Hodžův blog

21 Sep

Failed to establish secure connection: sslv3 alert handshake failure: 1040

Debian 10 (Buster) + latest NSClient++ on Windows 2019 server

Linux:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c check_ad
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.24.1.1: 1

Windows:
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
2019-09-21 18:30:48: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040

Quick FIX:
1. Generate DH parameters on the Linux machine (it takes a long time)
openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'

2. Paste the generated DH parameters (the whole BEGIN/END block) into a newly created file
C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

3. Open a command prompt in Windows (as a user with admin privileges) and run these commands:
cd "\Program Files\NSClient++"
nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"

4. Restart NSClient++ service
net stop nscp && net start nscp

Test it:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1
I (0.5.2.35 2018-01-28) seem to be doing fine...

root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c ad_status
OK - services: OK. replications: OK. advertising: OK. fsmocheck: OK. ridmanager: OK. machineaccount: OK.

8 Responses to “Failed to establish secure connection: sslv3 alert handshake failure: 1040”

  1. Jakub Štajner Says:

    Wow, it works!
    I have tried about 10 workarounds and none of them works properly – this is a real life saver!!!

    Thank you 🙂

  2. Aleksander Says:

    Thank you!
    Could you share „ad_status“ nsclient script, please!

  3. Richard Durivage Says:

    Thank you so much for these troubleshooting steps! Truly a life saver! Worked 100% first shot!

  4. admin Says:

    https://exchange.nagios.org/directory/Plugins/Operating-Systems/Windows/Active-Directory-(AD)-Check/details

  5. Daniel Says:

    Very nice! What if I receive the same error between the Nagios Server and a Linux Client? I’m trying to monitor a linux client using nrpe, but I am receiving the same error CHECK_NRPE: (ssl_err != 5). I tried adding the nrpe_dh_2048.pem file to /etc/nagios/ on the linux client, and setting ssl_version=SSLv3, ssl_client_certs=2 and ssl_cert_file=/etc/nagios/nrpe_dh_2048.pem in nrpe.cfg. It won’t work. Any idea? Thank you!

  6. admin Says:

    Current versions of check_nrpe are incompatible with old nrpe linux servers. I replaced check_nrpe and now I can monitor successfully again. Better a bad encryption than no encryption at all…

    If you have Nagios 4 (Debian Buster) like me, you can use the following procedure:
    # apt install binutils tar wget
    # wget http://ftp.cz.debian.org/debian/pool/main/n/nagios-nrpe/nagios-nrpe-plugin_2.15-1_amd64.deb
    # ar x nagios-nrpe-plugin_2.15-1_amd64.deb
    # tar xvf data.tar.xz
    # cp ./usr/lib/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe.jessie
    # /usr/lib/nagios/plugins/check_nrpe -H some.machine.local
    CHECK_NRPE: (ssl_err != 5) Error – Could not complete SSL handshake with xxx.xxx.xxx.xxx: 1
    # /usr/lib/nagios/plugins/check_nrpe.jessie -H some.machine.local
    NRPE v2.12

  7. Daniel Donath Says:

    Thank you very much! It worked perfectly.

  8. Claudio Says:

    Excellent write-up. I am surprised this info can neither be found on NRPE nor on NSClient documentation. Thanks for sharing!
