Bug 49082 - enable usage of client certificates in check_nrpe
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Monitoring (Prometheus or Nagios)
Version: UCS 4.3
OS: Other Linux
Importance: P5 enhancement
Assigned To: UCS maintainers
Reported: 2019-03-25 12:43 CET by Stephan Hendl
Modified: 2022-06-27 17:48 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Ticket number: 2019031221000693
Attachments
check_nrpe configuration for usage of certificates (966 bytes, patch)
2019-03-25 12:44 CET, Stephan Hendl
nrpe-daemon configuration for user of certificates (886 bytes, patch)
2019-03-25 12:45 CET, Stephan Hendl

Description Stephan Hendl 2019-03-25 12:43:35 CET
With UCS-4.3 the packages nagios-nrpe-plugin as well as nagios-nrpe-server came in version 3.0.1-3. This version is able to make use of client certificates. Since a valid PKI is available in UCS, the communication between the Nagios4 server (nagios-nrpe-plugin) and the various Univention servers (nagios-nrpe-server) should be secured with certificates.

In order to achieve that, two steps have to be done on the Nagios4 server:

1) change the file /etc/nagios-plugins/config/check_nrpe.cfg as proposed in patch "check_nrpe.cfg.patch"
2) make the directories /etc/univention/ssl/$(<hostname|hostname -f>) readable for the user "nagios"

On the NRPE server the following steps have to be done:

1) change the file /etc/nagios/nrpe.cfg as proposed in patch "nrpe.cfg.patch"
2) make the directories /etc/univention/ssl/$(<hostname|hostname -f>) readable for the user "nagios"

After restarting the nagios-nrpe-server one can check the configuration via:

/usr/lib/nagios/plugins/check_nrpe -A /etc/univention/ssl/ucsCA/CAcert.pem -C /etc/univention/ssl/ucsnetmon2/cert.pem -K /etc/univention/ssl/ucsnetmon2/private.key -H ucsdevel64.ltbbg1.lvnbb.de -s 0xffffffff

And you will find the following lines in /var/log/syslog:

Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Certificate File: /etc/univention/ssl/ucsnetmon2/cert.pem
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Private Key File: /etc/univention/ssl/ucsnetmon2/private.key
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL CA Certificate File: /etc/univention/ssl/ucsCA/CAcert.pem
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Cipher List: ALL:!MD5:@STRENGTH
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Allow ADH: Allow
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Log Options: 0xffffffff
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Version: TLSv1_plus And Above
Mar 25 12:40:02 ucsnetmon2 check_nrpe: Connected to 10.142.235.49
Mar 25 12:40:02 ucsnetmon2 check_nrpe: Remote 10.142.235.49 - SSL Version: TLSv1.2
Mar 25 12:40:02 ucsnetmon2 check_nrpe: Remote 10.142.235.49 - TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL 10.142.235.49 has a valid certificate
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL 10.142.235.49 Cert Name: /C=DE/ST=Brandenburg/L=Potsdam/O=Landtag Brandenburg/OU=Verwaltung/CN=ucsdevel64.ltbbg1.lvnbb.de/emailAddress=ca@landtag.brandenburg.de
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL 10.142.235.49 Cert Issuer: /C=DE/ST=Brandenburg/L=Potsdam/O=Landtag Brandenburg/OU=Verwaltung/CN=Landtag Brandenburg UCS Root CA/emailAddress=ca@landtag.brandenburg.de
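Added example, not part of the bug report or of NRPE itself: a Python check that reads the check_nrpe syslog lines shown above and flags handshakes that do not deliver what the client-certificate setup is meant to provide (missing cert/key/CA file, unverified server certificate, CN not matching the target host, TLS below 1.2, an anonymous cipher suite, or ADH still allowed). The sample log is constructed from the report's own lines, and the hostname passed to assess() is assumed to be the value given to -H.

```python
import re
# Constructed sample input: the syslog lines check_nrpe -s 0xffffffff wrote in the
# bug report above, trimmed to the ones this check reads.
SAMPLE_LOG = """\
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Certificate File: /etc/univention/ssl/ucsnetmon2/cert.pem
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Private Key File: /etc/univention/ssl/ucsnetmon2/private.key
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL CA Certificate File: /etc/univention/ssl/ucsCA/CAcert.pem
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL Allow ADH: Allow
Mar 25 12:40:02 ucsnetmon2 check_nrpe: Remote 10.142.235.49 - SSL Version: TLSv1.2
Mar 25 12:40:02 ucsnetmon2 check_nrpe: Remote 10.142.235.49 - TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL 10.142.235.49 has a valid certificate
Mar 25 12:40:02 ucsnetmon2 check_nrpe: SSL 10.142.235.49 Cert Name: /C=DE/ST=Brandenburg/O=Landtag Brandenburg/CN=ucsdevel64.ltbbg1.lvnbb.de/emailAddress=ca@landtag.brandenburg.de
"""
# One regex per check_nrpe message; a pattern without a group just records presence.
PATTERNS = {
    "client_cert": r"SSL Certificate File: (\S+)",
    "client_key": r"SSL Private Key File: (\S+)",
    "ca_cert": r"SSL CA Certificate File: (\S+)",
    "allow_adh": r"SSL Allow ADH: (\S+)",
    "tls_version": r"Remote \S+ - SSL Version: TLSv(\d+(?:\.\d+)?)",
    "cipher": r"Cipher is (\S+)",
    "cert_valid": r"SSL \S+ has a valid certificate",
    "cert_cn": r"Cert Name: .*?/CN=([^/]+)",
}
def parse_check_nrpe_log(text):
    """Collect the TLS details check_nrpe logged for one connection."""
    info = {}
    for line in text.splitlines():
        for field, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m:
                info[field] = m.group(1) if m.groups() else True
    return info
def assess(info, expected_host):
    """Return findings for the handshake; an empty list means it looks as intended."""
    findings = []
    if not (info.get("client_cert") and info.get("client_key") and info.get("ca_cert")):
        findings.append("client certificate, key or CA file missing from the check_nrpe config")
    if info.get("cert_valid") is not True:
        findings.append("server certificate did not verify against the CA")
    if info.get("cert_cn") != expected_host:
        findings.append("server certificate CN %r != target host %r" % (info.get("cert_cn"), expected_host))
    if tuple(int(x) for x in info.get("tls_version", "0").split(".")) < (1, 2):
        findings.append("negotiated TLS version below 1.2")
    # OpenSSL names anonymous suites ADH-*/AECDH-*: neither side proved its identity.
    if info.get("cipher", "").startswith(("ADH-", "AECDH-")):
        findings.append("anonymous DH cipher negotiated, the certificates were not used")
    if info.get("allow_adh") == "Allow":  # the value the report's log shows
        findings.append("ADH still allowed: a server offering only anonymous suites would be accepted")
    return findings
```

Run against the report's log this yields exactly one finding, the ADH one, because the actual handshake used ECDHE-RSA with a verified certificate but the client would also have accepted an anonymous suite.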
Comment 1 Stephan Hendl 2019-03-25 12:44:29 CET
Created attachment 9937 [details]
check_nrpe configuration for usage of certificates
Comment 2 Stephan Hendl 2019-03-25 12:45:09 CET
Created attachment 9938 [details]
nrpe-daemon configuration for user of certificates
Comment 3 Ingo Steuwer univentionstaff 2021-05-14 13:56:16 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.