5

I'm trying to configure Nagios command for checking status of physical memory on a remote Windows host using NRPE plugin. I'm using Nagios v3.0.6 on Ubuntu Server v14.10, and latest stable version of NSClient++ 0.4.3. Here are the snippets from the config files:

define command {
          command_name check_ph_mem
          command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -p 5666 -c CheckMEM -a MaxWarn=$ARG1$% MaxCrit=$ARG2$% ShowAl$
}

and

define service{
        host_name               remote-win-host
        service_description     Check Memory NRPE
        check_command           check_ph_mem
        use                     generic-service
}

Nagios could not retrieve any information from this command because when I execute 

/usr/lib/nagios/plugins/check_nrpe -H  192.168.1.150

it gives back following error:

CHECK_NRPE: Error - Could not complete SSL handshake.

I've tried with reconfiguring part of C:\Program Files\NSClient++\nsclient.ini in following way:

[/settings/NRPE/server]

allow arguments = true

allowed hosts = 192.168.1.15

port = 5666

but it gives back the same error. I've already read dozens similar topics and tried different advices, but I still have the same issue.

Do you have any idea how to fix this?

Marko
  • 51
  • 1
  • 1
  • 3
  • The version of check_nrpe (2.10? 2.12?) in Ubuntu 9.10 might be too old to work with the 0.4 branch of nsclient++. Can you try a newer/supported version of Ubuntu? – Keith Feb 17 '15 at 17:20
  • I've tried with new version of Ubuntu 14.10 server, but problem remains. Ubuntu version (in question) is changed from 9.10 to 14.10 . – Marko Feb 18 '15 at 12:15

4 Answers4

7

If you are using NSCP-0.4.3.x (rather then NSCP-0.4.2.x) on your Windows Host, then certificate based authentication became the default authentication method. That´s why your check isn´t working. To work around the issue you need to add the following to your config:

[/settings/NRPE/server]
insecure = true

After that you need to restart the NSClient++ Service. More infos can be found here (6.1 What is insecure mode)

BastianW
  • 2,848
  • 4
  • 19
  • 34
4

In my case I had to add under:

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.

the next two lines:

insecure = true

allow arguments = true

and change under:

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket

from 

verify mode = peer-cert

to

verify mode = none
SysManSD
  • 41
  • 2
1

Using NSClient++ 0.5.2.39 and check_nrpe 3.2.1, here's what worked for me:

  1. Generate DH key on Linux machine (it takes a long time)

    openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'

  2. Paste your DH key to newly created file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

  3. Edit C:\Program Files\NSClient++\nsclient.ini:

    [/settings/NRPE/server]
dh = ${certificate-path}/nrpe_dh_2048.pem

  4. Restart NSClient++ service: net stop nscp && net start nscp

This is based on the wonderful article http://hodza.net/2019/09/21/failed-to-establish-secure-connection-sslv3-alert-handshake-failure-1040/

simon04
  • 325
  • 2
  • 5
0

Edit your nsclient.ini file and set parameter as below, its work for me:

[/settings/NRPE/server]
allow arguments = 1
allow nasty_meta chars = 1
allowed hosts = 10.10.83.94,127.0.0.1
port = 5666
use SSL = 1   
ssl options = no-sslv2,no-sslv3  
verify mode = none
insecure = true
Drifter104
  • 3,693
  • 2
  • 22
  • 39
Avinash
  • 1
  • 1