nrpe Windows monitoring SSL handshake error

jcalvo
Junior Member
Posts: 7
Joined: Tue Aug 27, 2019 7:26 pm

nrpe Windows monitoring SSL handshake error

Post by jcalvo »

Hi community.
I saw something like this but on Linux, this is on a Windows server 2008 and 2012.

root@nems:/usr/local/nagios/libexec# ./check_nrpe -H 192.168.XX.X
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.XX.X: 1

But on the NEMS itself it looks fine:
./check_nrpe -H localhost
NRPE v3.2.1

-------------------------------------------------------------------------------------------------------------------------

This is the nrpe version:

root@nems:/usr/lib/nagios/plugins# /usr/lib/nagios/plugins/check_nrpe --help

NRPE Plugin for Nagios
Version: 3.2.1

Copyright (c) 2009-2017 Nagios Enterprises
              1999-2008 Ethan Galstad ([email protected])

Last Modified: 2017-09-01

License: GPL v2 with exemptions (-l for more info)

SSL/TLS Available: OpenSSL 0.9.6 or higher required

- NS Client version on the Windows client:
0.4.3.143
A newer version does not work at all, that's why I have this version.

- NS Client log shows this:
2019-08-27 12:20:28: error:D:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connection: sslv3 alert handshake failure: 1040

- Firewall is OFF on the client

- nsclient.ini :

# If you want to fill this file with all avalible options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; Undocumented section
[/settings/default]

; ALLOWED HOSTS - A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 127.0.0.1,::1,192.168.XX.XXX


; Undocumented section
[/settings/NRPE/server]

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  default-workarounds    Various workarounds for what I understand to be broken ssl implementations no-sslv2    Do not use the SSLv2 protocol. no-sslv3    Do not use the SSLv3 protocol. no-tlsv1    Do not use the TLSv1 protocol. single-dh-use    Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).   
ssl options =

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  none    The server will not send a client certificate request to the client, so the client will not send a certificate. peer    The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert    if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert    Alias for peer and fail-if-no-cert. workarounds    Various bug workarounds. single    Always create a new key when using tmp_dh parameters. client-once    Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer   
verify mode = none

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true


; Undocumented section
[/modules]

; NRPEServer - A server that listens for incoming NRPE connection and processes incoming requests.
NRPEServer = 1

; CheckSystem - Various system related checks, such as CPU load, process state, service state memory usage and PDH counters.
CheckSystem = 1

; NSClientServer - A server that listens for incoming check_nt connection and processes incoming requests.
NSClientServer = 1

; CheckExternalScripts - Execute external scripts
CheckExternalScripts = 1

; CheckHelpers - Various helper function to extend other checks.
CheckHelpers = 1

; NSCAClient - NSCA client can be used both from command line and from queries to submit passive checks via NSCA
NSCAClient = 1

; CheckEventLog - Check for errors and warnings in the event log.
CheckEventLog = 1

; CheckNSCP - Use this module to check the healt and status of NSClient++ it self
CheckNSCP = 1

; CheckDisk - CheckDisk can check various file and disk related things.
CheckDisk = 1


; A list of templates for wrapped scripts. %SCRIPT% will be replaced by the actual script an %ARGS% will be replaced by any given arguments.
[/settings/external scripts/wrappings]

; POWERSHELL WRAPPING -
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -

; BATCH FILE WRAPPING -
bat = scripts\\%SCRIPT% %ARGS%

; VISUAL BASIC WRAPPING -
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%


; A list of aliases available. An alias is an internal command that has been predefined to provide a single command without arguments. Be careful so you don't create loops (ie check_loop=check_a, check_a=check_loop)
[/settings/external scripts/alias]

; alias_volumes_loose - Alias for alias_volumes_loose. To configure this item add a section called: /settings/external scripts/alias/alias_volumes_loose
alias_volumes_loose = check_drivesize

; alias_volumes - Alias for alias_volumes. To configure this item add a section called: /settings/external scripts/alias/alias_volumes
alias_volumes = check_drivesize

; alias_up - Alias for alias_up. To configure this item add a section called: /settings/external scripts/alias/alias_up
alias_up = check_uptime

; alias_sched_all - Alias for alias_sched_all. To configure this item add a section called: /settings/external scripts/alias/alias_sched_all
alias_sched_all = check_tasksched show-all "syntax=${title}: ${exit_code}" "crit=exit_code ne 0"

; alias_process_stopped - Alias for alias_process_stopped. To configure this item add a section called: /settings/external scripts/alias/alias_process_stopped
alias_process_stopped = check_process "process=$ARG1$" "crit=state != 'stopped'"

; alias_service - Alias for alias_service. To configure this item add a section called: /settings/external scripts/alias/alias_service
alias_service = check_service

; alias_process_hung - Alias for alias_process_hung. To configure this item add a section called: /settings/external scripts/alias/alias_process_hung
alias_process_hung = check_process "filter=is_hung" "crit=count>0"

; alias_process_count - Alias for alias_process_count. To configure this item add a section called: /settings/external scripts/alias/alias_process_count
alias_process_count = check_process "process=$ARG1$" "warn=count > $ARG2$" "crit=count > $ARG3$"

; alias_process - Alias for alias_process. To configure this item add a section called: /settings/external scripts/alias/alias_process
alias_process = check_process "process=$ARG1$" "crit=state != 'started'"

; alias_mem - Alias for alias_mem. To configure this item add a section called: /settings/external scripts/alias/alias_mem
alias_mem = check_memory

; alias_file_size - Alias for alias_file_size. To configure this item add a section called: /settings/external scripts/alias/alias_file_size
alias_file_size = check_files "path=$ARG1$" "crit=size > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename] ${size}" max-dir-depth=10

; alias_disk - Alias for alias_disk. To configure this item add a section called: /settings/external scripts/alias/alias_disk
alias_disk = check_drivesize

; alias_cpu_ex - Alias for alias_cpu_ex. To configure this item add a section called: /settings/external scripts/alias/alias_cpu_ex
alias_cpu_ex = check_cpu "warn=load > $ARG1$" "crit=load > $ARG2$" time=5m time=1m time=30s

; alias_file_age - Alias for alias_file_age. To configure this item add a section called: /settings/external scripts/alias/alias_file_age
alias_file_age = check_files "path=$ARG1$" "crit=written > $ARG2$" "top-syntax=${list}" "detail-syntax=${filename] ${written}" max-dir-depth=10

; alias_cpu - Alias for alias_cpu. To configure this item add a section called: /settings/external scripts/alias/alias_cpu
alias_cpu = check_cpu

; alias_event_log - Alias for alias_event_log. To configure this item add a section called: /settings/external scripts/alias/alias_event_log
alias_event_log = check_eventlog

; alias_service_ex - Alias for alias_service_ex. To configure this item add a section called: /settings/external scripts/alias/alias_service_ex
alias_service_ex = check_service "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc

; alias_disk_loose - Alias for alias_disk_loose. To configure this item add a section called: /settings/external scripts/alias/alias_disk_loose
alias_disk_loose = check_drivesize

; alias_sched_task - Alias for alias_sched_task. To configure this item add a section called: /settings/external scripts/alias/alias_sched_task
alias_sched_task = check_tasksched show-all "filter=title eq '$ARG1$'" "detail-syntax=${title} (${exit_code})" "crit=exit_code ne 0"

; alias_sched_long - Alias for alias_sched_long. To configure this item add a section called: /settings/external scripts/alias/alias_sched_long
alias_sched_long = check_tasksched "filter=status = 'running'" "detail-syntax=${title} (${most_recent_run_time})" "crit=most_recent_run_time < -$ARG1$"

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

THX!!
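
An added example, not part of the original post and not NSClient++ code: a small Python check that reads the [/settings/NRPE/server] keys shown in the nsclient.ini above and reports the settings that weaken the NRPE transport. The function name audit_nrpe_transport and the sample text are constructed for illustration; the key and flag names are taken from the posted file and its comments.

```python
import configparser

# Constructed sample: the transport-related lines of the nsclient.ini posted above.
SAMPLE_INI = """\
[/settings/default]
allowed hosts = 127.0.0.1,::1,192.168.XX.XXX

[/settings/NRPE/server]
ssl options =
verify mode = none
insecure = true
"""

NRPE_SECTION = "/settings/NRPE/server"

def _flags(value):
    """Split a comma separated option value into a set of lowercase flags."""
    return {f.strip().lower() for f in value.split(",") if f.strip()}

def audit_nrpe_transport(ini_text):
    """Return (key, finding) tuples for weak NRPE transport settings."""
    # interpolation=None: the full file contains literal % signs (e.g. %SCRIPT%).
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section(NRPE_SECTION):
        return [("section", f"[{NRPE_SECTION}] not found")]
    srv = cp[NRPE_SECTION]
    findings = []
    # Only an explicit true/1 is flagged; a missing key is not judged here.
    if srv.get("insecure", "").strip().lower() in ("true", "1"):
        findings.append(("insecure", "insecure ciphers and encryption are allowed"))
    # peer-cert is described in the file as an alias for peer + fail-if-no-cert.
    # Assumption: a missing key is treated like "none".
    verify = _flags(srv.get("verify mode", ""))
    if not ("peer-cert" in verify or {"peer", "fail-if-no-cert"} <= verify):
        findings.append(("verify mode", "client certificate is not required"))
    ssl_opts = _flags(srv.get("ssl options", ""))
    for flag in ("no-sslv2", "no-sslv3"):
        if flag not in ssl_opts:
            findings.append(("ssl options", f"{flag} is not set"))
    hosts = cp.get("/settings/default", "allowed hosts", fallback="")
    if any("*" in h for h in _flags(hosts)):
        findings.append(("allowed hosts", "wildcard entry in allowed hosts"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_nrpe_transport(SAMPLE_INI):
        print(f"{key}: {finding}")
```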
Scanner
Junior Member
Posts: 1
Joined: Thu Sep 19, 2019 7:02 am

RE: nrpe Windows monitoring SSL handshake error

Post by Scanner »

I spent the last 3 days trying to wrap my head around this system. I'm a newbie at this, so here goes.
As there is no documentation yet on adding hosts and services, most of this is trial and error.

I tested this on Win 7, Server 2008 and Server 2019, and in all cases had SSL errors, but only for these three services. The rest are fine.
Check disk space of /var                               CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.10.66: 1
Check the root filesystem disk space             CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.10.66: 1
Memory Usage NRPE                                    CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.10.66: 1

All of these services are running the command check_nrpe, whereas the other services (the ones that are OK) do not; they have their own check_***

I haven't tested this on Linux as all the servers I need to monitor are Windows.
For now I can remove those offending services from the hosts, as I'm guessing they are being duplicated and do not apply to Windows systems.
"Check the root filesystem disk space" is already covered by "C:\Drive Space"
"Memory Usage NRPE" is covered by "memory usage"
I have no idea what "Check disk space of /var" is all about.
whittakerj
Junior Member
Posts: 7
Joined: Mon Sep 16, 2019 10:19 pm

RE: nrpe Windows monitoring SSL handshake error

Post by whittakerj »

I don't remember exactly what I did to fix mine but I saved this link which ultimately helped me resolve it. 

https://github.com/NagiosEnterprises/nrpe/issues/173