The problem
When using check_nrpe version 4.0.3 (or later), the target host must have a 2048-bit Diffie-Hellman key (DH parameters). NSClient++ (as of the current version, 0.5.2.35) only provides a 512-bit key.
Solution
To solve this, generate a new key and use it instead of the pre-generated key.
Generate the new key
On your OP5 Monitor server, run the following command to generate the key:
# openssl dhparam 2048 2> /dev/null | sed -n '/BEGIN/,/END/p'
This may take several minutes. When it is done, it will produce a key looking similar to this one:
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9ScyVoVj7FaW/0+V1hrbiZhIEHJL+XgDDKhgMKMT9rtaEGSHfagr
TaqQqCIh54mQhbM73Jd9HaFGoKzgHcWvzJDA4tjErYF/4ZJIPrYs3USqYqFCq/Xf
F63DlgDSAFNIzjUum7KQ5l+yxy7eVgqJC+tR9CFvLpte0PPIwm7QU+Em49OaImqr
/+9Pf1N0u9/vaNlME5rLfqt/YROB+nw+hvTMwOw3v9gBlQfV0F4VMRAq1Lgk4+x5
Vw/2EkD/+CVwCtrfwp/WyTyOsHi+lktdRmnePx1PrTnPz1/JvUSF2nFul+Zy6ySQ
qHKaKq1rw2K1Q7urw2Dsm7uhv/beHcuZCwIBAg==
-----END DH PARAMETERS-----
Install the new key on your host
Copy the text displayed when generating the key and paste it into a new file on your host. This file should be named C:\Program Files\NSClient++\security\nrpe_dh_2048.pem. Adjust the path if your NSClient++ installation is located somewhere else on the disk.
Enable the new key
Open the command line on your host and run the following command from the directory of your NSClient++ installation:
.\nscp.exe settings --path /settings/NRPE/server --key dh --set "C:\Program Files\NSClient++\security\nrpe_dh_2048.pem"
Restart NSClient++
Stop and start the client:
net stop nscp
net start nscp
Test the new key
Run the following on your OP5 Monitor server to verify that it is now working:
# /opt/plugins/check_nrpe -H <IP>
(Replace <IP> with the actual address of your host.)
Additional steps
If you get the error "CHECK_NRPE: Invalid packet version received from server.", then you will need to add the option -2 to your check_command.