
How to Implement SSL for OP5/NRPE on Linux with self-signed certificates

This article outlines, using examples, how you would secure your OP5 Linux monitoring with SSL.

In general, the paths and names of the certificate files used are arbitrary, as long as the same paths are specified in your nrpe.cfg file and nrpe command line.

Prerequisites

It is presumed that you have the NRPE agent and Nagios plugins installed on any client machines that you wish to monitor.

You will need OpenSSL, which in turn requires some development tools. There are many guides on the internet that explain how to install OpenSSL. You should install the latest supported version available for your system.

Create a Certificate Authority (CA)

If you want to require SSL certificates for NRPE checks using self-signed certificates, you will first need to create your own certificate authority. In this example, this is done on the OP5 monitor, which has the arbitrary hostname op5server.

Firstly, on the OP5 monitor, create the CA key

Remember the passphrase you enter here, as it will be needed later when signing your client certificates.

[root@op5server]# openssl genrsa -aes128 -out /etc/pki/tls/private/myCA.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..........................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:

Now, using this key, create the Certificate Authority certificate

[root@op5server]# openssl req -new -x509 -days 1825 -key \
/etc/pki/tls/private/myCA.key -out /etc/pki/tls/certs/myCA.crt

Enter pass phrase for /etc/pki/tls/private/myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Cymru
Locality Name (eg, city) [Default City]:Caerdydd
Organization Name (eg, company) [Default Company Ltd]:ITRS
Organizational Unit Name (eg, section) []:CS
Common Name (eg, your name or your server's hostname) []:OP5-Rocky
Email Address []:hgriffiths@itrsgroup.com

You can do this in non-interactive mode by using the -subj option:

[root@op5server]# openssl req -new -x509 -days 1825 \
 -key /etc/pki/tls/private/myCA.key \
 -out /etc/pki/tls/certs/myCA.crt \
 -subj "/C=GB/ST=Cymru/L=Caerdydd/O=ITRS/OU=CS/CN=cslab.ldn.itrs"

Enter pass phrase for /etc/pki/tls/private/myCA.key:

Create a local client certificate using this CA

On this OP5 master we will want to monitor the server itself, so it needs its own client certificate.

Create a client private key

[root@op5server]# openssl genrsa -out /etc/pki/tls/private/op5client.key 2048

Check the permissions of the new key and chmod if necessary, as it will need to be readable by the nrpe process

[root@op5server]#  chmod 644 /etc/pki/tls/private/op5client.key

Now generate a CSR (Certificate Signing Request)

Note that the common name (CN) attribute must not be the same as that of the CA certificate (the CA was set to cslab.ldn.itrs; the client below is set to huw-v9rocky01.cslab.ldn.itrs).

Using the same CN will lead to the following error in the nrpe log:

Could not complete SSL handshake with ::1: tlsv1 alert unknown ca

[root@op5server]#  openssl req -new -key /etc/pki/tls/private/op5client.key \
 -out /etc/pki/tls/op5client.csr \
 -subj "/C=GB/ST=Cymru/L=Caerdydd/O=ITRS/OU=CS/CN=huw-v9rocky01.cslab.ldn.itrs"

Sign the client certificate

[root@op5server]# openssl x509 -req -in /etc/pki/tls/op5client.csr \
-CA /etc/pki/tls/certs/myCA.crt \
-CAkey /etc/pki/tls/private/myCA.key -CAcreateserial \
-out /etc/pki/tls/certs/op5client.crt -days 730

Set certificate paths and require client certificates in /etc/nagios/nrpe.cfg

ssl_cacert_file=/etc/pki/tls/certs/myCA.crt
ssl_cert_file=/etc/pki/tls/certs/op5client.crt
ssl_privatekey_file=/etc/pki/tls/private/op5client.key

## SSL USE CLIENT CERTS
## This option determines client certificate usage.
## Values: 0 = Don't ask for or require client certificates (default)
## 1 = Ask for client certificates
## 2 = Require client certificates

ssl_client_certs=2
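The following is an added example, not part of the original article: it reproduces the CA and client-certificate steps above non-interactively in a scratch directory, then checks the result the way a practitioner would before restarting nrpe (the client certificate chains to myCA.crt, its CN differs from the CA CN, and the nrpe.cfg fragment sets ssl_client_certs=2 and points at readable files). It assumes the DN fields used in the article and gives the CA key no passphrase so it can run unattended; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the article's DN fields and a
# passphrase-less CA key so the whole run is unattended.
set -eu

DN_BASE="/C=GB/ST=Cymru/L=Caerdydd/O=ITRS/OU=CS"

# make_nrpe_certs DIR CA_CN CLIENT_CN: CA key/cert, client key, CSR, signed cert,
# mirroring the openssl commands in the article.
make_nrpe_certs() {
    openssl genrsa -out "$1/myCA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1825 -key "$1/myCA.key" -out "$1/myCA.crt" \
        -subj "$DN_BASE/CN=$2"
    openssl genrsa -out "$1/op5client.key" 2048 2>/dev/null
    openssl req -new -key "$1/op5client.key" -out "$1/op5client.csr" \
        -subj "$DN_BASE/CN=$3"
    openssl x509 -req -in "$1/op5client.csr" -CA "$1/myCA.crt" \
        -CAkey "$1/myCA.key" -CAcreateserial -out "$1/op5client.crt" -days 730 2>/dev/null
}

# cert_cn FILE: print the CN from the certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# check_nrpe_certs DIR: 0 only if the client cert chains to myCA.crt AND its CN
# differs from the CA's CN (the article notes a shared CN causes "unknown ca").
check_nrpe_certs() {
    openssl verify -CAfile "$1/myCA.crt" "$1/op5client.crt" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$1/myCA.crt")" != "$(cert_cn "$1/op5client.crt")" ]
}

# check_nrpe_cfg FILE: 0 only if ssl_client_certs=2 (require client certs) and
# every ssl_* path named in the file exists and is readable.
check_nrpe_cfg() {
    [ "$(sed -n 's/^ssl_client_certs=//p' "$1")" = 2 ] || return 1
    for key in ssl_cacert_file ssl_cert_file ssl_privatekey_file; do
        path=$(sed -n "s/^$key=//p" "$1")
        [ -n "$path" ] && [ -r "$path" ] || return 1
    done
}

# write_nrpe_cfg DIR: constructed nrpe.cfg fragment pointing at DIR's files.
write_nrpe_cfg() {
    printf 'ssl_cacert_file=%s/myCA.crt\nssl_cert_file=%s/op5client.crt\nssl_privatekey_file=%s/op5client.key\nssl_client_certs=2\n' \
        "$1" "$1" "$1" > "$1/nrpe.cfg"
}
```

Run it against the real /etc/nagios/nrpe.cfg with check_nrpe_cfg, or against a scratch directory populated by make_nrpe_certs, to confirm the setup before the restart.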

Restart the NRPE service

[root@op5server]# systemctl restart nrpe

Test by running a local nrpe check

(In this case, we are both server and client.)

[root@op5server]# /opt/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error sending query to host.

Now test, specifying the newly created certificates

[root@op5server]# /opt/plugins/check_nrpe -A /etc/pki/tls/certs/myCA.crt \
 -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H 127.0.0.1

NRPE v4.1.0

Set Up Remote Client Certificates

Copy the CA certificate to the remote client, e.g.:

[root@op5server]#  scp /etc/pki/tls/certs/myCA.crt remote_client:/etc/pki/tls/certs/myCA.crt

Either create a new client key, signing request and certificate as done previously, or simply copy the existing key and certificate, e.g.:

[root@op5server]# scp /etc/pki/tls/private/op5client.key remote_client:/etc/pki/tls/private/op5client.key
[root@op5server]# scp /etc/pki/tls/certs/op5client.crt remote_client:/etc/pki/tls/certs/op5client.crt

Either modify nrpe.cfg on the client (as done previously) or copy it over, e.g.:

[root@op5server]# scp /etc/nagios/nrpe.cfg remote_client:/etc/nagios/nrpe.cfg

Restart the NRPE service

[root@remote_client]# systemctl restart nrpe

Test the client SSL connection from the server with and without certificates

[root@op5server]# /opt/plugins/check_nrpe  -H remote_client -c root_disk
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.16.1.129: 1

[root@op5server]# /opt/plugins/check_nrpe -A /etc/pki/tls/certs/myCA.crt \
-C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H remote_client -c root_disk

DISK OK - free space: / 26067 MB (89.39% inode=100%);| /=3093MB;23328;26244;0;29161

Edit the check_nrpe command line in the OP5 GUI to include the additional certificate arguments


Command line for check_nrpe should now read:

$USER1$/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H $HOSTADDRESS$ -c $ARG1$

Click on Test this Command and then Test this Check.

Test this Check will complain about a missing argument:

_USER1_/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H $HOSTADDRESS$ -c
Result code: 3
ERROR OUTPUT:
/opt/plugins/check_nrpe: option requires an argument -- 'c'

Remove the -c $ARG1$ from the Test this Check command line and change $HOSTADDRESS$ to localhost:

_USER1_/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H localhost
Result code: 0
NRPE v4.1.0