I have numerous windows clients that I want to monitor via nagios/nsclient. I've installed the latest nsclient on two win7 x64 and one win2012 r2. Of these one win7 works while the other two machines return could not complete SSL handshake
when a connection is attempted from the nagios machine (libexec/check_nrpe -H hostname -c check_cpu).
What I've tried:
- check passwords – all these systems have identical nsclient.ini files.
- check ports – nmap -P0 client_name returns the same for all (ports 5666 is open)
- run nscp test – non-working systems return
sslv3 alert: unexpected message
(win7) orfailed to establish secure connection: no shared cipher
(win2012)
I'm stuck trying to figure out what's different between the working and non working windows 7 systems and trying to apply this to a windows 2012 system.
Best Answer
If you are using 0.4.3 (which I assume) "default" security has been improved a bit. This unfortunately means the rather insecure check_nrpe wont work.
When you install NSClient++ you have the option of selecting "insecure mode" which should work fine with the classic check_nrpe.
You can also tweak this "in post" using the nrpe command like so:
If you want to use the "slightly more secure" modes offered by NSClient++ you need to install NSClient++ on the nagios server as well and use the NSClient++ version of check_nrpe which support modern SSL and certificate based authentication.