
How to use self-signed SSL certificates between the opsview-agent and infrastructure-agent

This article describes how to use self-signed SSL certificates with the Opsview agent (monitor) and the infrastructure agent (remote end).

If you are trying to use self-signed certificates with the Agents without making the necessary changes to the agent configuration file and the Web UI, you will see errors like the below:

As the directories and ciphers are different they will need changing:

1. On the Opsview monitor, edit the desired host and click on the Variables sub-tab:

Add the variable NRPE_CERTIFICATES (below example)


2. Then add a second variable called `NRPE_CIPHERS` to override the cipher list with the string `ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS`


Then apply the changes.

3. On the remote end, make sure the config is amended as in the example config file below:

```yaml
---
## This file has been created as a placeholder for your custom
## configuration overrides. YAML configuration files in the "custom"
## directory will be read in alphanumeric order.
server:
  allow_multi_packet_response: true
  allowed_hosts: 0.0.0.0
  bind_address: 0.0.0.0
  housekeeping_interval: 300
  max_active_connections: 15
  max_queued_connections: 30
  max_request_time: 120
  port: 5666
  receive_data_timeout: 5
  tls:
    ca_cert: null
    ca_path: null
    cert_file: '/opt/itrs/infrastructure-agent/var/ejf-ub22-infra-qa-server.crt'
    key_file: '/opt/itrs/infrastructure-agent/var/ejf-ub22-infra-qa-server.key'
    check_client_cert: false
    cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    context_options:
    - NO_SSLv3
    - NO_TLSv1
    - NO_TLSv1_1
  tls_enabled: true
  tls_handshake_timeout: 3
```

After making the changes above, restart the agent for them to take effect, then check its status to confirm it is running. If it is not running, you probably have a syntax error in the YAML file:

```
systemctl restart infrastructure-agent
systemctl status infrastructure-agent
```

In the example below from my Opsview monitor, I have successfully established a handshake with the infrastructure agent on the remote end. If any service checks fail with an unknown `CHECK_NRPE: Error Sending Query To Host`, the check must pass `-C '%NRPE_CERTIFICATES:1%' -k '%NRPE_CERTIFICATES:2%' -r '%NRPE_CERTIFICATES:3%' -y '%NRPE_CIPHERS:1%'`: edit the service check to add these arguments and then submit the changes, after which the check should work.

`check_nrpe` output from my 6.7 system to the infrastructure agent box. This example command uses the `-r` option with no value:

```
check_nrpe -H '10.140.1.155' -c check_cpu_stats -C '/opt/opsview/etc/ssl/ca.crt' -k '/opt/opsview/etc/ssl/ca.pem' -r '' -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS'
OK: utilization:0.3%,guest:0.0%,guest_nice:0.0%,iowait:0.0%,irq:0.0%,nice:0.0%,softirq:0.0%,steal:0.1%,system:0.1%,user:0.1%|'guest'=0.00%;;;0;100 'guest_nice'=0.00%;;;0;100 'iowait'=0.02%;;;0;100 'irq'=0.00%;;;0;100 'nice'=0.00%;;;0;100 'softirq'=0.00%;;;0;100 'steal'=0.12%;;;0;100 'system'=0.08%;;;0;100 'user'=0.10%;;;0;100 'utilization'=0.33%;;;0;100
```

You have now configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.
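The `NRPE_CIPHERS` string set on the monitor and the agent's `cipher_suite` are not the same list: the monitor string also enables `ADH-*`, `MD5` and `DSS`, which the agent excludes with `!aNULL:!MD5:!DSS`. The following added example (not Opsview code) compares the two strings from this page entry by entry; the `WEAK` table and the function names are assumptions of the example, and it compares keywords only rather than expanding them through OpenSSL.

```python
import re

# Copied from the page: NRPE_CIPHERS (monitor side) and cipher_suite from the
# infrastructure-agent YAML (remote side).
MONITOR_CIPHERS = ("ECDH+AESGCM:ECDH+AES256:ECDH+AES128:"
                   "ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS")
AGENT_CIPHERS = "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS"

# Assumption of this example: keywords treated as weak, mapped to the OpenSSL
# class keyword that excludes them (anonymous key exchange, MD5 MAC, DSS auth).
WEAK = {"ADH": "aNULL", "AECDH": "aNULL", "aNULL": "aNULL",
        "MD5": "MD5", "DSS": "DSS", "aDSS": "DSS"}


def parse(cipher_string):
    """Split an OpenSSL cipher string into (enabled, excluded) entries."""
    enabled, excluded = [], []
    for entry in re.split(r"[:, ]+", cipher_string.strip()):
        if not entry:
            continue
        if entry[0] in "!-":  # '!' and '-' both remove ciphers from the list
            excluded.append(entry[1:])
        else:
            enabled.append(entry.lstrip("+"))
    return enabled, excluded


def weak_classes(entry):
    """Weak classes named by one entry, e.g. ADH-AES256-SHA -> ['aNULL']."""
    return sorted({WEAK[p] for p in re.split(r"[+-]", entry) if p in WEAK})


def compare(monitor, agent):
    """Compare the two strings entry by entry (no OpenSSL expansion)."""
    m_on, _ = parse(monitor)
    a_on, a_off = parse(agent)
    weak = {e: weak_classes(e) for e in m_on if weak_classes(e)}
    refused = [e for e, cls in weak.items() if all(c in a_off for c in cls)]
    return {"shared": [e for e in m_on if e in a_on],
            "weak_on_monitor": weak,
            "refused_by_agent": refused,
            "not_excluded_by_agent": [e for e in weak if e not in refused]}


if __name__ == "__main__":
    for key, value in compare(MONITOR_CIPHERS, AGENT_CIPHERS).items():
        print(f"{key}: {value}")
```

With the strings from this page, every weak entry on the monitor lands in `refused_by_agent`, so the only entries both ends agree on are the three `ECDH+...` ones. If the agent's exclusions were dropped, the same entries would move to `not_excluded_by_agent`.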
