The new OpenSSL packages on the latest versions of CentOS / RHEL / Ubuntu / Debian cause compatibility issues that make the check_nrpe plugin fail when checking Windows hosts running NSClient++. In this tutorial, I'll show you how to solve the problem “CHECK_NRPE: (ssl_err != 5) Error” in Nagios.
The problem
When using check_nrpe version 4.0.3 (or later), the target host is required to have a 2048-bit Diffie-Hellman key. NSClient++ (as of the current version 0.5.2.35) only provides a 512-bit key.
Solution
To solve this you will have to generate a new key and use it instead of the pre-generated key.
Generate the new key
On your Nagios Monitor server, run the following command to generate the key:
openssl dhparam 2048 2> /dev/null | sed -n '/BEGIN/,/END/p'
This may take several minutes. When it is done, it will produce a key looking similar to this one:
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAterjJyYKhGXhkCasdasdas/ruEhvBetjNfjSQpVmqQCpRql2O/JVW2
oL1Dqxvb9Fdqrm2lbQmngHLHBN+P1asdasdasdasdxcTeusTrGRCzMxZ2NDPG2ka7k
FN4wXp/ChasdasdasdasdasLJsOLrMdZn8GOBFJSASQlCrg0lxFTHe8pQSobspiYyW
Miv4HyJT+7eIlza/203RJa8C6GBXWmsoR4XhD0Z4/hwp/3nXMMFvvRI6am2YEjwv
dTo2dukuKBVuqM2exsbgIVa52Bt1nAp7t/04DBYkB17ivFheXdfgdfgdfgdfgdfgRy
LzSG2TLEcOKpSWlNhQdfdfgdfgdfgQawIBAg==
-----END DH PARAMETERS-----
Install the new key on your host
You need to copy the text displayed when generating the key and paste it to a new file on your host. This file should be named C:\Program Files\NSClient++\security\nrpe_dh_2048.pem. Adjust the path if your NSClient++ installation is located somewhere else on the disk.
Enable the new key
Open the command line on your host and run the following command from the directory of your NSClient++ installation:
.\nscp.exe settings --path /settings/NRPE/server --key dh --set "C:\Program Files\NSClient++\security\nrpe_dh_2048.pem"
Restart NSClient++
Stop and start the client:
net stop nscp
net start nscp
Test the new key
Run the following on your Nagios Monitor server to verify that it is now working:
/usr/lib/nagios/plugins/check_nrpe -H <IP>
(Replace
Additional steps
If you get the error “CHECK_NRPE: Invalid packet version received from server.”, then you will need to add the option -2 to your check_command.
/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx -2
result:
/usr/lib/nagios/plugins/check_nrpe -H xxx.xxx.xxx.xxx -2
I (0.4.4.19 2015-12-08) seem to be doing fine...