less ssl issue than with nrpe

(your config file show you have that enabled)

alternatively, there is a new software “SNClient” that is currently being developped and has the purpose to replace nsclient that is no longer maintained.

ConSol-Monitoring/snclient: SNClient+ - Cross platform monitoring agent (github.com)

there are some missing features as of today, but it is in progress, all the basic stuff seems to be ready (no check eventlog and no check process yet, work in progress)

 

Badge +4

hello

 

Thanks for the answer christophe.

I have done the configuration but is still is not working:
I have the C:\Program Files\NSClient++\security\nrpe_dh_2048.pem file

This is my .ini:

# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

[/settings/log]

; LOG LEVEL - Log level to use. Available levels are error,warning,info,debug,trace
level = info

; DATEMASK - The size of the buffer to use when getting messages this affects the speed and maximum size of messages you can recieve.
date format = %Y-%m-%d %H:%M:%S

; FILENAME - The file to write log data to. Set this to none to disable log to file.
file name = ${exe-path}/nsclient.log

; A list of modules.
[/modules]

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1

; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1

; CheckNSCP - Use this module to check the health and status of NSClient++ itself
CheckNSCP = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

; CheckTaskSched - Check status of your scheduled jobs.
CheckTaskSched = 1

; WEBServer - A server that listens for incoming HTTP connection and processes incoming requests. It provides both a WEB UI as well as a REST API in addition to simplifying configuration of WEB Server module.
WEBServer = 0

; CheckNet - Network related check such as check_ping.
CheckNet = 1

; Section for REST API
[/settings/WEB/server]

; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 0.0.0.0/0

;CACHE ALLOWED HOSTS - If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.
cache allowed hosts = true

; PORT NUMBER - Port to use for REST API.
port = 8443s

;PASSWORD - Password used to authenticate against server
password = centreon

; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem

; Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]

; COMMAND ARGUMENT PROCESSING - This option determines whether or not the we will allow clients to specify arguments to commands that are executed.
allow arguments = true

; COMMAND ALLOW NASTY META CHARS - This option determines whether or not the we will allow clients to specify nasty (as in |`&><'"\[]{}) characters in arguments.
allow nasty characters = true

; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = CENTREONIP

; PORT NUMBER - Port to use for NRPE.
port = 5666

; Needed for long output, with check_centreon_nrpe
payload length = 8192

; EXTENDED RESPONSE - Send more then 1 return packet to allow response to go beyond payload size (requires modified client).
; extended response = true

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = true

; DH KEY -
dh = ${certificate-path}/nrpe_dh_2048.pem

[/settings/external scripts]
allow arguments = 1
allow nasty characters = 1

[/settings/external scripts/scripts/default]
ignore perfdata = true

[/settings/external scripts/scripts]
check_logfiles=scripts\\centreon\\check_logfiles.exe $ARG1$
check_centreon_plugins=scripts\\centreon\\centreon_plugins.exe --plugin=$ARG1$ --mode=$ARG2$ $ARG3$

test1 = cmd /c echo scripts\powershell.ps1; exit($lastexitcode) | powershell.exe -command -

And this is the test command:

root@VMCENTREON:/usr/lib/nagios/plugins# ./check_centreon_nrpe3 -H CLIENTIP -c test1
CHECK_NRPE STATE CRITICAL: Socket timeout after 20 seconds.

 

Is there some log to check the error ?

 

Userlevel 5
Badge +14

you have a “nsclient.log” in the nsclient folder, but it may not have interesing information (check it anyway in case of local errors just in case)

 

but your command is wrong, you have a 8192 byte payload in the nsclient,ini, and you should have this in your nrpe command, the test command is in the documentation : Windows NRPE 0.5 | Centreon Documentation 

 

./check_centreon_nrpe3 -H X.X.X.X -p 5666 -u -2 -P 8192

should respond with that :

I (0.5.2.41 2018-04-26) seem to be doing fine…
 

./check_centreon_nrpe3 -H X.X.X.X -p 5666     (without -u 2 -P 8192)

this gives me 

CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds.
 

in the documentation if you use the template nsclient05-nrpe you should have these extra option in the command

Badge +4

 

Sorry about that, including -p 5666 -u -2 -P 8192  its work fine.

You said you prefer web api of nsclient you mean this command > centreon_nsclient_restapi.pl ?

 

Thanks again for help !

Userlevel 5
Badge +14

hello

yes, this is the command/template I’m using (because nrpe was not upgraded when we started using centreon, and for some reason we stuck with it)

 

both are doing the same thing basically, it’s just the way to communicate with NSCLIENT and all the check are the same. Both will use ssl and may have the same issue if debian ask for a updated DH strength to 2048 (the restapi will use curl, that will use the cryptography lib of the linux OS, so maybe you will have the same problem)

so if it working with NRPE and you already are using NRPE on your host, stay with it.

 

 

I fear the moment I will upgrade my poller to a much more recent linux distro (alma9) and will get the same issue as you for the thousand of windows I have in centreon ;)

 

Badge +4

hello

 

Yes, now im modifying somes templates and commands after migration…

Thanks again for help !

Reply