NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

Problem with active checks on MacOS 13.3.1 #940

Closed Fatboydrunk closed 5 months ago

Fatboydrunk commented 1 year ago

I have installed the NCPA 2.4.1 on MacOS 13.3.1. But the active checks (check_ncpa.py) from my nagios core server are returning: An error occurred:HTTP Error 500: INTERNAL SERVER ERROR

Is the agent compatible with MacOS 13.3.1?

MrPippin66 commented 1 year ago

What are the NCPA logs showing?

Fatboydrunk commented 1 year ago

I can't see any logs, it's meant to be in /var/log/ncpa_listener.log but the log file isn't there.

I think the problem is to do with a TLS mismatch. If I run a curl the nagios server: curl -vik https://192.168.40.40:5693/api/system/agent_version?token=mytoken

The output is:

MrPippin66 commented 1 year ago

What TLS settings did you select on the client side in NCPA?

What are you running the check_ncpa client on?

MrPippin66 commented 1 year ago

FYI, since this is Unix, if you run the NCPA listener in non-daemon mode, you should get more details of the TLS negotiation issue from the terminal you run it on.

Fatboydrunk commented 1 year ago

TLSv1.2 on the client. Nagios core running on Ubuntu

MrPippin66 commented 1 year ago

Can you expand on that? What are these settings on the NCPA client?

ssl_ciphers
ssl_version

Fatboydrunk commented 1 year ago

ssl_ciphers is commented out
ssl_version = TLSv1_2

MrPippin66 commented 1 year ago

You don't have any ciphers specified? Or are you saying this is just a default install of the agent with no config file customization?

In any case, I'd again recommend running the listener from the command line in non-daemon mode. You'll get all the SSL errors reported to the terminal you're running the command in.

Alternatively, and I suspect you'll get the same issue, is doing an "openssl s_client --connect <server>:5693" and you'll get the connection details.

But I suspect the openssl library on your ubuntu server may be running with a secure configuration that's preventing any compatible ciphers the agent is running on your OSX system.

Fatboydrunk commented 1 year ago

The problem I have found is that changes to the ncpa.cfg don't take effect. When I change the TLS version it always stays on TLSv1.

The difference with this mac compared to the others that are working fine, is it has an M chip and not Intel. And I had to install Rosetta 2 to install the agent.

Just wondering if it is compatible with the Macs with M chips?

```
2023-04-19 14:09:30,536 566 INFO started ncpa_listener, version: 2.4.1
2023-04-19 14:09:30,536 566 INFO Using SSL version TLSv1
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/gevent/greenlet.py", line 536, in run
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/gevent/baseserver.py", line 26, in _handle_and_close_when_done
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/gevent/server.py", line 174, in wrap_socket_and_handle
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/gevent/_sslgte279.py", line 695, in wrap_socket
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/gevent/_sslgte279.py", line 270, in init
SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:661)
Wed Apr 19 14:09:49 2023 <Greenlet at 0x1103849b0: _handle_and_close_when_done(<bound method WSGIServer.wrap_socket_and_handle of, <bound method WSGIServer.do_close of <WSGIServer a, (<socket at 0x11106f7d0 fileno=[Errno 9] Bad file )> failed with SSLError
```

MrPippin66 commented 1 year ago

Are you restarting the ncpa_listener after updating the config? The above indicates you are, but just making sure.

Edit: Ugh, just saw the timestamp. Clearly, you did.

Then I SUSPECT the issue is the openssl version that was bundled in the 2.4.1 build. Someone who was involved in the build will need to comment at this point.

MrPippin66 commented 1 year ago

And I agree, at this point, there needs to be an x86 and ARM version for the MACOS platforms.

Fatboydrunk commented 1 year ago

As the active checks aren't working, I have now configured passive checks, which are working fine. But I would prefer to use the active checks

chriscareycode commented 1 year ago

Same issue. On MacOS 13.4, the ssl_version = TLSv1_2 does not work and it defaults back to "Using SSL version TLSv1".

This also prevents the ability to load the local webui at https://localhost:5693/ With error: localhost uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I verified that it is reading the config file ncpa.cfg, by modifying the logfile path, and it did write the new file I specified. Tested using: sudo ./ncpa_listener -n -c /usr/local/ncpa/etc/ncpa.cfg (though sudo launchctl start com.nagios.ncpa.listener and sudo launchctl stop com.nagios.ncpa.listener works fine also)

I'm wondering if we can install a ssl package with brew to get this fixed?
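A small check for the symptom reported in this thread (`ssl_version = TLSv1_2` in ncpa.cfg while the listener logs "Using SSL version TLSv1"), added here as an example; it is not part of any comment above or of NCPA itself. It assumes `ssl_version` sits in the `[listener]` section and that the log spells protocol versions the same way the config does; the sample config and log are constructed from the lines quoted in the thread.

```python
import configparser
import re

# Constructed sample input, modelled on the config value and log lines quoted in this thread.
SAMPLE_CFG = """\
[listener]
port = 5693
ssl_version = TLSv1_2
# ssl_ciphers = <commented out>
"""

SAMPLE_LOG = """\
2023-04-19 14:09:30,536 566 INFO started ncpa_listener, version: 2.4.1
2023-04-19 14:09:30,536 566 INFO Using SSL version TLSv1
SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:661)
"""

USING_RE = re.compile(r"INFO Using SSL version (\S+)")
HANDSHAKE_ERR_RE = re.compile(r"SSLError: \[SSL: ([A-Z0-9_]+)\]")
# TLS 1.0/1.1 are deprecated (RFC 8996); the spellings here are assumed to match the log.
DEPRECATED = ("SSLv3", "TLSv1", "TLSv1_1")


def configured_version(cfg_text, section="listener"):
    """Return ssl_version from the config text, or None if unset or commented out."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get(section, "ssl_version", fallback=None)


def audit(cfg_text, log_text):
    """Compare the configured TLS version with what the listener logged at startup."""
    wanted = configured_version(cfg_text)
    started = USING_RE.findall(log_text)
    actual = started[-1] if started else None  # most recent startup wins
    findings = []
    if wanted and actual and wanted != actual:
        findings.append("config asks for %s but listener started with %s" % (wanted, actual))
    if actual in DEPRECATED:
        findings.append("listener is offering deprecated protocol %s" % actual)
    for reason in sorted(set(HANDSHAKE_ERR_RE.findall(log_text))):
        findings.append("handshake failures logged: %s" % reason)
    return {"configured": wanted, "actual": actual, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_CFG, SAMPLE_LOG)["findings"]:
        print(line)
```

Run against the real ncpa.cfg and listener log after each restart, this makes a silent fallback to TLSv1 visible before the monitoring server starts reporting HTTP or handshake errors.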

phreditorNG commented 1 year ago

Hey @Fatboydrunk, @chriscareycode: Sorry for your struggles. It seems likely that you would start running into these kinds of problems on newer MacOS since they tend to enforce a minimal level of security out of the box.

Since we bundle almost all dependencies in the NCPA app so it will run almost anywhere without requiring significant changes to the server, including OpenSSL, installing OpenSSL via Brew won't help unless you do some serious hacking.

NCPA v3.0.0, currently in beta, includes OpenSSL 3+ on all supported platforms, even oldies like CentOS 7. We've just gotten MacOS (Intel-based, Catalina+) programmed and the build infrastructure set up. I'm not sure exactly when it will be available, but I will look into it, and let this forum know, shortly.

Phred

phreditorNG commented 11 months ago

Hey @Fatboydrunk, @chriscareycode: You can download the public beta for NCPA v3.0.0 at: https://www.nagios.org/ncpa/

Fatboydrunk commented 11 months ago

I can confirm that NCPA v3.0.0 is working on my Mac M1 chip MacOS 13.5 with active checks. Thanks for your help @phreditorNG