CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected)

jonathaneks · January 4, 2021, 12:16pm

Hello,

I’m currently struggling with check_nrpe querying a Windows server running NSClient++. Testing from the Icinga2 server I am able to connect to the remote server (192.168.56.223) so there’s no firewall or allowed hosts issue:

jonathan@icinga2:/usr/lib/nagios/plugins$ telnet 192.168.56.223 5666
Trying 192.168.56.223...
Connected to 192.168.56.223.
Escape character is '^]'.

When attempting to query NRPE itself I’ve noted TLS/SSL is not configured at the remote host (to be fixed later) so I’ve used the -n argument. A basic check yields:

CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

which was generated via

jonathan@icinga2:/usr/lib/nagios/plugins$ ./check_nrpe -n -H 192.168.56.223
CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).

I’ve tried with the -2 argument which gives the same error. Additional nsclient.ini settings of relevance:

[/modules]
NRPEServer = 1

[/settings/NRPE/server]
allow arguments = true
insecure = false
timeout = 70

Searching for that error gives a lot of results that seem to be based around SSL/TLS, which is not in scope here, or around the need to downgrade check_nrpe. Before I go down that path I wanted to check I’d not missed anything obvious, so any advice would be appreciated. I’m also reading that it may be necessary to switch to Icinga Agent instead.

Thanks in advance .

Software versions

check_npre: 3.2.1
- SSL/TLS Available: OpenSSL 0.9.6 or higher required
Icinga2 OS: Ubuntu 18.04.5 LTS
Remote OS: Windows Server 2016
NSClient++: 0.5.2.35 2018-01-28

ritzgu · January 4, 2021, 4:07pm

Hi @jonathaneks,

please have a look at NSClient NRPE Settings.

use ssl

defaults to true here so maybe

use ssl=false

in the nrpe part of your nsclient.ini may work for you (although i would recommend using encrypted connections ).

Kind regards,
ritzgu

jonathaneks · January 4, 2021, 4:29pm

Interesting, thanks for that @ritzgu. Setting use ssl = false does allow the connection:

jonathan@icinga2:/usr/lib/nagios/plugins$ ./check_nrpe -n -H 192.168.56.223
I (0.5.2.35 2018-01-28) seem to be doing fine...

However, as you say, that’s not a desired configuration. Having re-enabled the SSL usage I’m now back to an issue with the SSL handshake:

jonathan@icinga2:/usr/lib/nagios/plugins$ ./check_nrpe -H 192.168.56.223
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 192.168.56.223: 1

Further reading on the page you linked (thanks, I’d not found that in my travels) showed there was a certificate that could be specified, along with the private key. I’ll look into that next, including how to get check_nrpe how to trust certificiates from our internal CA / PKI. Do you know of any guidance on that? We check our hosts via IP, rather than DNS, and creating a certificate for every server’s IP would be a very lengthy process given the number of servers involved. If we can direct check_nrpe to trust a specific certificate that may be a better option.

Many thanks for your help so far!

Jonathan

ritzgu · January 5, 2021, 9:00am

I’m not using NRPE anymore, but you can add the parameter ‘-g’ to create a log file for the check_nrpe command like
./check_nrpe -H <HOST> -g /tmp/nrpe.log
for further investigation. On my test installation, this results in the error dh key too small which has been discussed here.