Hodžův blog

21 Sep

Failed to establish secure connection: sslv3 alert handshake failure: 1040

Debian 10 (Buster) + latest NSClient++ on Windows 2019 server

Linux:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c check_ad
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.24.1.1: 1

Windows:
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:273: Seems we other end is not using ssl: unknown protocol
2019-09-21 18:30:46: error:c:\source\master\include\socket/connection.hpp:274: Please review the ssl option as well as ssl options in settings.
2019-09-21 18:30:48: error:c:\source\master\include\socket/connection.hpp:276: Failed to establish secure connection: sslv3 alert handshake failure: 1040

Quick FIX:
1. Generate a DH key (Diffie-Hellman parameters) on the Linux machine (it takes a long time):
openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'

2. Paste your DH key into a newly created file:
C:\Program Files\NSClient++\security\nrpe_dh_2048.pem

3. Open a command prompt in Windows (as a user with admin privileges) and run these commands:
cd "\Program Files\NSClient++"
nscp settings --path /settings/NRPE/server --key dh --set "${certificate-path}/nrpe_dh_2048.pem"

4. Restart NSClient++ service
net stop nscp && net start nscp

Test it:
root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1
I (0.5.2.35 2018-01-28) seem to be doing fine...

root@nagios:/# /usr/lib/nagios/plugins/check_nrpe -H 172.24.1.1 -c ad_status
OK - services: OK. replications: OK. advertising: OK. fsmocheck: OK. ridmanager: OK. machineaccount: OK.
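
A check for the file produced in steps 1 and 2, added here as an example (it is not part of the original post or of NSClient++): it parses the PEM `DH PARAMETERS` block and reports the size of the prime, so a truncated paste or an undersized prime is caught before the service is restarted. The names `check_dh_pem` and `make_pem` are hypothetical, the two samples are constructed, and primality is not tested.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _read(der, i, tag):
    """Read the DER element with this tag at offset i: (content, next offset)."""
    if der[i] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {i}")
    n, i = der[i + 1], i + 2
    if n >= 0x80:  # long form: low 7 bits give the size of the length field
        k = n & 0x7F
        n, i = int.from_bytes(der[i:i + k], "big"), i + k
    if i + n > len(der):
        raise ValueError("element runs past the end of the data")
    return der[i:i + n], i + n

def check_dh_pem(text, min_bits=2048):
    """Return (bit length of p, problems) for a PKCS#3 DH PARAMETERS PEM."""
    m = PEM_RE.search(text)
    if not m:
        return 0, ["no complete DH PARAMETERS block found"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        seq, _ = _read(der, 0, 0x30)    # SEQUENCE { p INTEGER, g INTEGER, ... }
        p_raw, i = _read(seq, 0, 0x02)
        g_raw, _ = _read(seq, i, 0x02)
    except (ValueError, IndexError) as exc:
        return 0, [f"truncated or invalid DER: {exc}"]
    p, g = int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is {p.bit_length()} bits, below {min_bits}")
    if p % 2 == 0 or not 1 < g < p - 1:
        problems.append("p is even or g is out of range")
    return p.bit_length(), problems

def make_pem(p, g=2):
    """Encode (p, g) as PEM; only used to build the constructed samples."""
    def tlv(tag, body):
        n, k = len(body), (len(body).bit_length() + 7) // 8
        head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + head + body
    ints = b"".join(tlv(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, g))
    b64 = base64.b64encode(tlv(0x30, ints)).decode()
    rows = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{rows}\n-----END DH PARAMETERS-----\n"
# Constructed samples, not real parameters: a 127-bit prime and a 2048-bit odd composite.
WEAK_PEM, SIZE_OK_PEM = make_pem(2**127 - 1), make_pem(2**2047 + 1)
```

Pass the text of nrpe_dh_2048.pem to `check_dh_pem`; an empty problem list means the block is complete and the prime has the expected size. `openssl dhparam -in nrpe_dh_2048.pem -check -noout` additionally tests the parameters themselves.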

9 Responses to “Failed to establish secure connection: sslv3 alert handshake failure: 1040”

  1. Jakub Štajner Says:

    Wow, it works!
    I have tried about 10 workarounds and none of them works properly – this is a real life saver!!!

    Thank you 🙂

  2. Aleksander Says:

    Thank you!
    Could you share the "ad_status" nsclient script, please!

  3. Richard Durivage Says:

    Thank you so much for these troubleshooting steps! Truly a life saver! Worked 100% first shot!

  4. admin Says:

    https://exchange.nagios.org/directory/Plugins/Operating-Systems/Windows/Active-Directory-(AD)-Check/details

  5. Daniel Says:

    Very nice! What if I receive the same error between the Nagios Server and a Linux Client? I’m trying to monitor a linux client using nrpe, but I am receiving the same error CHECK_NRPE: (ssl_err != 5). I tried adding the nrpe_dh_2048.pem file to /etc/nagios/ on the linux client, and setting ssl_version=SSLv3, ssl_client_certs=2 and ssl_cert_file=/etc/nagios/nrpe_dh_2048.pem in nrpe.cfg. It won’t work. Any idea? Thank you!

  6. admin Says:

    Current versions of check_nrpe are incompatible with old nrpe linux servers. I replaced check_nrpe and now I can monitor successfully again. Better a bad encryption than no encryption at all…

    If you have Nagios 4 (Debian Buster) like me, you can use the following procedure:
    # apt install binutils tar wget
    # wget http://ftp.cz.debian.org/debian/pool/main/n/nagios-nrpe/nagios-nrpe-plugin_2.15-1_amd64.deb
    # ar x nagios-nrpe-plugin_2.15-1_amd64.deb
    # tar xvf data.tar.xz
    # cp ./usr/lib/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe.jessie
    # /usr/lib/nagios/plugins/check_nrpe -H some.machine.local
    CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with xxx.xxx.xxx.xxx: 1
    # /usr/lib/nagios/plugins/check_nrpe.jessie -H some.machine.local
    NRPE v2.12

  7. Daniel Donath Says:

    Thank you very much! It worked perfectly.

  8. Claudio Says:

    Excellent write-up. I am surprised this info can neither be found on NRPE nor on NSClient documentation. Thanks for sharing!

  9. Prathamesh Says:

    The article was really helpful in helping me understand the issue. I recognize that not everyone would be able to or would like to use nrpe plugin 2.15, not to mention that it’s hard to find. The other solution presented is good and more practical than using v2.15. I had to create a PowerShell script to fix my issue. If this helps anyone visiting this page, I would appreciate them checking out my GitHub repo.

    https://github.com/Prathameshhankare/nsclientpp_dh-key-updater
