[icinga-users] icinga-nrpe

Michael Friedrich michael.friedrich at univie.ac.at
Thu Mar 8 14:06:36 CET 2012


Thomas Pries wrote:
> Ok, with the new version daemon output is:
>
> Mar  8 06:04:38 ntp nrpe[12938]: Using illegal meta characters
> '"|`&><'\"[]{};"'
> Mar  8 06:04:38 ntp nrpe[12938]: Added
> command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /
> Mar  8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 127.0.0.1/32 16777343
> Mar  8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 192.168.3.7/32 117680320
> Mar  8 06:04:38 ntp nrpe[12938]: IPv6 allowed_hosts: ::1,2001:4dd0:fb32:3::7
> Mar  8 06:04:38 ntp nrpe[12938]: INFO: SSL/TLS initialized. All network
> traffic will be encrypted.
> Mar  8 06:04:38 ntp nrpe[12939]: Starting up daemon
> Mar  8 06:04:38 ntp nrpe[12939]: Listening for connections on port 5666
> Mar  8 06:04:38 ntp icinga-nrpe[12914]: Starting Icinga NRPE ..done
>
> Mar  8 06:06:53 ntp nrpe[13100]: Connection from 127.0.0.1 port 11732
> Mar  8 06:06:53 ntp nrpe[13100]: Host address 127.0.0.1 is in allowed_hosts
> Mar  8 06:06:53 ntp nrpe[13100]: Handling the connection...
> Mar  8 06:06:55 ntp nrpe[13100]: Error: Could not complete SSL handshake. 1
> Mar  8 06:06:55 ntp nrpe[13100]: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Mar  8 06:06:55 ntp nrpe[13100]: no certificate returned
> Mar  8 06:06:55 ntp nrpe[13100]: Connection from 127.0.0.1 closed.

looks like the certificate is not provided by the client, therefore 
failing the ssl handshake.

>
>
> and the client says:
>
> ./check_nrpe -H ntp.pries.name  -C
> /usr/local/icinga/etc/client_icinga-nrpe.crt -k
> /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r
> /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -v -c check_part_root

how about permissions on that dir

/usr/local/icinga/etc

>
> NRPE Plugin for Icinga
> Copyright (c) 1999-2008 Ethan Galstad (nagios at nagios.org)
> Copyright (c) 2010-2012 Icinga Development Team and Community
> Contributors (http://www.icinga.org)
> Version: 3.0-dev
> Last Modified: 03-04-2012
> License: GPL v2 with exemptions (-l for more info)
> SSL/TLS Available: OpenSSL 0.9.6 or higher required
>
> CHECK_NRPE: created SSL context.
> CHECK_NRPE: SSL/TLS initialized. All network traffic will be encrypted.
> CHECK_NRPE: Error - Could not complete SSL handshake.
> CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
> CHECK_NRPE: (null)
> CHECK_NRPE: Error 0 - Failed to verify server x509 certificate.
> CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
> CHECK_NRPE: (null)
> CHECK_NRPE: Common Name 'ntp.pries.name' in server certificate matches
> host name 'ntp.pries.name'.
> CHECK_NRPE: Got peer certificate.
> CHECK_NRPE: SSL connection structure created.
> CHECK_NRPE: Result not OK, bailing out ...

hm. awkward. no direct ssl error returned (0 seems to be unlucky)

what host os? openssl version? how did you generate the certs? is it 
self signed?


>
>
> My conf is:
>
> log_facility=daemon
> pid_file=/var/run/icinga-nrpe.pid
> server_port=5666
> cert_file=/usr/local/icinga/etc/icinga-nrpe.crt
> cacert_file=/usr/local/icinga/etc/icinga-nrpe.crt
> privatekey_file=/usr/local/icinga/etc/icinga-nrpe_sin.key
> nrpe_user=nagios
> nrpe_group=nagios
> allowed_hosts=127.0.0.1,192.168.3.7,::1,2001:4dd0:fb32:3::7
> dont_blame_nrpe=0
> debug=1
> command_timeout=60
> connection_timeout=300
> illegal_metachars="|`&><'\"[]{};"
> command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /


-- 
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email:  michael.friedrich at univie.ac.at
phone:  +43 1 4277 14359
mobile: +43 664 60277 14359
fax:    +43 1 4277 14338
web:    http://www.univie.ac.at/zid
         http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org
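
The permission check asked about in the reply above, as an added example that is not part of the original post or of the NRPE code base: it reads the cert_file, cacert_file and privatekey_file directives from nrpe.cfg-style text and reports which files a given user cannot reach, judged by plain mode bits on the file and its containing directory. The function names are hypothetical, ACLs and root's bypass are not modelled, and the world-readable key warning is an extra check added here.

```python
import os
import stat

TLS_KEYS = ("cert_file", "cacert_file", "privatekey_file")

def tls_paths(cfg_text):
    """Return {directive: path} for the TLS file directives in nrpe.cfg-style text."""
    paths = {}
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() in TLS_KEYS:
            paths[key.strip()] = value.strip()
    return paths

def _allowed(st, uid, gids, want):
    """Owner/group/other mode-bit test; ACLs and root's bypass are not modelled."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def check_tls_files(paths, uid, gids):
    """Return (label, path, problem) tuples for files that uid/gids must read."""
    findings = []
    for label, path in sorted(paths.items()):
        try:
            fst = os.stat(path)
            # Only the containing directory is checked, not every ancestor.
            dst = os.stat(os.path.dirname(path) or ".")
        except OSError as exc:
            findings.append((label, path, f"cannot stat: {exc.strerror}"))
            continue
        if not _allowed(dst, uid, gids, 1):  # search (x) bit on the directory
            findings.append((label, path, "directory not searchable"))
        if not _allowed(fst, uid, gids, 4):  # read (r) bit on the file
            findings.append((label, path, "file not readable"))
        if label == "privatekey_file" and fst.st_mode & stat.S_IROTH:
            findings.append((label, path, "private key is world-readable"))
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py <path to nrpe.cfg> <user the daemon or plugin runs as>
    user = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    with open(sys.argv[1]) as fh:
        for label, path, problem in check_tls_files(tls_paths(fh.read()), user.pw_uid, gids):
            print(f"{label}: {path}: {problem}")
```

check_tls_files accepts any {label: path} mapping, so the certificate and key files passed to check_nrpe on the client side can be checked the same way.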




