For years I’ve avoided SSL with NRPE because it just never seemed to work for me and on an internal network is it really needed?
I’m now doing a fresh install of Nagios on a Raspberry Pi and decided, after recently setting up SSL certificates on all my sites, to see if I can get this working with NRPE.
First things first, I’ve made sure the following are installed
apt-get install openssl libssl-dev build-essential
It’s also presumed you have already compiled and installed the Nagios plugins and have a nagios user and group. Download and unpack NRPE 2.13
mkdir nagios
cd nagios
wget http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.13.tar.gz
tar xzvf nrpe-2.13.tar.gz
Now onto the actual work:-
cd nrpe-2.13/
./configure
After a little time I got the nice error I’m used to seeing
checking for SSL libraries… configure: error: Cannot find ssl libraries
So after a little searching I hit upon libssl.so missing. Well not so much missing, it just doesn’t have a link where it’s expected. The answer to which is to create a new symlink to it
ln -s /usr/lib/arm-linux-gnueabihf/libssl.so /usr/lib/libssl.so
UPDATE: Noticed on another system it didn’t work. This was because /usr/lib/libssl.so was already present but pointing to the wrong place, which stopped the link being created. So I ran rm /usr/lib/libssl.so then reran the above; this created the link properly and the ./configure then ran as normal.
On my system it’s in the /usr/lib/arm-linux-gnueabihf folder, but on an x86 system this could be something like /usr/lib/x86_64-linux-gnu/
So now I rerun the configure step
./configure
At the point I see
*** Generating DH Parameters for SSL/TLS ***
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
…………………+…………………+…………+…………………….++*++*++*++*++*++*
I know it’s taken the SSL stuff well. When the configure run completes without errors, you can continue to the make stage
make all
Update /etc/services inserting “nrpe 5666/tcp # NRPE”
nano -w /etc/services
I’ve always run nrpe under xinetd for all my installs, so make sure xinetd is installed
apt-get install xinetd
Once it’s installed you need to add a new service. Edit the file /etc/xinetd.d/nrpe
nano -w /etc/xinetd.d/nrpe
My sample configuration:-
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.0.0/16
}
You will probably need to change the user, group and only_from fields to suit your installation.
Next you’ll need a configuration. I’m just going to copy the sample for now
mkdir /usr/local/nagios/etc
cp sample-config/nrpe.cfg /usr/local/nagios/etc/nrpe.cfg
chown -R nagios:nagios /usr/local/nagios/etc/
Lastly restart the xinetd service
/etc/init.d/xinetd restart
You can test your nrpe installation from your Nagios server with the check_nrpe command. It’s probably worth also checking the syslog or messages for the system after restarting xinetd, as any errors regarding startup will be reported there.
I’ve tested from my server using
/usr/local/nagios/libexec/check_nrpe -H titan
titan being the name of the server I have just completed an installation of plugins+nrpe on (I’ve already run through the above on titan itself). It responds with
NRPE v2.13
So all working.
UPDATE #2
I skipped through the steps above and was trying to just return the NRPE version, but I kept hitting the error: “CHECK_NRPE: Error – Could not complete SSL handshake.”
Thinking something was wrong with the SSL I went back through everything, but got the same error. I then realised I hadn’t yet put a config in place for NRPE (as I was only trying to return the version number, I didn’t think it was too important). A silly mistake, but it returns an off-putting error.
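A pre-flight check for the mistake described in UPDATE #2, as an added example that is not part of the original post: it reads the xinetd service file, confirms that the server binary and the config named by -c exist, and looks for the /etc/services entry. The function names and the sample files it builds when run without arguments are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for NRPE under xinetd.

# xinetd_field FILE KEY -> value of the first "KEY = value" / "KEY += value" line.
xinetd_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[+]\{0,1\}=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# nrpe_cfg_path FILE -> the path that follows -c in server_args.
nrpe_cfg_path() {
    set -- $(xinetd_field "$1" server_args)
    while [ "$#" -gt 1 ]; do
        if [ "$1" = "-c" ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# nrpe_preflight SERVICE_FILE [SERVICES_DB] -> 0 if every check passes, else 1.
nrpe_preflight() {
    svc=$1; db=${2:-/etc/services}; rc=0
    [ -r "$svc" ] || { echo "FAIL: cannot read $svc"; return 1; }
    bin=$(xinetd_field "$svc" server)
    cfg=$(nrpe_cfg_path "$svc") || cfg=
    grep -Eq '^nrpe[[:space:]]+5666/tcp' "$db" 2>/dev/null ||
        { echo "FAIL: no 'nrpe 5666/tcp' entry in $db"; rc=1; }
    [ "$(xinetd_field "$svc" disable)" != "yes" ] ||
        { echo "FAIL: service has disable = yes"; rc=1; }
    [ -x "$bin" ] || { echo "FAIL: server '$bin' missing or not executable"; rc=1; }
    if [ -z "$cfg" ]; then
        echo "FAIL: server_args has no -c <config>"; rc=1
    elif [ ! -s "$cfg" ]; then
        echo "FAIL: config '$cfg' missing or empty"; rc=1
    fi
    echo "INFO: only_from = $(xinetd_field "$svc" only_from)"
    return $rc
}

# With a path argument, check that file; with none, run on constructed sample input.
if [ "$#" -gt 0 ]; then
    nrpe_preflight "$@"
else
    d=$(mktemp -d)   # constructed sample: service file whose nrpe.cfg does not exist
    printf 'nrpe 5666/tcp # NRPE\n' > "$d/services"
    printf 'service nrpe\n{\n server = /bin/sh\n server_args = -c %s/nrpe.cfg --inetd\n disable = no\n only_from = 127.0.0.1\n}\n' "$d" > "$d/nrpe"
    nrpe_preflight "$d/nrpe" "$d/services" || echo "pre-flight failed, as expected for the sample"
    rm -rf "$d"
fi
```

On a real host, pass the service file as the first argument, for example /etc/xinetd.d/nrpe, and review the printed only_from value against the address of the Nagios server.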