After upgrade "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with XXX.XXX.XXX.X: 1" for some Windows hosts

bigtrodat · July 17, 2020, 4:04pm

I’ve upgraded my Icinga machine some minutes ago from Debian Stretch to Buster (incl. Icinga2 upgrade to latest version). Since then some checks for Windows machines via check_nrpe fail with “CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with XXX.XXX.XXX.X: 1”

Log shows:
2020 Jul 17 17:55:06 icinga Client TLS handshake failed (to [XXX.XXX.XXX.XXX]:5665): sslv3 alert handshake failure

Corresponding call was:
'/usr/lib/nagios/plugins/check_nrpe' '-2' '-H' 'HOSTNAME.DOMAIN.TLD' '-c' 'CheckFileAge' '-a' '/path:"C:\\FOLDER\\SUBFOLDER" /namefilter:"FILENAME.log" /searchdepth:1 /age:10n /warning:1: /critical:1:'

There are only some Windows machines affected. Those who are affected have an older version of Windows running. Those Windows Server with more recent Windows Versions aren’t affected.

I already updated Icinga agent to latest version as well as NSClient++.
I also double checked, that nsclient.ini still has Icinga Server IP in “allowed hosts” and insecure is allowed.

Any ideas how to fix that?

Best
Daniel

dpkg -l | grep icinga
ii  icinga-l10n                          1.0.0-1.stretch              all          l10n (short for Localization) provides all translations available for Icinga.
ii  icinga2                              2.11.4-1.buster              amd64        host and network monitoring system
ii  icinga2-bin                          2.11.4-1.buster              amd64        host and network monitoring system - daemon
ii  icinga2-common                       2.11.4-1.buster              all          host and network monitoring system - common files
ii  icinga2-ido-mysql                    2.11.4-1.buster              amd64        host and network monitoring system - MySQL support
ii  icingacli                            2.8.1-1.stretch              all          simple CLI tool for Icingaweb2 and its modules
ii  icingaweb2                           2.8.1-1.stretch              all          simple and responsive web interface for Icinga
ii  icingaweb2-common                    2.8.1-1.stretch              all          simple and responsive web interface for Icinga - common files
ii  icingaweb2-module-doc                2.8.1-1.stretch              all          simple and responsive web interface for Icinga - documentation module
ii  icingaweb2-module-monitoring         2.8.1-1.stretch              all          simple and responsive web interface for Icinga - monitoring module
ii  php-icinga                           2.8.1-1.stretch              all          PHP library to communicate with and use Icinga

nexo1960 · July 18, 2020, 7:31am

You either need to downgrade nrpe on your server or enhance the security of your clients:
https://support.nagios.com/forum/viewtopic.php?f=7&t=55582

bigtrodat · July 20, 2020, 10:31am

Since OS Upgrade on client in order to enhance the security of my client was not an option (legacy software is running on these machines), I’ve installed an older version (v.3.0.1) of /usr/lib/nagios/plugins/check_nrpe beside the actual version (v.3.2.1). Of course I had to adjust some checks so that they use the legacy check_nrpe version.

@nexo1960: Thanks for the hint!

saxers · November 27, 2020, 11:13am

thanks for sharing. had same issue too