Description of problem:
After the update to the new crypto-policies, nagios couldn't connect to the nrpe client. Error: "Could not complete SSL handshake", which results in massive alerts from nagios.

Version-Release number of selected component (if applicable):
nrpe-3.2.1-3.2.mga7
nagios-check_nrpe-3.2.1-3.2.mga7

How reproducible:
after install crypto-policies

Steps to Reproduce:
1. install crypto-policies
2. restart
3. and see the errors on the nagios frontend or with journalctl -af

The only chance to get the old nrpe running is to make the crypto-policies insecure. I described that here: https://bugs.mageia.org/show_bug.cgi?id=27343#c11

And of course it is clear why this doesn't work anymore. NRPE v3.2.1 is too old (from 2017) and can't work with @SECLEVEL=1, which is the default in the new crypto-policies. You have to set @SECLEVEL=0. You can read this in /etc/nagios/nrpe.cfg:

---------------------------------------------------------------
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater.
#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
--------------------------------------------------------------------

To test this:
- make crypto-policies more insecure as described above
- install nrpe and check_nrpe with: urpmi nrpe nagios-check_nrpe
- start the nrpe daemon with: systemctl start nrpe
- ask for the version of nrpe with check_nrpe and SECLEVEL=1:
  /usr/lib64/nagios/plugins/check_nrpe -S TLSv1.2 -L "ALL:@STRENGTH:@SECLEVEL=1" -H 127.0.0.1
  you get:
  CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 127.0.0.1: 1
- ask for the version of nrpe with check_nrpe and SECLEVEL=0:
  /usr/lib64/nagios/plugins/check_nrpe -S TLSv1.2 -L "ALL:@STRENGTH:@SECLEVEL=0" -H 127.0.0.1
  you get:
  NRPE v3.2.1
Version: Cauldron => 7
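The following is an added illustration, not part of the report or of the nrpe package: it reproduces the two check_nrpe outcomes from the report in-process with Python's ssl module. The server side stands in for an nrpe daemon with no ssl_cert_file/ssl_privatekey_file configured (no certificate or key loaded) and uses the daemon's documented default cipher string; the client side uses the two -L strings from the report. OpenSSL's default security-level callback rejects every unauthenticated (aNULL) cipher suite at SECLEVEL 1 and above, so a client at @SECLEVEL=1 never offers the anonymous AECDH suites that are the only ones a certificate-less server can complete, and the handshake fails with "no shared cipher"; at @SECLEVEL=0 it completes on an AECDH-* suite. The socketpair in place of a real daemon, the helper names probe() and anonymous_suite_negotiated(), and the "ping" payload are assumptions of this example; it needs a Python built against OpenSSL 1.1.0 or later that still ships the AECDH suites.

```python
import socket
import ssl
import threading

# Cipher strings copied from the report: the NRPE 3.2.1 default for
# OpenSSL >= 1.1.0 and the two -L values that were passed to check_nrpe.
NRPE_DEFAULT_CIPHERS = "ALL:!MD5:@STRENGTH:@SECLEVEL=0"
CHECK_NRPE_SECLEVEL1 = "ALL:@STRENGTH:@SECLEVEL=1"
CHECK_NRPE_SECLEVEL0 = "ALL:@STRENGTH:@SECLEVEL=0"


def _serve_once(sock, cipher_string, outcome):
    """Server side of one handshake with NO certificate or key loaded.

    An nrpe daemon without ssl_cert_file/ssl_privatekey_file is in this state,
    so the only suites it can complete are the anonymous (aNULL) ones.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.3 suites always authenticate the server, so pin to TLS 1.2 the
    # same way the report's "check_nrpe -S TLSv1.2" does.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    try:
        with ctx.wrap_socket(sock, server_side=True) as tls:
            outcome["server_cipher"] = tls.cipher()[0]
            tls.recv(16)  # wait for the client's payload, then close
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        outcome["server_error"] = getattr(exc, "reason", None) or type(exc).__name__


def probe(client_cipher_string, server_cipher_string=NRPE_DEFAULT_CIPHERS):
    """Run one in-process TLS handshake (assumed socketpair stand-in for a
    real daemon) and report what each side saw."""
    outcome = {"server_cipher": None, "server_error": None,
               "client_cipher": None, "client_error": None}
    server_end, client_end = socket.socketpair()
    server = threading.Thread(target=_serve_once,
                              args=(server_end, server_cipher_string, outcome))
    server.start()

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # there is no certificate to check
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(client_cipher_string)
    try:
        with ctx.wrap_socket(client_end) as tls:
            outcome["client_cipher"] = tls.cipher()[0]
            tls.sendall(b"ping")      # constructed payload, stands in for a check
    except OSError as exc:
        outcome["client_error"] = getattr(exc, "reason", None) or type(exc).__name__
    server.join()
    return outcome


def anonymous_suite_negotiated(outcome):
    """True when the handshake completed on an anonymous ECDH suite (AECDH-*),
    i.e. the client talked to a server that never proved its identity."""
    cipher = outcome["client_cipher"]
    return cipher is not None and cipher.startswith("AECDH")


if __name__ == "__main__":
    for label, ciphers in (("client @SECLEVEL=1", CHECK_NRPE_SECLEVEL1),
                           ("client @SECLEVEL=0", CHECK_NRPE_SECLEVEL0)):
        print(label, probe(ciphers))
```

The SECLEVEL=0 run succeeds only because both sides accept an unauthenticated suite, which is the weakness the policy is meant to rule out: anyone on the path can sit in the middle of such a connection. It also shows why loading a certificate and key into the daemon (comment #1) is the right fix rather than lowering the policy: with a key pair available the server can complete authenticated suites such as ECDHE-RSA, which SECLEVEL 1 permits.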
Try this:

1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.
2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g nagios' as root.
3. Change nrpe to use the created certs in /etc/nagios/nrpe.cfg:
   ssl_cert_file=/etc/pki/tls/certs/nagios.pem
   ssl_privatekey_file=/etc/pki/tls/private/nagios.pem
4. Restart nrpe
(In reply to Jani Välimaa from comment #1)
> Try this:
>
> 1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.
>
> 2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g
> nagios' as root.
>
> 3. Change nrpe to use created certs in /etc/nagios/nrpe.cfg:
> ssl_cert_file=/etc/pki/tls/certs/nagios.pem
> ssl_privatekey_file=/etc/pki/tls/private/nagios.pem
>
> 4. Restart nrpe

Thank you, this works on my test environment.
But a question for my understanding: why do I have to expand the key length?
If you look at /etc/crypto-policies/state/CURRENT.po, a length of 2048 is enough.
See Bug #27359
CC: (none) => thierry.vignaud
Depends on: (none) => 27359
CC: (none) => ouaurelien
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

No update required. 27259 blocks this.

Will close this after 27259 is fixed.
Keywords: (none) => Triaged
Status comment: (none) => No update required. 27259 blocks this.
Assignee: bugsquad => luis.daniel.lucio
Severity: major => normal
(In reply to Dieter Schütze from comment #2)
> (In reply to Jani Välimaa from comment #1)
> > Try this:
> >
> > 1. Install rpm-helper and change KEY_LENGTH to 4096 in /etc/sysconfig/ssl.
> >
> > 2. Run '/usr/share/rpm-helper/create-ssl-certificate nrpe 1 nagios -g
> > nagios' as root.
> >
> > 3. Change nrpe to use created certs in /etc/nagios/nrpe.cfg:
> > ssl_cert_file=/etc/pki/tls/certs/nagios.pem
> > ssl_privatekey_file=/etc/pki/tls/private/nagios.pem
> >
> > 4. Restart nrpe
>
> Thank you, this works on my test environment.
> But a question for my understanding: why do I have to expand the key length?
> If you look at /etc/crypto-policies/state/CURRENT.po, a length of 2048 is
> enough.

Can you also try the same with KEY_LENGTH=2048?

It might be that there is something else happening with nrpe and how it is working if certs are not used/configured.
CC: (none) => jani.valimaa
(In reply to Jani Välimaa from comment #5)
> (In reply to Dieter Schütze from comment #2)
>
> Can you also try the same with KEY_LENGTH=2048?
>
> It might be that there is something else happening with nrpe and how it is
> working if certs are not used/configured.

With the given certificate, nrpe is forced to use an SSL connection with a given key length. This gives you the opportunity to adapt it to the crypto policies.

Thank you. It also works in the production environment, tested today.
I also used the 4096 long key. That makes sense for stricter regulations in the future.
(In reply to Aurelien Oudelet from comment #4)
> Hi, thanks for reporting this bug.
> Assigned to the package maintainer.
>
> No update required. 27259 blocks this.
>
> Will close this after 27259 will be fixed.

Fixing bug 27259 doesn't fix the issue automatically.

nrpe needs to be also configured/patched to use the SSL cert and private key, as it doesn't do it by default.
Status comment: No update required. 27259 blocks this. => (none)
(In reply to Jani Välimaa from comment #8)
> (In reply to Aurelien Oudelet from comment #4)
> > Hi, thanks for reporting this bug.
> > Assigned to the package maintainer.
> >
> > No update required. 27259 blocks this.
> >
> > Will close this after 27259 will be fixed.
>
> Fixing bug 27359 doesn't fix the issue automatically.
>
> nrpe needs to be also configured/patched to use SSL cert and private key as
> it doesn't do it by default.

It's bug 27359 and not 27259.
Mageia 7 is EOL since July 1st 2021. There will not be any further bugfixes for this release. You are encouraged to upgrade to Mageia 8 as soon as possible.

@reporter, if this bug still applies with Mageia 8, please let us know.

@packager, if you work on the Mageia 7 version of your package, please check whether the issue is also present in the Mageia 8 package. In that case, please fix the Mageia 8 version instead.

This bug report will be closed OLD if there is no further notice by 1st September 2021.
Hi bug reporter, hi assignee and others involved,

Please reopen this bug report if it is still valid for Mageia 8 or 9 (cauldron), and change "Version:" in the upper left of this report accordingly.

This report is being closed as OLD because it was filed against Mageia 7, for which support ended on June 30th 2021.

Thanks,
Marja
Resolution: (none) => OLD
Status: NEW => RESOLVED