Failed to establish secure connection: sslv3 alert handshake failure: 1040
Debian 10 (Buster) + latest NSClient++ on Windows 2019 server
Linux:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c check_ad
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.24.1.1: 1
Windows:
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
2019-09-21 18:30:48: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040
Quick FIX:
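1. Generate a DH key (DH parameters file) on the Linux machine; this takes a long time. The command prints a PEM block between the BEGIN DH PARAMETERS and END DH PARAMETERS lines.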
openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
2. Paste your DH key into a newly created file
C:\Program Files\NSClient++\security\nrpe_dh_2048.pem
3. Open a command prompt in Windows (as a user with admin privileges) and run these commands:
cd "\Program Files\NSClient++"
nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"
4. Restart NSClient++ service
net stop nscp && net start nscp
Test it:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1
I (0.5.2.35 2018-01-28) seem to be doing fine...
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c ad_status
OK - services: OK. replications: OK. advertising: OK. fsmocheck: OK. ridmanager: OK. machineaccount: OK.
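To confirm that the file pasted in step 2 survived the copy from Linux to Windows and really carries a 2048-bit prime, the PEM block can be decoded and inspected. The following Python code is an added example, not part of the original post or of NSClient++; the function names and the constructed sample (whose p is not a real prime) are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(buf, pos, tag):
    """Read one DER tag-length-value item at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"unexpected DER tag at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return buf[pos:pos + length], pos + length

def dh_param_info(pem_text):
    """Return (bit length of prime p, generator g) from a PEM DH PARAMETERS block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    # Dropping all whitespace tolerates CRLF line endings added by a Windows paste.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    seq, end = _read_tlv(der, 0, 0x30)  # SEQUENCE { INTEGER p, INTEGER g, ... }
    if end != len(der):
        raise ValueError("trailing bytes after DER sequence")
    p_raw, pos = _read_tlv(seq, 0, 0x02)
    g_raw, _ = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_raw, "big").bit_length(), int.from_bytes(g_raw, "big")

def _der(tag, body):
    """Encode one DER item (used only to build the constructed sample)."""
    size = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + size + body

def constructed_sample(bits):
    """Constructed test input with CRLF line endings; p is NOT a real prime, never deploy it."""
    p = (1 << (bits - 1)) | 1
    body = _der(0x02, b"\x00" + p.to_bytes(bits // 8, "big")) + _der(0x02, b"\x02")
    b64 = base64.b64encode(_der(0x30, body)).decode()
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join(["-----BEGIN DH PARAMETERS-----", *chunks, "-----END DH PARAMETERS-----", ""])

if __name__ == "__main__":
    for bits in (512, 2048):
        size, g = dh_param_info(constructed_sample(bits))
        print(f"{size}-bit p, g={g}:", "ok" if size >= 2048 else "below 2048 bits")
```

To check the real file, pass the contents of C:\Program Files\NSClient++\security\nrpe_dh_2048.pem to dh_param_info(); a ValueError means the paste damaged the block.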
Wow, it works!
I have tried about 10 workarounds and none of them works properly – this is a real life saver!!!
Thank you 🙂
13 December, 2019 at 9:16 am
Thank you!
22 December, 2019 at 7:49 pm
Could you share "ad_status" nsclient script, please!
Thank you so much for these troubleshooting steps! Truly a life saver! Worked 100% first shot!
16 January, 2020 at 7:37 pm
https://exchange.nagios.org/directory/Plugins/Operating-Systems/Windows/Active-Directory-(AD)-Check/details
26 January, 2020 at 5:42 pm
Very nice! What if I receive the same error between the Nagios Server and a Linux Client? I’m trying to monitor a linux client using nrpe, but I am receiving the same error CHECK_NRPE: (ssl_err != 5). I tried adding the nrpe_dh_2048.pem file to /etc/nagios/ on the linux client, and setting ssl_version=SSLv3, ssl_client_certs=2 and ssl_cert_file=/etc/nagios/nrpe_dh_2048.pem in nrpe.cfg. It won’t work. Any idea? Thank you!
5 December, 2020 at 1:19 am
Current versions of check_nrpe are incompatible with old nrpe linux servers. I replaced check_nrpe and now I can monitor successfully again. Better a bad encryption than no encryption at all…
If you have Nagios 4 (Debian Buster) like me, you can use the following procedure:
6 December, 2020 at 4:49 pm
# apt install binutils tar wget
# wget http://ftp.cz.debian.org/debian/pool/main/n/nagios-nrpe/nagios-nrpe-plugin_2.15-1_amd64.deb
# ar x nagios-nrpe-plugin_2.15-1_amd64.deb
# tar xvf data.tar.xz
# cp ./usr/lib/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe.jessie
# /usr/lib/nagios/plugins/check_nrpe -H some.machine.local
CHECK_NRPE: (ssl_err != 5) Error – Could not complete SSL handshake with xxx.xxx.xxx.xxx: 1
# /usr/lib/nagios/plugins/check_nrpe.jessie -H some.machine.local
NRPE v2.12
Thank you very much! It worked perfectly.
9 December, 2020 at 2:07 am
Excellent write-up. I am surprised this info can neither be found on NRPE nor on NSClient documentation. Thanks for sharing!
20 August, 2021 at 11:05 am
Amazing brother. Worked like a charm! Thank you so much
5 June, 2023 at 3:18 pm