NRPE on client doesn't recognize SSL

Shoaibi iknewitalready at gmail.com
Sun Aug 10 15:14:12 CEST 2008


There are two machines:
Machine 1: Monitor Server with nagios and NRPE plugin. Prompt is ">". FreeBSD 6
Machine 2: Previously was monitored using nagios, but now I want it to
be monitored remotely using NRPE. Still have nagios installed. Prompt
is "sysadmin#". FreeBSD 7

Both machines have 2.12 versions of nagios and NRPE.

==================
Installing NRPE
==================

sysadmin# ls
.cshrc			.k5login		.login			.mysql_history		.ssh			nrpe-2.12.tar.gz
.history		.lesshst		.mc			.profile		mbox			templates

sysadmin# tar -xzvf nrpe-2.12.tar.gz
x nrpe-2.12/
x nrpe-2.12/contrib/
x nrpe-2.12/contrib/README.nrpe_check_control
x nrpe-2.12/contrib/nrpe_check_control.c
x nrpe-2.12/.cvsignore
x nrpe-2.12/Changelog
x nrpe-2.12/LEGAL
x nrpe-2.12/Makefile.in
x nrpe-2.12/README
x nrpe-2.12/README.SSL
x nrpe-2.12/SECURITY
x nrpe-2.12/config.guess
x nrpe-2.12/config.sub
x nrpe-2.12/configure
x nrpe-2.12/configure.in
x nrpe-2.12/init-script.debian.in
x nrpe-2.12/init-script.in
x nrpe-2.12/init-script.suse.in
x nrpe-2.12/install-sh
x nrpe-2.12/nrpe.spec
x nrpe-2.12/subst.in
x nrpe-2.12/update-version
x nrpe-2.12/docs/
x nrpe-2.12/docs/NRPE.odt
x nrpe-2.12/docs/NRPE.pdf
x nrpe-2.12/include/
x nrpe-2.12/include/common.h
x nrpe-2.12/include/config.h.in
x nrpe-2.12/include/dh.h
x nrpe-2.12/include/nrpe.h
x nrpe-2.12/include/utils.h
x nrpe-2.12/sample-config/
x nrpe-2.12/sample-config/nrpe.cfg.in
x nrpe-2.12/sample-config/nrpe.xinetd.in
x nrpe-2.12/src/
x nrpe-2.12/src/.cvsignore
x nrpe-2.12/src/Makefile.in
x nrpe-2.12/src/check_nrpe.c
x nrpe-2.12/src/nrpe.c
x nrpe-2.12/src/snprintf.c
x nrpe-2.12/src/utils.c

sysadmin# cd nrpe-2.12

sysadmin# ls
.cvsignore		README			config.sub		docs			init-script.suse.in	src
Changelog		README.SSL		configure		include			install-sh		subst.in
LEGAL			SECURITY		configure.in		init-script.debian.in	nrpe.spec		update-version
Makefile.in		config.guess		contrib			init-script.in		sample-config

sysadmin# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking build system type... i386-unknown-freebsd7.0
checking host system type... i386-unknown-freebsd7.0
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking whether make sets $(MAKE)... yes
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking ctype.h usability... yes
checking ctype.h presence... yes
checking for ctype.h... yes
checking dirent.h usability... yes
checking dirent.h presence... yes
checking for dirent.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking grp.h usability... yes
checking grp.h presence... yes
checking for grp.h... yes
checking for inttypes.h... (cached) yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking pwd.h usability... yes
checking pwd.h presence... yes
checking for pwd.h... yes
checking signal.h usability... yes
checking signal.h presence... yes
checking for signal.h... yes
checking for stdint.h... (cached) yes
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking tcpd.h usability... yes
checking tcpd.h presence... yes
checking for tcpd.h... yes
checking for unistd.h... (cached) yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking socket.h usability... no
checking socket.h presence... no
checking for socket.h... no
checking for sys/types.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking sys/resource.h usability... yes
checking sys/resource.h presence... yes
checking for sys/resource.h... yes
checking for sys/wait.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/stat.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for mode_t... yes
checking for pid_t... yes
checking for size_t... yes
checking return type of signal handlers... void
checking for uid_t in sys/types.h... yes
checking type of array argument to getgroups... gid_t
checking for int... yes
checking size of int... 4
checking for short... yes
checking size of short... 2
checking for long... yes
checking size of long... 4
checking for uint32_t... yes
checking for u_int32_t... yes
checking for int32_t... yes
checking for va_copy... yes
checking for vsnprintf... yes
checking for snprintf... yes
checking for asprintf... yes
checking for vasprintf... yes
checking for C99 vsnprintf... yes
checking for getopt_long... yes
checking for main in -lnsl... no
checking for socket in -lsocket... no
checking for main in -lwrap... yes
checking for strdup... yes
checking for strstr... yes
checking for strtoul... yes
checking for initgroups... yes
checking for closesocket... no
checking for socklen_t... yes
checking for type of socket size... size_t
checking for SSL headers... SSL headers found in /usr
checking for SSL libraries... SSL libraries found in /usr/lib

*** Generating DH Parameters for SSL/TLS ***
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time

checking for Kerberos include files... could not find include files
checking for perl... /usr/bin/perl
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating subst
config.status: creating include/config.h


*** Configuration summary for nrpe 2.12 03-10-2008 ***:

 General Options:
 -------------------------
 NRPE port:    5666
 NRPE user:    nagios
 NRPE group:   nagios
 Nagios user:  nagios
 Nagios group: nagios


Review the options above for accuracy.  If they look okay,
type 'make all' to compile the NRPE daemon and client.

sysadmin# make all
cd ./src/; make ; cd ..
gcc -g -O2 -I/usr/include/openssl -I/usr/include -DHAVE_CONFIG_H -o nrpe nrpe.c utils.c -L/usr/lib  -lssl -lcrypto  -lwrap
gcc -g -O2 -I/usr/include/openssl -I/usr/include -DHAVE_CONFIG_H -o check_nrpe check_nrpe.c utils.c -L/usr/lib  -lssl -lcrypto

*** Compile finished ***

If the NRPE daemon and client compiled without any errors, you
can continue with the installation or upgrade process.

Read the PDF documentation (NRPE.pdf) for information on the next
steps you should take to complete the installation or upgrade.

sysadmin# make install-plugin
cd ./src/ && make install-plugin
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec
/usr/bin/install -c -m 775 -o nagios -g nagios check_nrpe /usr/local/nagios/libexec


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Problems:
>> Even though we have libssl and libcrypto installed on client, the nrpe plugin doesn't associate itself to them....
>> On Server end check_nrpe is associated with ssl and crypto though...
>> Even tried using check_nrpe -n on the Monitoring server, gives status of "Unknown"
with Received 0 bytes from NRPE or something similar statement.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

sysadmin# ldd `which nrpe`
/usr/local/sbin/nrpe:
	libc.so.7 => /lib/libc.so.7 (0x28081000)

sysadmin# ldd /usr/local/libexec/nagios/check_nrpe
/usr/local/libexec/nagios/check_nrpe:
	libc.so.7 => /lib/libc.so.7 (0x2807f000)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NRPE Config file on Client
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

sysadmin# cat /usr/local/etc/nrpe.cfg


#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nagios at nagios.org)
#
# Last Modified: 12-30-2002
#
# NOTES:
# This is a sample configuration file for the NRPE daemon.  It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################



# PORT NUMBER
# Port number we should wait for connections on.
# NOTE: This must be a non-priviledged port (i.e. > 1024).
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

server_port=5666



# SERVER ADDRESS
# Address that nrpe should bind to in case there are more than one interface
# and you do not want nrpe to bind on all interfaces.
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#server_address=192.168.1.1



# ALLOWED HOST ADDRESSES
# This is a comma-delimited list of IP address of hosts that are allowed
# to talk to the NRPE daemon.
#
# NOTE: The daemon only does rudimentary checking of the client's IP
#       address.  I would highly recommend adding entries in your
#	/etc/hosts.allow file to allow only the specified host to connect
#	to the port you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#allowed_hosts=127.0.0.1,192.168.40.1



# NRPE USER
# This determines the effective user that the NRPE daemon should run as.
# You can either supply a username or a UID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_user=nagios



# NRPE GROUP
# This determines the effective group that the NRPE daemon should run as.
# You can either supply a group name or a GID.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

nrpe_group=nagios



# DEBUGGING OPTION
# This option determines whether or not debugging messages are logged to the
# syslog facility.
# Values: 0=debugging off, 1=debugging on

debug=0



# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
# allow plugins to finish executing before killing them off.

command_timeout=60



# COMMAND DEFINITIONS
# Command definitions that this daemon will run.  Definitions
# are in the following format:
#
# command[<command_name>]=<command_line>
#
# When the daemon receives a request to return the results of <command_name>
# it will execute the command specified by the <command_line> argument.
#
# Unlike Nagios, the command line cannot contain macros - it must be
# typed exactly as it should be executed.
#
# Note: Any plugins that are used in the command lines must reside
# on the machine that this daemon is running on!  The examples below
# assume that you have plugins installed in a /usr/local/nagios/libexec
# directory.  Also note that you will have to modify the definitions below
# to match the argument format the plugins expect.  Remember, these are
# examples only!

command[check_users]=/usr/local/libexec/nagios/check_users -w 5 -c 10
command[check_load]=/usr/local/libexec/nagios/check_load -w 15,10,5 -c 30,25,20
command[check_disk1]=/usr/local/libexec/nagios/check_disk -w 20 -c 10 -p /dev/ad4s1a
command[check_disk2]=/usr/local/libexec/nagios/check_disk -w 20 -c 10 -p /dev/ad4s1e
command[check_zombie_procs]=/usr/local/libexec/nagios/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/libexec/nagios/check_procs -w 150 -c 200
command[check_swap]=/usr/local/libexec/nagios/check_swap -w 20% -c 10%

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NRPE on Client is running as a daemon
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------


sysadmin# ps aux | grep nrp
nagios  49423  0.0  0.1  3104  1200  ??  Is   Tue10AM   0:00.30 /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon
root     6421  0.0  0.1  1632  1068  p3  R+   10:45AM   0:00.00 grep nrp


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
On the Monitor Server
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

>./check_nrpe -n -H 192.168.40.40 -p 5666 -c check_swap -t 20
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.
> ./check_nrpe -n -H 192.168.40.40 -p 5666 -c check_ping
CHECK_NRPE: Socket timeout after 10 seconds.
> ./check_nrpe -n -H 192.168.40.40 -p 5666 -c check_swap -t 20
CHECK_NRPE: Received 0 bytes from daemon.  Check the remote server logs for error messages.
> ./check_nrpe -n -H 192.168.40.40
CHECK_NRPE: Socket timeout after 10 seconds.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Verifying that NRPE is running on Client
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

sysadmin# ps aux | grep nrp
nagios  49423  0.0  0.1  3104  1200  ??  Is   Tue10AM   0:00.30 /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon
root     6421  0.0  0.1  1632  1068  p3  R+   10:45AM   0:00.00 grep nrp

sysadmin# sudo kill 49423

sysadmin# nohup /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon &
[1] 8166

sysadmin# ps aux | grep nrp
nagios   8167  0.0  0.1  3104  1184  ??  Ss   10:48AM   0:00.00 /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon
root     8169  0.0  0.1  1632  1068  p3  R+   10:48AM   0:00.00 grep nrp
[1]  + Done                          /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon

sysadmin# ps aux | grep nrp
nagios   8167  0.0  0.1  3104  1204  ??  Ss   10:48AM   0:00.00 /usr/local/sbin/nrpe -c /usr/local/etc/nrpe.cfg --daemon
root     8182  0.0  0.1  1632  1068  p3  R+   10:49AM   0:00.00 grep nrp

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Checking again from the Monitor Server...
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

> ./check_nrpe -n -H 192.168.40.40
CHECK_NRPE: Socket timeout after 10 seconds.
> ./check_nrpe -n -H 192.168.40.40 -p 5666 -c check_swap -t 20
CHECK_NRPE: Error receiving data from daemon.
> ./check_nrpe -n -H 192.168.40.40 -p 5666 -c check_swap -t 20
CHECK_NRPE: Error receiving data from daemon.




-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Conclusion:
=========
>>> Same versions of nagios and nrpe.
>>> nrpe daemon is running...
>>> Problem # 1 Even though SSL and crypto is installed, the nrpe installation client doesn't associate itself with them, though generated the certificates...
>>> Problem # 2  Even with the "-n" option, I am still not successful in getting the NRPE working....
>>> I have tried Installing NRPE client on a debian machine with ssl and crypto libs pre-installed as well. Same scenario.

So any suggestions? comments? Or should I paste more details?

The information about the versions of nagios and nrpe was gathered
using one of the following:
1. pkg_info
2. dpkg -l
3. tar file name
4. --version option
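
Added example, not part of the original post: the transcript shows `make install-plugin` writing check_nrpe to /usr/local/nagios/libexec, while `ldd` was run on /usr/local/libexec/nagios/check_nrpe and /usr/local/sbin/nrpe, so this sh script classifies each of those paths by what `ldd` reports for it. The function names and the SSL-linked sample are constructed for illustration; the no-SSL sample is the `ldd` output quoted above.

```shell
#!/bin/sh
# Added example: tell SSL-linked NRPE binaries apart from plain ones.

# classify_ldd: read `ldd` output on stdin and print one of
#   ssl            - libssl and libcrypto are both listed and resolved
#   ssl-unresolved - an SSL library is listed but reported "not found"
#   no-ssl         - the binary does not reference both SSL libraries
classify_ldd() {
    awk '
        /lib(ssl|crypto)\.so/ {
            if ($0 ~ /not found/)  missing = 1
            if ($1 ~ /^libssl/)    ssl = 1
            if ($1 ~ /^libcrypto/) crypto = 1
        }
        END {
            if (missing)            print "ssl-unresolved"
            else if (ssl && crypto) print "ssl"
            else                    print "no-ssl"
        }
    '
}

# audit_nrpe_binaries: for every path given, report whether it exists and,
# if so, how it is linked. A statically linked binary also reads "no-ssl".
audit_nrpe_binaries() {
    for bin in "$@"; do
        if [ -x "$bin" ]; then
            printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | classify_ldd)"
        else
            printf '%s: absent\n' "$bin"
        fi
    done
}

# ldd output as quoted in the post (client, FreeBSD 7).
SAMPLE_PAGE='/usr/local/sbin/nrpe:
    libc.so.7 => /lib/libc.so.7 (0x28081000)'

# Constructed sample of what an SSL-enabled build would list.
SAMPLE_SSL='check_nrpe:
    libssl.so.5 => /usr/lib/libssl.so.5 (0x28080000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x280c0000)
    libc.so.7 => /lib/libc.so.7 (0x28200000)'

# The three paths that appear in the transcript: the make install target,
# the plugin that was inspected, and the daemon that is actually running.
audit_nrpe_binaries \
    /usr/local/nagios/libexec/check_nrpe \
    /usr/local/libexec/nagios/check_nrpe \
    /usr/local/sbin/nrpe
```

Run it on both the monitor server and the client; the daemon and the check_nrpe that talks to it have to agree on SSL.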
