When using check_nrpe version 4.0.3 (or later), you are required to have a 2048-bit Diffie-Hellman key on the target host. NSClient++ (as of the current version 0.5.2.35) only provides a 512-bit key.
To solve this, generate a new key and use it instead of the pre-generated key.
Generate the new key
On your OP5 Monitor server, run the following command to generate the key:
# openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'
This may take several minutes. When it is done, it will produce a key looking similar to this one:
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
Install the new key on your host
Copy the text displayed when generating the key and paste it into a new file on your host. Name the file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem. Adjust the path if your NSClient++ installation is located somewhere else on the disk.
Enable the new key
Open the command line on your host and run the following command from the directory of your NSClient++ installation:
.\nscp.exe settings --path /settings/NRPE/server --key dh --set "C:\Program Files\NSClient++\security\nrpe_dh_2048.pem"
Stop and start the client:
net stop nscp
net start nscp
Test the new key
Run the following on your OP5 Monitor server to verify that it is now working:
# /opt/plugins/check_nrpe -H <IP>
(Replace <IP> with the actual address of your host.)
If you get the error "CHECK_NRPE: Invalid packet version received from server.", then you will need to add the option -2 to your check_command.