
[centreon 22.04] centreon_plugin.pl nrpe SSL issue

Open ASLLR opened this issue 1 year ago • 6 comments

Hi everyone,

I am working on a migration from eon to centreon. Historically on eon we used the check_nrpe plugin to check our machines with this command for example ./check_nrpe -H thehostname -c check_cpu

Now, I want to use the centreon_plugin with this command: centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --custommode=nrpe --mode=query --hostname thehostname --command check_cpu

On the client side (it's the server) we use NRPE - Nagios Remote Plugin Executor Version: 4.0.3. The nrpe.cfg file does not have any SSL option configured.

If I launch the centreon command without changes I get this message: UNKNOWN: No response from remote host

On the client (server) we have: Error: (!log_opts) Could not complete SSL handshake with XX.XX.XX.XX: 1

I have read issue #1666, and if I add the SSL options: --ssl-opt="SSL_cipher_list => 'ALL'" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" the result is UNKNOWN: Failed to establish SSL connection: , ssl_error=SSL connect attempt failed error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The only way to make it work is, on the client side, adding -n to the NRPE_OPTS field in /etc/default/nagios-nrpe-server.

I can see in tcpdump the difference between the eon check and the centreon check. Eon does a TLSv1.2 handshake and centreon does nothing.

But I don't want to lower my security level with this migration. Do you have any idea?

Thank you in advance

ASLLR avatar Aug 16 '22 09:08 ASLLR

Have you tried to force a cipher: --ssl-opt="SSL_version => 'TLSv1'"? (It will force TLS1.2)

garnier-quentin avatar Aug 16 '22 11:08 garnier-quentin

Hi @garnier-quentin thank you for your answer, the result with this option is UNKNOWN: Failed to establish SSL connection: , ssl_error=SSL connect attempt failed error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Best regards

ASLLR avatar Aug 16 '22 12:08 ASLLR

It's weird. I need to do a session to test it.

garnier-quentin avatar Aug 16 '22 12:08 garnier-quentin

Need to send me an email

garnier-quentin avatar Aug 18 '22 09:08 garnier-quentin

It works if the NRPE agent is configured with SSL parameters: ssl_cacert_file, ssl_cert_file and ssl_privatekey_file.

But this is not required: NRPE can be started without SSL certificates. Here is the debug information:

SSL Certificate File: None
SSL Private Key File: None
SSL CA Certificate File: None
SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
SSL Allow ADH: 0
SSL Client Certs: Don't Ask
SSL Log Options: 0xff
SSL Version: TLSv1 And Above
INFO: SSL/TLS initialized. All network traffic will be encrypted.

And in this case, the "apps::protocols::nrpe::plugin" doesn't work, but the official "check_nrpe" command can connect (and it really seems to be encrypted because it works without the "--no-ssl" option).

I suppose that the NRPE agent and the check_nrpe command can communicate with an old-style encryption mechanism that is not supported by the centreon nrpe plugin.

proxyconcept avatar Sep 07 '22 15:09 proxyconcept
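
An added example, not part of the thread and not code from NRPE or centreon-plugins: a small audit that parses the agent's SSL debug lines quoted in the comment above and reports the settings that leave the channel encrypted but unauthenticated or weakly protected. The function names `parse_ssl_debug` and `audit` and the finding texts are this example's own, and reading "TLSv1 And Above" as "TLS 1.0 is the lowest accepted version" is an assumption.

```python
import re

# Debug lines copied from the comment above.
NRPE_DEBUG = """\
SSL Certificate File: None
SSL Private Key File: None
SSL CA Certificate File: None
SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
SSL Allow ADH: 0
SSL Client Certs: Don't Ask
SSL Log Options: 0xff
SSL Version: TLSv1 And Above
INFO: SSL/TLS initialized. All network traffic will be encrypted.
"""

def parse_ssl_debug(text):
    """Collect 'SSL <name>: <value>' lines into a dict keyed by <name>."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"SSL ([^:]+):\s*(.*)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(settings):
    """Return (setting, finding) pairs; names and wording are this example's own."""
    findings = []
    for key in ("Certificate File", "Private Key File"):
        if settings.get(key, "None") == "None":
            findings.append((key, "agent has no certificate, so a client cannot verify its identity"))
    if settings.get("Client Certs") == "Don't Ask":
        findings.append(("Client Certs", "clients are not authenticated by certificate"))
    level = re.search(r"@SECLEVEL=(\d+)", settings.get("Cipher List", ""))
    if level and int(level.group(1)) == 0:
        findings.append(("Cipher List", "@SECLEVEL=0 disables OpenSSL's minimum-strength checks"))
    # Assumption: 'TLSv1 And Above' means TLS 1.0 is the lowest accepted version.
    if settings.get("Version", "").startswith("TLSv1 "):
        findings.append(("Version", "TLS 1.0 and 1.1 are accepted (deprecated by RFC 8996)"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_ssl_debug(NRPE_DEBUG)):
        print(f"SSL {setting}: {finding}")
```

Running the same audit against the debug output of an agent configured with ssl_cacert_file, ssl_cert_file and ssl_privatekey_file shows which of these findings the certificate setup clears.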

You have an option to change the protocol version: --nrpe-version=3 (by default it's the old version: 2).

garnier-quentin avatar Sep 20 '22 08:09 garnier-quentin