Problem: Nagios SSL Issues with NSClient++

Problem

Your Nagios server monitors Windows clients through NSClient++. With the new version (3.0.1) of check_nrpe the SSL handling has been tightened. As a result you get SSL handshake failures and the affected services are no longer monitored.

Investigation

Run the check_nrpe command manually on the Nagios host with verbose SSL logging enabled (parameter -s 0xffffffff). check_nrpe logs the SSL details to syslog, so you will find entries like these in /var/log/syslog:

Mar 25 09:40:29 ucs check_nrpe: SSL Certificate File: /etc/univention/ssl/ucs/cert.pem
Mar 25 09:40:29 ucs check_nrpe: SSL Private Key File: /etc/univention/ssl/ucs/private.key
Mar 25 09:40:29 ucs check_nrpe: SSL CA Certificate File: /etc/univention/ssl/ucsCA/CAcert.pem
Mar 25 09:40:29 ucs check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH:@SECLEVEL=0
Mar 25 09:40:29 ucs check_nrpe: SSL Allow ADH: 1
Mar 25 09:40:29 ucs check_nrpe: SSL Log Options: 0xffffffff
Mar 25 09:40:29 ucs check_nrpe: SSL Version: TLSv1_plus And Above
Mar 25 09:40:29 ucs check_nrpe: Connected to 10.142.223.111
Mar 25 09:40:29 ucs check_nrpe: Error: (ERR_get_error_line_data = 337260938), Could not complete SSL handshake with 10.250.200.111: dh key too small

So the Nagios side rejects the Diffie-Hellman (DH) group offered by NSClient++ for the key exchange as being too small. Note that the cipher list already carries @SECLEVEL=0; that does not help, because OpenSSL refuses ephemeral DH keys shorter than 1024 bits regardless of the security level, and NSClient++ ships with a 512-bit group (nrpe_dh_512.pem) by default.

Solution

Generate larger DH parameters for NSClient++ and point it at them.

Step 1

On the UCS master (or any host with OpenSSL), run:

openssl dhparam 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...+...........+...+..+.+.+.......+...............++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*++*
[...]
-----BEGIN DH PARAMETERS-----
MCYCIQCko+U9lE0ecfFYiJnoBUhbSmyXWqcC+wZoczVdU5XCWwIBAg==
-----END DH PARAMETERS-----

Step 2

Copy the output of the above command, from the line -----BEGIN DH PARAMETERS----- up to and including -----END DH PARAMETERS-----, into a file on your Windows host and name it accordingly (e.g. C:\Program Files\NSClient++\security\nrpe_dh_2048.pem). Both marker lines must be present, otherwise NSClient++ cannot parse the file.

Step 3

Edit nsclient.ini (section [/settings/NRPE/server]) so that the dh setting points at the new file:

; DH KEY -
dh = ${certificate-path}/nrpe_dh_2048.pem

After a restart of the NSClient++ service, NSClient++ offers the 2048-bit DH group, the check_nrpe handshake completes and the Nagios server accepts the responses again.
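The server-side part of the procedure, as an added example that is not from the original post: generate the group and verify its size before copying it over, so that a file that would trip OpenSSL's 1024-bit floor is caught on the Nagios host rather than in the next failed handshake. It assumes the openssl command-line tool (1.1 or 3.x) is installed; the file name nrpe_dh_2048.pem follows the post, while the --generate switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate DH parameters for
# NSClient++ and check their size before the file is copied to Windows.
# Assumes the `openssl` CLI is on PATH. The 1024-bit floor is OpenSSL's
# hard minimum for ephemeral DH even at @SECLEVEL=0; 2048 is the target
# size used in the post.
set -e

# Print the modulus size in bits of a PEM DH parameter file (e.g. 2048).
# Works with the "DH Parameters: (N bit)" line of `openssl dhparam -text`.
dh_bits() {
    openssl dhparam -in "$1" -text -noout \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) when the parameters have at least $2 bits (default 2048).
# Anything below 1024 bits makes check_nrpe fail with "dh key too small",
# so the stock 512-bit nrpe_dh_512.pem never passes this check.
dh_ok() {
    bits=$(dh_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Generate a fresh safe-prime group straight into a file. No -C: that
# switch additionally prints C source code, which is not wanted here.
gen_dh() {
    openssl dhparam -out "$1" "${2:-2048}" 2>/dev/null
}

# Usage: ./gen_nrpe_dh.sh --generate   (assumed script name)
if [ "${1:-}" = "--generate" ]; then
    gen_dh nrpe_dh_2048.pem 2048
    if dh_ok nrpe_dh_2048.pem 2048; then
        echo "nrpe_dh_2048.pem: $(dh_bits nrpe_dh_2048.pem) bit," \
             "copy it to the NSClient++ security directory"
    else
        echo "nrpe_dh_2048.pem is too small, regenerate it" >&2
        exit 1
    fi
fi
```

Generating a 2048-bit safe prime takes from under a minute to several minutes depending on the host; the dh_ok check is what you want to run again on the copied file if in doubt, since a truncated paste will either fail to parse or report a size other than 2048.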
