Discussion:
icinga-nrpe
Thomas Pries
2012-03-07 18:39:46 UTC
Hi,

I tried to set up icinga-nrpe on one host with self-signed SSL-Certs for
both client and daemon. When I try to connect I got:

CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to get peer certificate.


I set debug=1 in nrpe.cfg to find out what went wrong, but the only info
at daemon-log was "nrpe[12912]: Connection from 2001:4dd0:... port 59107".

Is there any kind of "very verbose"-option either on client or on
daemon side to find out why the handshake fails?

Any other hints?

Kind regards
Thomas
Michael Friedrich
2012-03-07 18:47:50 UTC
Post by Thomas Pries
Hi,
I tried to set up icinga-nrpe on one host with self-signed SSL-Certs for
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to get peer certificate.
I set debug=1 in nrpe.cfg to find out what went wrong, but the only info
at daemon-log was "nrpe[12912]: Connection from 2001:4dd0:... port 59107".
there should be more output when debug is enabled.
Post by Thomas Pries
Is there any kind of "very verbose"-option either on client or on
daemon side to find out why the handshake fails?
first off, you cloned from git. so please provide the sha1 you are
currently using.

$ git log -1
Post by Thomas Pries
Any other hints?
Kind regards
Thomas
_______________________________________________
icinga-users mailing list
https://lists.sourceforge.net/lists/listinfo/icinga-users
--
DI (FH) Michael Friedrich

Vienna University Computer Center
Universitaetsstrasse 7 A-1010 Vienna, Austria

email: michael.friedrich-***@public.gmane.org
phone: +43 1 4277 14359
mobile: +43 664 60277 14359
fax: +43 1 4277 14338
web: http://www.univie.ac.at/zid
http://www.aco.net

Lead Icinga Core Developer
http://www.icinga.org
Thomas Pries
2012-03-07 21:31:36 UTC
Post by Michael Friedrich
Post by Thomas Pries
I tried to set up icinga-nrpe on one host with self-signed SSL-Certs for
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to get peer certificate.
I set debug=1 in nrpe.cfg to find out what went wrong, but the only info
at daemon-log was "nrpe[12912]: Connection from 2001:4dd0:... port 59107".
there should be more output when debug is enabled.
Post by Thomas Pries
Is there any kind of "very verbose"-option either on client or on
daemon side to find out why the handshake fails?
first off, you cloned from git. so please provide the sha1 you are
currently using.
I took icinga-nrpe-HEAD.tar.gz from

https://git.icinga.org/?p=icinga-nrpe.git;a=tree;hb=HEAD

maybe this was not a good idea, now I got

icinga-nrpe-f42441262157d866cf45d20e3793f0c9e11c2bb2.tar

from https://git.icinga.org/?p=icinga-nrpe.git;a=summary

Now there is a little more output:

Mar 7 21:11:20 ntp nrpe[23167]: Connection from 2001:... port 57828
Mar 7 21:11:20 ntp nrpe[23167]: got match with 2001:...
Mar 7 21:11:20 ntp nrpe[23167]: Host address 2001:... is in allowed_hosts
Mar 7 21:11:20 ntp nrpe[23167]: Handling the connection...
Mar 7 21:11:22 ntp nrpe[23167]: Error: Could not complete SSL handshake. 1
Mar 7 21:11:22 ntp nrpe[23167]: Connection from 2001:.... closed.

And the client says:

./check_nrpe -H ntp.... -C /usr/local/icinga/etc/client_icinga-nrpe.crt -k /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -c check_part_root

CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to verify server certificate.
Michael Friedrich
2012-03-07 22:57:23 UTC
Post by Thomas Pries
I took icinga-nrpe-HEAD.tar.gz from
https://git.icinga.org/?p=icinga-nrpe.git;a=tree;hb=HEAD
maybe this was not a good idea, now I got
icinga-nrpe-f42441262157d866cf45d20e3793f0c9e11c2bb2.tar
ok. that's current head with my 2 fixes on top. otherwise ipv6
connections would have failed.
Post by Thomas Pries
from https://git.icinga.org/?p=icinga-nrpe.git;a=summary
Mar 7 21:11:20 ntp nrpe[23167]: Connection from 2001:... port 57828
Mar 7 21:11:20 ntp nrpe[23167]: got match with 2001:...
Mar 7 21:11:20 ntp nrpe[23167]: Host address 2001:... is in allowed_hosts
Mar 7 21:11:20 ntp nrpe[23167]: Handling the connection...
Mar 7 21:11:22 ntp nrpe[23167]: Error: Could not complete SSL handshake. 1
Mar 7 21:11:22 ntp nrpe[23167]: Connection from 2001:.... closed.
how about nrpe.cfg?

mine for testing ipv6 looks like this.

log_facility=daemon
pid_file=/var/run/icinga-nrpe.pid
server_port=5666
#server_address=127.0.0.1
server_address=::1
nrpe_user=icinga
nrpe_group=icinga
allowed_hosts=::1,::2,::3,127.0.0.0/24,127.0.0.2,::4/64
#allowed_hosts=127.0.0.0/24
#allowed_hosts=127.0.0.1/24
dont_blame_nrpe=1
# command_prefix=/usr/bin/sudo
#debug=0
debug=1
command_timeout=60
connection_timeout=300
#allow_weak_random_seed=1
illegal_metachars="|`&><'\"[]{};"
#include=<somefile.cfg>
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 1.5,1.1,0.9 -c 3.0,2.2,1.9
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200

command[test_longoutput]=/usr/lib/nagios/plugins/check_dummy 0 "OUPUT | PERFDATA \n LONGOUTPUT"

cert_file=/etc/icinga-nrpe/server.crt
cacert_file=/etc/icinga-nrpe/server.crt
privatekey_file=/etc/icinga-nrpe/server.key

include_dir=/etc/icinga-nrpe/conf.d
Post by Thomas Pries
./check_nrpe -H ntp.... -C /usr/local/icinga/etc/client_icinga-nrpe.crt -k /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -c check_part_root
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to verify server certificate.
is the icinga user allowed to read the key/crt file?

i'll look into the code to make it more verbose...
Michael Friedrich
2012-03-08 01:02:25 UTC
Post by Michael Friedrich
Post by Thomas Pries
./check_nrpe -H ntp.... -C /usr/local/icinga/etc/client_icinga-nrpe.crt -k /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -c check_part_root
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: Error - Failed to verify server certificate.
is the icinga user allowed to read the key/crt file?
i'll look into the code to make it more verbose...
can you fetch the latest HEAD, i've added a new option to check_nrpe,
namely -v, --verbose to increase verbosity on the long run.
furthermore, i've partly rewritten the error output on ssl errors.
probably you will now see a bit more information on failures.

https://git.icinga.org/?p=icinga-nrpe.git;a=commit;h=22f38484045b48a61bb8c03818d1d8684a231696

that being said, it would be great if you could test that.
Thomas Pries
2012-03-08 06:28:38 UTC
Good Morning,
... added a new option to check_nrpe,...
Ok, with the new version daemon output is:

Mar 8 06:04:38 ntp nrpe[12938]: Using illegal meta characters '"|`&><'\"[]{};"'
Mar 8 06:04:38 ntp nrpe[12938]: Added command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /
Mar 8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 127.0.0.1/32 16777343
Mar 8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 192.168.3.7/32 117680320
Mar 8 06:04:38 ntp nrpe[12938]: IPv6 allowed_hosts: ::1,2001:4dd0:fb32:3::7
Mar 8 06:04:38 ntp nrpe[12938]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 8 06:04:38 ntp nrpe[12939]: Starting up daemon
Mar 8 06:04:38 ntp nrpe[12939]: Listening for connections on port 5666
Mar 8 06:04:38 ntp icinga-nrpe[12914]: Starting Icinga NRPE ..done

Mar 8 06:06:53 ntp nrpe[13100]: Connection from 127.0.0.1 port 11732
Mar 8 06:06:53 ntp nrpe[13100]: Host address 127.0.0.1 is in allowed_hosts
Mar 8 06:06:53 ntp nrpe[13100]: Handling the connection...
Mar 8 06:06:55 ntp nrpe[13100]: Error: Could not complete SSL handshake. 1
Mar 8 06:06:55 ntp nrpe[13100]: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mar 8 06:06:55 ntp nrpe[13100]: no certificate returned
Mar 8 06:06:55 ntp nrpe[13100]: Connection from 127.0.0.1 closed.


and the client says:

./check_nrpe -H ntp.pries.name -C /usr/local/icinga/etc/client_icinga-nrpe.crt -k /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -v -c check_part_root

NRPE Plugin for Icinga
Copyright (c) 1999-2008 Ethan Galstad (nagios-hvcSvQUnuUQdnm+***@public.gmane.org)
Copyright (c) 2010-2012 Icinga Development Team and Community Contributors (http://www.icinga.org)
Version: 3.0-dev
Last Modified: 03-04-2012
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: OpenSSL 0.9.6 or higher required

CHECK_NRPE: created SSL context.
CHECK_NRPE: SSL/TLS initialized. All network traffic will be encrypted.
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
CHECK_NRPE: (null)
CHECK_NRPE: Error 0 - Failed to verify server x509 certificate.
CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
CHECK_NRPE: (null)
CHECK_NRPE: Common Name 'ntp.pries.name' in server certificate matches host name 'ntp.pries.name'.
CHECK_NRPE: Got peer certificate.
CHECK_NRPE: SSL connection structure created.
CHECK_NRPE: Result not OK, bailing out ...


My conf is:

log_facility=daemon
pid_file=/var/run/icinga-nrpe.pid
server_port=5666
cert_file=/usr/local/icinga/etc/icinga-nrpe.crt
cacert_file=/usr/local/icinga/etc/icinga-nrpe.crt
privatekey_file=/usr/local/icinga/etc/icinga-nrpe_sin.key
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,192.168.3.7,::1,2001:4dd0:fb32:3::7
dont_blame_nrpe=0
debug=1
command_timeout=60
connection_timeout=300
illegal_metachars="|`&><'\"[]{};"
command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /
Michael Friedrich
2012-03-08 13:06:36 UTC
Post by Thomas Pries
Mar 8 06:04:38 ntp nrpe[12938]: Using illegal meta characters '"|`&><'\"[]{};"'
Mar 8 06:04:38 ntp nrpe[12938]: Added command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /
Mar 8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 127.0.0.1/32 16777343
Mar 8 06:04:38 ntp nrpe[12938]: IPv4 ACL: 192.168.3.7/32 117680320
Mar 8 06:04:38 ntp nrpe[12938]: IPv6 allowed_hosts: ::1,2001:4dd0:fb32:3::7
Mar 8 06:04:38 ntp nrpe[12938]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 8 06:04:38 ntp nrpe[12939]: Starting up daemon
Mar 8 06:04:38 ntp nrpe[12939]: Listening for connections on port 5666
Mar 8 06:04:38 ntp icinga-nrpe[12914]: Starting Icinga NRPE ..done
Mar 8 06:06:53 ntp nrpe[13100]: Connection from 127.0.0.1 port 11732
Mar 8 06:06:53 ntp nrpe[13100]: Host address 127.0.0.1 is in allowed_hosts
Mar 8 06:06:53 ntp nrpe[13100]: Handling the connection...
Mar 8 06:06:55 ntp nrpe[13100]: Error: Could not complete SSL handshake. 1
Mar 8 06:06:55 ntp nrpe[13100]: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mar 8 06:06:55 ntp nrpe[13100]: no certificate returned
Mar 8 06:06:55 ntp nrpe[13100]: Connection from 127.0.0.1 closed.
looks like the certificate is not provided by the client, therefore
failing the ssl handshake.
Post by Thomas Pries
./check_nrpe -H ntp.pries.name -C /usr/local/icinga/etc/client_icinga-nrpe.crt -k /usr/local/icinga/etc/client_icinga-nrpe_sin.key -r /usr/local/icinga/etc/client_icinga-nrpe.crt -t 20 -v -c check_part_root
how about permissions on that dir

/usr/local/icinga/etc
Post by Thomas Pries
NRPE Plugin for Icinga
Copyright (c) 2010-2012 Icinga Development Team and Community Contributors (http://www.icinga.org)
Version: 3.0-dev
Last Modified: 03-04-2012
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: OpenSSL 0.9.6 or higher required
CHECK_NRPE: created SSL context.
CHECK_NRPE: SSL/TLS initialized. All network traffic will be encrypted.
CHECK_NRPE: Error - Could not complete SSL handshake.
CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
CHECK_NRPE: (null)
CHECK_NRPE: Error 0 - Failed to verify server x509 certificate.
CHECK_NRPE: error:00000000:lib(0):func(0):reason(0)
CHECK_NRPE: (null)
CHECK_NRPE: Common Name 'ntp.pries.name' in server certificate matches host name 'ntp.pries.name'.
CHECK_NRPE: Got peer certificate.
CHECK_NRPE: SSL connection structure created.
CHECK_NRPE: Result not OK, bailing out ...
hm. awkward. no direct ssl error returned (0 seems to be unlucky)

what host os? openssl version? how did you generate the certs? is it
self signed?
Post by Thomas Pries
log_facility=daemon
pid_file=/var/run/icinga-nrpe.pid
server_port=5666
cert_file=/usr/local/icinga/etc/icinga-nrpe.crt
cacert_file=/usr/local/icinga/etc/icinga-nrpe.crt
privatekey_file=/usr/local/icinga/etc/icinga-nrpe_sin.key
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1,192.168.3.7,::1,2001:4dd0:fb32:3::7
dont_blame_nrpe=0
debug=1
command_timeout=60
connection_timeout=300
illegal_metachars="|`&><'\"[]{};"
command[check_part_root]=/usr/local/icinga/lib/check_disk -w 20% -c 10% -p /
Thomas Pries
2012-03-08 16:30:59 UTC
Post by Michael Friedrich
...
how about permissions on that dir
/usr/local/icinga/etc
owner: root:root
mod: 550

The *.key and *.crt files themselves have
Owner: nagios:nagios
mod: 440
Post by Michael Friedrich
...
what host os? ...
OpenSuSE 12.1 (32 bit)
Post by Michael Friedrich
openssl version?
OpenSSL 1.0.0e 6 Sep 2011
Post by Michael Friedrich
how did you generate the certs?
openssl genrsa -out icinga-nrpe.key -des3 8192
openssl req -new -x509 -days 1460 -key icinga-nrpe.key -out icinga-nrpe.crt
openssl rsa -in icinga-nrpe.key -out icinga-nrpe_sin.key

openssl genrsa -out client_icinga-nrpe.key -des3 8192
openssl req -new -x509 -days 1460 -key client_icinga-nrpe.key -out client_icinga-nrpe.crt
openssl rsa -in client_icinga-nrpe.key -out client_icinga-nrpe_sin.key
Post by Michael Friedrich
is it self signed?
Yes, it is.
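
The trust relationship between two certificates generated as in the post above can be checked offline with `openssl verify`; this is an added example, not part of the original thread. It assumes that `cacert_file` and `-r` name the CA file each side verifies its peer against; the 2048-bit keys and the subject names are constructed to keep the run short.

```shell
#!/bin/sh
# Added example. Key size and subject names are constructed; file names follow
# the thread. One "openssl req" call replaces the thread's genrsa/req/rsa steps.

# make_selfsigned BASE CN: writes BASE_sin.key (no passphrase) and BASE.crt
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1460 -subj "/CN=$2" \
        -keyout "${1}_sin.key" -out "${1}.crt" >/dev/null 2>&1
}

# verifies_against CAFILE CERT: true only if CERT chains to a cert in CAFILE
verifies_against() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# trust_matrix: prints one "CAfile=... cert=... -> OK|FAIL" line per pairing
trust_matrix() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir/icinga-nrpe" ntp.example.test
    make_selfsigned "$dir/client_icinga-nrpe" client.example.test
    # A CA file may hold several PEM certificates; this one trusts both peers.
    cat "$dir/icinga-nrpe.crt" "$dir/client_icinga-nrpe.crt" > "$dir/both.crt"
    for ca in icinga-nrpe client_icinga-nrpe both; do
        for cert in icinga-nrpe client_icinga-nrpe; do
            if verifies_against "$dir/$ca.crt" "$dir/$cert.crt"; then
                result=OK
            else
                result=FAIL
            fi
            echo "CAfile=$ca.crt cert=$cert.crt -> $result"
        done
    done
    rm -rf "$dir"
}

trust_matrix
```

Each self-signed certificate verifies only against a CA file that contains it, which is the pairing to check when one side reports that it failed to verify the peer certificate.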
