[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
>From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914489#12 > After updating nagios-nrpe-plugin in my monitoring host to > 3.2.1-1~bpo9+1 most of my monitored instances fail to be checked. That is due to changes in openssl, we have no control over that. For machines with an old openssl you need to disable SSL with -n. --- So it is an admin task to be done if nodes have old SSL versions. For now following Debian on this and marking it as Won't Fix (as it is a local config change and not a bug to be fixed in the package [unless we want to add way more logic]) ** Changed in: nagios-nrpe (Ubuntu) Status: Triaged => Won't Fix ** Changed in: nagios-nrpe (Ubuntu Bionic) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
** Changed in: nagios-nrpe (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
** Bug watch added: Debian Bug tracker #914489 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914489 ** Also affects: nagios-nrpe (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914489 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Had the same issue after upgrading from 14.04 to 16.04. Even with the planning to upgrade all our Ubuntu Servers to the lastest LTS ( 18.04) Needed to monitor disk usage from Nagios Server, since its critical file storage service. My Nagios server is running on a FreeBSD 12 Stable Server with NRPE latest version ( check_nrpe3 ) Looks like nrpe package version from 16.04 offical repositories is a lot older ( 2.x.x ) than the current Nagios supported version ( 3.x) I fixed my issue by compiling NRPE manually. The process is very well documented by Nagios Support Team: https://support.nagios.com/kb/article/nrpe-how-to-install-nrpe-8.html -> Don`t forget to check and validate your backups, in case something goes wrong.) 1 - sudo apt remove nagios-nrpe-server 2 - sudo apt autoremove 3 - sudo cd /tmp 4 - sudo wget http://assets.nagios.com/downloads/nagiosxi/agents/linux-nrpe-agent.tar.gz 5 - sudo tar xzf linux-nrpe-agent.tar.gz 6 - cd linux-nrpe-agent 7 - sudo ./fullinstall The ./fullinstall script will warn you that it should be run on a clean system. After it finishes compiling and seting up nrpe and xinetd, it will also ask you to authorize your Nagios Server IP to Query Local NRPE. After that, you can go to /usr/local/etc/nagios/nrpe.cfg, adjust your checks and restart xinetd (service xinetd restart) Wait or force your Nagios Server to re-check monitored stuff and it should work as expected. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
This seems to be the same / similar issue, discussed upstream: https://support.nagios.com/forum/viewtopic.php?f=7=50342 Not sure if there's a recommended fix upstream other than upgrading (or downgrading) to keep v3 (or v2) clients and servers in sync. ** Also affects: nagios-nrpe (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: nagios-nrpe (Ubuntu Bionic) Status: New => Triaged ** Changed in: nagios-nrpe (Ubuntu Bionic) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Here's the full workaround: - Go to a machine running a version below 18.04 - apt install nagios-nrpe-plugin - Copy /usr/lib/nagios/plugins/check_nrpe over to your Nagios server - On the server: - mv /usr/lib/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe.v3 - mv /usr/lib/nagios/plugins/check_nrpe This is quite hacky; if you try to verify nagios-nrpe-plugin on the server it will tell you that check_nrpe isn't what it should be; if you upgrade nagios-nrpe-plugin the hack will be wiped out; etc. etc. This is just enough to keep you going while you upgrade the clients to NRPE v3/Ubuntu 18.04. You don't need to restart anything, your checks will all just start to come good. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
@legovini Yes, that's exactly what I did. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Hello Stefan, So you replaced the check_nrpe binary *only*, without downgrading the whole package and (what I'm mostly interested in) without downgrading openssl? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
I would recommend a downgrade to the version shipped with Ubuntu 14.04. (check_nrpe 2.15) I replaced check_nrpe and now I can monitor successfully again. Better a bad encryption than no encryption at all... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
@jessegoodier, you will need to change your Nagios checks from check_nrpe to check_nrpe_nossl and tell the old target NRPE server to run without SSL. This can be done by setting DAEMON_OPTS="-n" in /etc/default/nagios-nrpe-server. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Does anyone have instructions for disabling TLS for nagios? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
I'll add another "me too" on this bug since I had forgotten about the NRPE incompatibility and broke a bunch of nagios checks by upgrading our production nagios system to 18.04. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Thanks for reporting this bug and troubleshooting it this far. It looks like a real issue and we have added it to the server team backlog. Maybe there could be an ssl option to have the bionic client accept the smaller DH key. ** Changed in: nagios-nrpe (Ubuntu) Importance: Undecided => Medium ** Changed in: nagios-nrpe (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to nagios-nrpe in Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Thanks for reporting this bug and troubleshooting it this far. It looks like a real issue and we have added it to the server team backlog. Maybe there could be an ssl option to have the bionic client accept the smaller DH key. ** Changed in: nagios-nrpe (Ubuntu) Importance: Undecided => Medium ** Changed in: nagios-nrpe (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
It seems the Bionic's OpenSSL version will always reject the small DH params proposed by the Xenial side so the only workaround I can think of for now is to disable TLS on both sides. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
It looks like the Bionic TLS client rejects the server picked DH param (512 bits) as being too small. We can see this at work in the attached pcap where 172.22.30.2 is Xenial/TLS server/NRPE server and 172.22.30.66 is the Bionic/TLS client/check_nrpe. ** Attachment added: "nrpe-dh-too-small.pcap" https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+attachment/5238901/+files/nrpe-dh-too-small.pcap -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: nagios-nrpe (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
I've just been bitten by this one and it's practically a show-stopper. I've tried all the suggestions I can find without success and the idea of building nrpe server for multiple other platforms does not seem like any kind of solution. I guess I'll need to downgrade check_nrpe. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
I've done some more digging. It's definitely related to the upgrade from v2 to v3. My syslog from the nagios server reports errors such as: check_nrpe: Error: (!log_opts) Could not complete SSL handshake with xxx.xxx.xxx.xxx: dh key too small This page describes the compatibility of v3: https://support.nagios.com/kb/article/nrpe-v3-compatibility-with- previous-versions-516.html. It states: "A 2048-bit DH key is used instead of a 512-bit key" which very likely is the cause of the issue. The same pages provides a workaround: "Force the plugin to send v2 packets Using the -2 argument will force the plugin to connect with v2 packets /usr/local/nagios/libexec/check_nrpe -2 -H centos12" This workaround doesn't work on 18.04. I also tried with -P 1024 as suggested in some other places, to no avail. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Hi, I've got the same problem here. Indeed, there's a difference between 18.04 (nrpe v3) & older releases which contain nrpe v2. However the nrpe client has an option to force backward compatibility: check_nrpe -2, which should work with older server. The error stays exactly the same nevertheless. ** Changed in: nagios-nrpe (Ubuntu) Status: Expired => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
[Expired for nagios-nrpe (Ubuntu) because there has been no activity for 60 days.] ** Changed in: nagios-nrpe (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
** Tags added: bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1782650] Re: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake"
Hi, I'm certainly not a nagios-nrpe expert but isn't that just (1) of [1]. to quote "Newer versions of NRPE are usually not backward compatible with older versions." I expected something like it and search engines immediately returned just such cases. So could it just be that? [1]: https://nazeems.wordpress.com/2012/04/20/correcting-ssl-handshake- error-in-nagios/ ** Changed in: nagios-nrpe (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1782650 Title: nrpe plugin in bionic fails with "Error - Could not complete SSL handshake" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nagios-nrpe/+bug/1782650/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
