Hello,
I got this error on several services using the api plugins
Anyone know how to fix it?
i made a search about this in forum but the only thread with it did not help…
Page 1 / 2
You can take a look on this for SSH key exchange
Already try those arguments but did not work.
You can take a look on this for SSH key exchange
i am gonna test it later. thanks
Edit : this link helps to set ssh key exchange from poller to central, its not my issue. thks anyway
So could you be more precise according your trouble ?
Is it between a poller and a client ?
If this is the case, into the link you’ve got the tips to follow to add the keys.
HTH
Pascal
So could you be more precise according your trouble ?
Is it between a poller and a client ?
If this is the case, into the link you’ve got the tips to follow to add the keys.
HTH
Pascal
of course i can, i am trying to set several official plugins from centreon : wsus, active directory, exchange.
I got the exact same message for those 3 plugins :
i have a central with poller and database who trying to get information from several hosts (wsus, active directory, exchange).
the the common denominator between all those hosts is that they all using the same port to get those services : 8443.
if I don't make a mistake the link you gave is to set the ssh connection from poller to host.
Also i tried to connect to nscp web interface but did not work on the hosts.
i really dont understand whats going on.
Are you sure that your secure connection on the target, using the 8443 port get a certificat ?
Are you sure that your secure connection on the target, using the 8443 port get a certificat ?
honestly no, how can i be sure about that?, i do not know a lot about certificate
Edit : i tried to add this to command
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /=a-zA-Z]/" --verbose' --http-backend=curl
UNKNOWN: curl perform error : Peer certificate cannot be authenticated with given CA certificates
or
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /na-zA-Z]/" --verbose' --http-backend=curl --insecure
UNKNOWN: 403 Forbidden
or
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /ua-zA-Z]/" --verbose' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE
>
Nothing happens with last one
or
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /na-zA-Z]/" --verbose' --ssl=ignore-errors
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)
or
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /ia-zA-Z]/" --verbose' --curl-opt="CURLOPT_SSL_VERIFYPEER => 0"
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)
hi
the one that returns nothing is the right syntax, at least that’s what I have in all my nsclient restapi calls
you just forgot the last double quote after none
hi
the one that returns nothing is the right syntax, at least that’s what I have in all my nsclient restapi calls
you just forgot the last double quote after none
well seen, i added the last double quote but still got this error, it s like it does not take the ssl mode…
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /na-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)
be aware of the single quotes in the multiple “--args” options, the “--ssl-opt” is an argument you need to pass to the linux perl command, if you include it in a --arg option it will be passed to the windows command
in your last command everything in bold is in the last --arg, all is between 2 single quotes ‘ ‘
(notice how everything inside this block use double quotes “”)
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /va-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'
here is the same command, but I took the ssl options out of the last --arg:
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /da-zA-Z]/" --verbose’
usually you give this --ssl-opt to the host extra options macro, so it is placed automatically and you don’t have to do it manually
be aware of the single quotes in the multiple “--args” options, the “--ssl-opt” is an argument you need to pass to the linux perl command, if you include it in a --arg option it will be passed to the windows command
in your last command everything in bold is in the last --arg, all is between 2 single quotes ‘ ‘
(notice how everything inside this block use double quotes “”)
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /va-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'
here is the same command, but I took the ssl options out of the last --arg:
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /da-zA-Z]/" --verbose’
usually you give this --ssl-opt to the host extra options macro, so it is placed automatically and you don’t have to do it manually
Even if what you're telling me seems clear when I look at the order, it looks very confused with single and double quotes all over the place, so I've tried to rework the order with some logic.
Can you tell me what you think?
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.3.10.93' --port='8443' --proto='https' --legacy-password='***' --ssl-opt='SSL_verify_mode => SSL_VERIFY_NONE' --command=check_centreon_plugins --arg="apps::microsoft::exchange::local::plugin" --arg="services" --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /Ta-zA-Z]/" --verbose
Unknown option: warning at /usr/lib/centreon/plugins//centreon_nsclient_restapi.pl line 472.
maybe centreon is waiting for a warning argument
Hello
so I've tried to rework the order with some logic
please DON’T
there is a reason for single quote and double quotes, remember the commad is generated by php from a mysql database, the it is run on a linux in bash, will go through a webservice on windows, that will then run a command based on some parameters….
do not play with quotes. (single quotes allow the bash to put double quotes in what it will send to windows)
back to the basic problem, there is a centreon command in the database, it is used by a service template in a host template using windows nrpe
you should not have to use the command manually, and here is how you setup the ssl-opt properly
On centreon UI you should go in “configuration / Hosts / Template”
look for “OS-Windows-NSClient-05-Restapi-custom”
in the Custom macros you should have this, notice the one in white I modified with the ssl-opt
I put that in the box for the NSCPRESTAPIEXTRAOPTIONS
--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
this will be put automatically in all command run on a host with that template.
I don’t know if you have put the windows nsclient template or just the app-exchange template, but you should have a “OS” template on your host before the “app” template
the “OS” initialize a lot of macro/options
your host should have this templates (in this order)
here the “command” for exchange you are using
the ssl-opt will be but where I marked in yellow, everything else you have pasted here is genrated from that,
so once again, don’t play with the quotes, they are setup in this command
finally, if you don’t want to use host template, ok fine, but you must add the custom macro for the nsclient option on the host, including the one with the extra options I mentionned above
Hello
so I've tried to rework the order with some logic
please DON’T
there is a reason for single quote and double quotes, remember the commad is generated by php from a mysql database, the it is run on a linux in bash, will go through a webservice on windows, that will then run a command based on some parameters….
do not play with quotes. (single quotes allow the bash to put double quotes in what it will send to windows)
back to the basic problem, there is a centreon command in the database, it is used by a service template in a host template using windows nrpe
you should not have to use the command manually, and here is how you setup the ssl-opt properly
On centreon UI you should go in “configuration / Hosts / Template”
look for “OS-Windows-NSClient-05-Restapi-custom”
in the Custom macros you should have this, notice the one in white I modified with the ssl-opt
I put that in the box for the NSCPRESTAPIEXTRAOPTIONS
--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
this will be put automatically in all command run on a host with that template.
I don’t know if you have put the windows nsclient template or just the app-exchange template, but you should have a “OS” template on your host before the “app” template
the “OS” initialize a lot of macro/options
your host should have this templates (in this order)
here the “command” for exchange you are using
the ssl-opt will be but where I marked in yellow, everything else you have pasted here is genrated from that,
so once again, don’t play with the quotes, they are setup in this command
finally, if you don’t want to use host template, ok fine, but you must add the custom macro for the nsclient option on the host, including the one with the extra options I mentionned above
so
and for the command
the response sent by the command
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /ra-zA-Z]/" --verbose'
-bash: /usr/lib/centreon/plugins//centreon_nsclient_restapi.pl: No such file or directory
Hello
so I've tried to rework the order with some logic
please DON’T
there is a reason for single quote and double quotes, remember the commad is generated by php from a mysql database, the it is run on a linux in bash, will go through a webservice on windows, that will then run a command based on some parameters….
do not play with quotes. (single quotes allow the bash to put double quotes in what it will send to windows)
back to the basic problem, there is a centreon command in the database, it is used by a service template in a host template using windows nrpe
you should not have to use the command manually, and here is how you setup the ssl-opt properly
On centreon UI you should go in “configuration / Hosts / Template”
look for “OS-Windows-NSClient-05-Restapi-custom”
in the Custom macros you should have this, notice the one in white I modified with the ssl-opt
I put that in the box for the NSCPRESTAPIEXTRAOPTIONS
--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
this will be put automatically in all command run on a host with that template.
I don’t know if you have put the windows nsclient template or just the app-exchange template, but you should have a “OS” template on your host before the “app” template
the “OS” initialize a lot of macro/options
your host should have this templates (in this order)
here the “command” for exchange you are using
the ssl-opt will be but where I marked in yellow, everything else you have pasted here is genrated from that,
so once again, don’t play with the quotes, they are setup in this command
finally, if you don’t want to use host template, ok fine, but you must add the custom macro for the nsclient option on the host, including the one with the extra options I mentionned above
so
and for the command
the response sent by the command
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /ra-zA-Z]/" --verbose'
-bash: /usr/lib/centreon/plugins//centreon_nsclient_restapi.pl: No such file or directory
Hello
so I've tried to rework the order with some logic
please DON’T
there is a reason for single quote and double quotes, remember the commad is generated by php from a mysql database, the it is run on a linux in bash, will go through a webservice on windows, that will then run a command based on some parameters….
do not play with quotes. (single quotes allow the bash to put double quotes in what it will send to windows)
back to the basic problem, there is a centreon command in the database, it is used by a service template in a host template using windows nrpe
you should not have to use the command manually, and here is how you setup the ssl-opt properly
On centreon UI you should go in “configuration / Hosts / Template”
look for “OS-Windows-NSClient-05-Restapi-custom”
in the Custom macros you should have this, notice the one in white I modified with the ssl-opt
I put that in the box for the NSCPRESTAPIEXTRAOPTIONS
--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"
this will be put automatically in all command run on a host with that template.
I don’t know if you have put the windows nsclient template or just the app-exchange template, but you should have a “OS” template on your host before the “app” template
the “OS” initialize a lot of macro/options
your host should have this templates (in this order)
here the “command” for exchange you are using
the ssl-opt will be but where I marked in yellow, everything else you have pasted here is genrated from that,
so once again, don’t play with the quotes, they are setup in this command
finally, if you don’t want to use host template, ok fine, but you must add the custom macro for the nsclient option on the host, including the one with the extra options I mentionned above
this is how it is
and
/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.3.10.93' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services' --arg=' --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /ua-zA-Z]/" --verbose'
UNKNOWN: 403 Forbidden
ah, 403 Forbidden is better (i guess)
this could be multiple cause:
1 tcp port used by another process
could you stop “nsclient” service on the windows host and check with
netstat -an | finstr 8443
if there is a line in the ouput of the command, then you have something else listening on the tcp port 8443 (usually a java/tomcat service, or another software, you can check in the windows ressource monitor)
if that’s the case, you would need to change the http port by something unused (I use 5443 for example) in nsclient.ini and override the custom macro for the port and put the same value (5443)
you can change the port in the nsclient.ini
[/settings/WEB/server]
port = 5443s
2 wrong password
in the nsclient.ini, section web server
[/settings/WEB/server]
password = xyz
this the “legacy password”, make sure the value match your ** password
3 address of the centreon poller not allowed in the nsclient.ini
also in the nsclient.ini, section
[/settings/WEB/server]
; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 10.10.10.1, mypoller, 192.168.10.*
Allowed hosts should include or match exactly your poller (ip address, range, or dns name)
ah, 403 Forbidden is better, at least you went up in the osi layer 
.
this could be multiple cause:
1 tcp port used by another process
could you stop “nsclient” service on the windows host and check with
netstat -an | finstr 8443
if there is a line in the ouput of the command, then you have something else listening on the tcp port 8443 (usually a java/tomcat service, or another software, you can check in the windows ressource monitor)
if that’s the case, you would need to change the http port by something unused (I use 5443 for example) in nsclient.ini and override the custom macro for the port and put the same value (5443)
you can change the port in the nsclient.ini
[/settings/WEB/server]
port = 5443s
2 wrong password
in the nsclient.ini, section web server
[/settings/WEB/server]
password = xyz
this the “legacy password”, make sure the value match your ** password
3 address of the centreon poller not allowed in the nsclient.ini
also in the nsclient.ini, section
[/settings/WEB/server]
; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 10.10.10.1, mypoller, 192.168.10.*
Allowed hosts should include or match exactly your poller (ip address, range, or dns name)
tried another port, changed password, nothing changed still same error
i tried all commands with --debug on the central
i got the same debug message at each time
======> response done
HTTP/1.0 403 Forbidden
Content-Length: 22
Client-Date: Thu, 05 Oct 2023 14:01:12 GMT
Client-Peer: 10.3.10.93:8443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /CN=localhost
Client-SSL-Cert-Subject: /CN=localhost
Client-SSL-Cipher: AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Client-SSL-Version: TLSv1_2
403 Please login first
What this means?
Where to login?
Up , if anyone can help.
when you got the “unknown error : cannot load module --plugin….”, that was the most correct thing you got to.
This it is NOT the same error as 403 forbidden, it means “you managed to connect, but there is an issue on you windows host and the exchange plugin is not working”
can you please be sure to be at that point consistently?, it was a regression when you got a 403 on your last post
when you are sure to get that “cannot load module”, there is more debugging to do apparently.
next is your installation of centreon-plugins.exe in your nsclient, and maybe it is not up to date :
easy fix, just download it from here : Releases · centreon/centreon-nsclient-build (github.com) and put it in the right nsclient folder.
or maybe there is an issue on you windows host preventing the plugin to create its temporary working folder in c:\windows\temp\par----- (which could come from an antivirus for example)
when you got the “unknown error : cannot load module --plugin….”, that was the most correct thing you got to.
This it is NOT the same error as 403 forbidden, it means “you managed to connect, but there is an issue on you windows host and the exchange plugin is not working”
can you please be sure to be at that point consistently?, it was a regression when you got a 403 on your last post
when you are sure to get that “cannot load module”, there is more debugging to do apparently.
next is your installation of centreon-plugins.exe in your nsclient, and maybe it is not up to date :
easy fix, just download it from here : Releases · centreon/centreon-nsclient-build (github.com) and put it in the right nsclient folder.
or maybe there is an issue on you windows host preventing the plugin to create its temporary working folder in c:\windows\temp\par----- (which could come from an antivirus for example)
it's really strange in the centreon web interface I have "cannot load module" but when I enter the command in the central server I get the 403 error.
I can't understand why the same command would produce two different messages.
I didn’t want to delve here.
I don’t know your infrastructure, do you have a central with pollers? if yes you should run the command from the poller, not the central (there may be an issue with the ‘allowed host’ in the nsclient.ini, or local windows FW issues)
and whatever your infra is like, there may be issue with command line you typed in the shell, be sure to get the one generated by centreon (from the resource detail panel in the bottom with the “copy” button), and be sure to be admin to be able to get the correct password in that command line
but that is a different issue ; it doesn’t help for the debugging of the plugin, but if you get the cannot load module on the web interface at least something is working
for debugging purpose, please paste this command line (hide your password), I have an exchange somewhere, I’ll try your command “as is” with my password and IP
I didn’t want to delve here.
I don’t know your infrastructure, do you have a central with pollers? if yes you should run the command from the poller, not the central (there may be an issue with the ‘allowed host’ in the nsclient.ini, or local windows FW issues)
and whatever your infra is like, there may be issue with command line you typed in the shell, be sure to get the one generated by centreon (from the resource detail panel in the bottom with the “copy” button), and be sure to be admin to be able to get the correct password in that command line
but that is a different issue ; it doesn’t help for the debugging of the plugin, but if you get the cannot load module on the web interface at least something is working
for debugging purpose, please paste this command line (hide your password), I have an exchange somewhere, I’ll try your command “as is” with my password and IP
My central is my poller, db centreon , we got everything on it even bam except map & mbi
i updated the centreon-plugins.exe in ns client folder and now the answer is different
you went back to “can’t connect” and “connexion refused”, which is not good. replacing centreon-plugins.exe in the script subfolder should not impact NSCLIENT, you don’t even have to restart it.
if you didn’t modify the nsclient.ini this really looks like there is something interfering with the https on tcp8443 on your windows hosts
this is a network problem or config problem on the windows side 
(are you sure about the cause “1” I listed in a previous post above, about multiple service/program using the TCP8443 port?)
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.