mickem / nscp

NSClient++
http://nsclient.org
GNU General Public License v2.0

CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with x.x.x.x: 1 #809

Open Lasejix opened 1 year ago

Lasejix commented 1 year ago

This weekend there was an update of Centreon (from 22.04 to 23.04.8-1).

Since those updates, one of my NRPE supervisions no longer works against my Windows Server 2012 (there were also security updates on this Windows 2012 server this week), but it works well against another Windows server (2016).

Here is the command :

 /usr/lib64/nagios/plugins/check_centreon_nrpe3 -H x.x.x.x -p 5666 -t 30 -A /etc/ssl/certs/centreon-nrpe/nrpe_ca_cert.pem -C /etc/ssl/certs/centreon-nrpe/nrpe_client_cert.pem -K /etc/ssl/certs/centreon-nrpe/nrpe_client.key -u -2 -c check_files -a "paths=c://test/" "pattern=*.txt" "warning=0" "critical=count>0" top-syntax='${status}: ${count} fichier(s) de plus de 5min trouvé(s) (${problem_list})' detail-syntax='${name}' filter="written < -600s" empty-state=ok empty-syntax='${status}: ${problem_count} file(s) found'

Expected Behavior

OK: 0 file(s) found

Actual Behavior

CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with x.x.x.x: 1

Details

Additional Details

NSClient.ini:

```ini
[/settings/log]
level = info
date format = %Y-%m-%d %H:%M:%S
file name = ${exe-path}/nsclient.log

[/settings/log/file]
max file = 2048000

[/modules]
NRPEServer = 1
WEBServer = 0
CheckDisk = 1
CheckEventLog = 1
CheckExternalScripts = 1
CheckHelpers = 1
CheckNSCP = 1
CheckSystem = 1
CheckTaskSched = 1
CheckNet = 1

[/settings/NRPE/server]
allowed hosts = poller-1.x.net,poller-2.x.net,poller-1.dev.x.net
port = 5666
verify mode = peer-cert
allow arguments = true
allow nasty characters = true
insecure = false
ssl options = no-sslv2,no-sslv3
dh = none
certificate = C:\Program Files\Centreon NSClient++\security\nrpe_client_cert.pem
ca = C:\Program Files\Centreon NSClient++\security\nrpe_ca_cert.pem
certificate key = C:\Program Files\Centreon NSClient++\security\nrpe_client.key
allowed ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[/settings/external scripts]
allow arguments = 1
allow nasty characters = 1

[/settings/external scripts/scripts/default]
ignore perfdata = true

[/settings/external scripts/scripts]
;check_custom=\
```

NSClient++ log:

2023-09-26 11:05:02: error:c:\source\0.5.2\modules\NRPEServer\NRPEServer.cpp:121: DH key not found: none
2023-09-26 11:05:03: error:c:\source\0.5.2\include\socket/server.hpp:217: Failed to bind 0.0.0.0:5666(ipv4): An attempt was made to access a socket in a way forbidden by its access permissions
2023-09-26 11:05:03: error:c:\source\0.5.2\include\socket/server.hpp:165: Failed to setup endpoint

I checked on the Windows Server 2012: the firewall is still the same, no new rules. Port 5666 is still open and listening.

```
PS C:\Users\XXX> netstat -aon | findstr ":5666" | findstr "LISTENING"
TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 796
TCP 0.0.0.0:5666 0.0.0.0:0 LISTENING 9052
TCP [::]:5666 [::]:0 LISTENING 796
```

Do you have a solution? Or even an idea?

Prathameshhankare commented 4 months ago

I faced a similar problem; this is due to the DH key size mismatch. I had to change the DH key from a 512-bit to a 2048-bit DH key and change the config file to use the new 2048-bit key instead of the default 512-bit key. Since I had 1000+ servers on which I had to make these changes, I created a PowerShell script which you can use to solve yours.

https://github.com/Prathameshhankare/nsclientpp_dh-key-updater
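An added example, not part of the thread and not code from NSClient++ or the linked repository: a Python check that reads the `dh` value from `[/settings/NRPE/server]` and measures the prime in the PEM `DH PARAMETERS` file it points to, the two things the comment above changed. The 2048-bit threshold follows that comment; `audit`, `sample_pem`, the injected `read_file` callback and the sample inputs are assumptions made for this example.

```python
import base64, configparser, re
MIN_DH_BITS = 2048  # assumption: threshold taken from the comment above (512-bit replaced by 2048-bit)
ISSUE_INI = "[/settings/NRPE/server]\nport = 5666\ninsecure = false\ndh = none\n"  # excerpt from the issue

def _tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block (SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = _tlv(base64.b64decode("".join(m.group(1).split())))
    ptag, p, _ = _tlv(seq)
    if (tag, ptag) != (0x30, 0x02):
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(p, "big").bit_length()

def nrpe_dh_setting(ini_text):
    """Value of 'dh' in [/settings/NRPE/server]; ${...} path placeholders are not expanded."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return cp.get("/settings/NRPE/server", "dh", fallback=None)

def audit(ini_text, read_file):
    """read_file(path) -> PEM text; injected so the check also runs on collected copies."""
    dh = nrpe_dh_setting(ini_text)
    try:
        bits = dh_prime_bits(read_file(dh))
    except (OSError, LookupError, TypeError, ValueError):
        return f"FAIL: dh = {dh!r} does not resolve to a DH PARAMETERS file"
    return f"{'OK' if bits >= MIN_DH_BITS else 'WEAK'}: {dh} has a {bits}-bit prime"

def sample_pem(bits):
    """Constructed test input: p has the requested size but is NOT a real DH prime."""
    def der(tag, body):
        size = len(body).to_bytes(2, "big").lstrip(b"\0")
        ln = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
        return bytes([tag]) + ln + body
    integer = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    body = base64.encodebytes(der(0x30, integer((1 << (bits - 1)) | 1) + integer(2))).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{body}-----END DH PARAMETERS-----\n"
```

On a host, `audit(open(ini_path).read(), lambda p: open(p).read())` runs the same check against the real files; with the issue's `dh = none` it returns the `FAIL` line, consistent with the `DH key not found: none` entry in the posted log.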