This article outlines, using examples, how you would secure your OP5 Linux monitoring with SSL.
In general, the paths and names of the certificate files are arbitrary, as long as the same paths are specified in your nrpe.cfg file and on the check_nrpe command line.
Prerequisites
It is presumed that you have the NRPE agent and Nagios plugins installed on any client machines that you wish to monitor.
You will need OpenSSL, which in turn requires some development tools. There are many guides on the internet that explain how to install OpenSSL; install the latest supported version available for your system.
Create a Certificate Authority (CA)
If you want to require SSL certificates for NRPE checks using self-signed certificates, you will first need to create your own certificate authority. In this example it is done on the OP5 monitor, which has the arbitrary hostname op5server.
Firstly, on the OP5 monitor, create the CA key.
Remember the passphrase you enter here, as it will be needed later when signing your client certificates.
[root@op5server]# openssl genrsa -aes128 -out /etc/pki/tls/private/myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..........................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:
Verifying - Enter pass phrase for myCA.key:
Now, using this key, create the Certificate Authority certificate.
[root@op5server]# openssl req -new -x509 -days 1825 -key \
/etc/pki/tls/private/myCA.key -out /etc/pki/tls/certs/myCA.crt
Enter pass phrase for /etc/pki/tls/private/myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:Cymru
Locality Name (eg, city) [Default City]:Caerdydd
Organization Name (eg, company) [Default Company Ltd]:ITRS
Organizational Unit Name (eg, section) []:CS
Common Name (eg, your name or your server's hostname) []:OP5-Rocky
Email Address []:hgriffiths@itrsgroup.com
You can do this in non-interactive mode by using the -subj option.
[root@op5server]# openssl req -new -x509 -days 1825 \
-key /etc/pki/tls/private/myCA.key \
-out /etc/pki/tls/certs/myCA.crt \
-subj "/C=GB/ST=Cymru/L=Caerdydd/O=ITRS/OU=CS/CN=cslab.ldn.itrs"
Enter pass phrase for /etc/pki/tls/private/myCA.key:
Create a local client certificate using this CA
On this OP5 master we want to monitor the host itself, so it needs its own client certificate.
Create a client private key
[root@op5server]# openssl genrsa -out /etc/pki/tls/private/op5client.key 2048
Check the permissions of the new key and chmod it if necessary, as it must be readable by the nrpe process.
[root@op5server]# chmod 644 /etc/pki/tls/private/op5client.key
Now generate a CSR (Certificate Signing Request).
Note that the common name (CN) attribute must not be the same as that of the CA certificate (the CA was set to cslab.ldn.itrs; the client below is set to huw-v9rocky01.cslab.ldn.itrs).
Using the same CN leads to the following error in the nrpe log:
Could not complete SSL handshake with ::1: tlsv1 alert unknown ca
[root@op5server]# openssl req -new -key /etc/pki/tls/private/op5client.key \
-out /etc/pki/tls/op5client.csr \
-subj "/C=GB/ST=Cymru/L=Caerdydd/O=ITRS/OU=CS/CN=huw-v9rocky01.cslab.ldn.itrs"
Sign the client certificate
[root@op5server]# openssl x509 -req -in /etc/pki/tls/op5client.csr \
-CA /etc/pki/tls/certs/myCA.crt \
-CAkey /etc/pki/tls/private/myCA.key -CAcreateserial \
-out /etc/pki/tls/certs/op5client.crt -days 730
Set certificate paths and require client certificates in /etc/nagios/nrpe.cfg
ssl_cacert_file=/etc/pki/tls/certs/myCA.crt
ssl_cert_file=/etc/pki/tls/certs/op5client.crt
ssl_privatekey_file=/etc/pki/tls/private/op5client.key
# SSL USE CLIENT CERTS
# This option determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
# 1 = Ask for client certificates
# 2 = Require client certificates
ssl_client_certs=2
Restart the NRPE service
[root@op5server]# systemctl restart nrpe
Test by running a local nrpe check.
(In this case, we are both server and client.)
[root@op5server]# /opt/plugins/check_nrpe -H 127.0.0.1
CHECK_NRPE: Error sending query to host.
Now test, specifying the newly created certificates.
[root@op5server]# /opt/plugins/check_nrpe -A /etc/pki/tls/certs/myCA.crt \
-C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key \
-H 127.0.0.1
NRPE v4.1.0
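As an added example (not part of the original article and not OP5 or ITRS code), the following POSIX shell script checks the nrpe.cfg settings above and, where openssl is installed, verifies that the client certificate chains to the CA certificate it references and that its CN differs from the CA's CN, the cause of the "unknown ca" handshake error noted earlier. The path /etc/nagios/nrpe.cfg and the option names are the article's; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check an nrpe.cfg
# for the client-certificate settings described above and, where openssl is
# installed, verify the client certificate against the CA it references.
set -u

# cfg_value FILE KEY: print the value of KEY=VALUE in FILE (last match wins)
cfg_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# check_nrpe_ssl_cfg FILE: return 0 when client certificates are required
# and every referenced file exists and is readable by the current user
check_nrpe_ssl_cfg() {
    cfg=$1; rc=0
    [ "$(cfg_value "$cfg" ssl_client_certs)" = "2" ] || {
        echo "ssl_client_certs is not 2: client certificates are not required"; rc=1; }
    for key in ssl_cacert_file ssl_cert_file ssl_privatekey_file; do
        f=$(cfg_value "$cfg" "$key")
        if [ -z "$f" ]; then echo "$key is not set"; rc=1
        elif [ ! -r "$f" ]; then echo "$key: $f is missing or unreadable by $(id -un)"; rc=1
        fi
    done
    return $rc
}

# cert_cn FILE: print the CN of the certificate subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_nrpe_chain CA CERT: return 0 when CERT chains to CA and the two CNs
# differ (a client CN equal to the CA CN gives the "unknown ca" handshake error)
verify_nrpe_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "$2 does not chain to $1"; return 1; }
    [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ] || { echo "client CN equals CA CN: $(cert_cn "$2")"; return 1; }
}

# Run against the live configuration only when invoked with --run
if [ "${1:-}" = "--run" ]; then
    cfg=/etc/nagios/nrpe.cfg
    check_nrpe_ssl_cfg "$cfg" && command -v openssl >/dev/null 2>&1 &&
        verify_nrpe_chain "$(cfg_value "$cfg" ssl_cacert_file)" "$(cfg_value "$cfg" ssl_cert_file)"
fi
```

Run it as the nrpe user (for example with sudo -u nrpe sh script.sh --run) so the readability check reflects the account that actually opens the key.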
Setup Remote Client Certificates
Copy the CA certificate to the remote client. e.g.
[root@op5server]# scp /etc/pki/tls/certs/myCA.crt remote_client:/etc/pki/tls/certs/myCA.crt
Either create a new client key, signing request and certificate as done previously, or simply copy the existing key and certificate, e.g.
[root@op5server]# scp /etc/pki/tls/private/op5client.key remote_client:/etc/pki/tls/private/op5client.key
[root@op5server]# scp /etc/pki/tls/certs/op5client.crt remote_client:/etc/pki/tls/certs/op5client.crt
Either modify nrpe.cfg on the client (as done previously) or copy it over. e.g.
[root@op5server]# scp /etc/nagios/nrpe.cfg remote_client:/etc/nagios/nrpe.cfg
Restart the NRPE service
[root@remote_client]# systemctl restart nrpe
Test the client SSL connection from the server with and without certificates.
[root@op5server]# /opt/plugins/check_nrpe -H remote_client -c root_disk
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 172.16.1.129: 1
[root@op5server]# /opt/plugins/check_nrpe -A /etc/pki/tls/certs/myCA.crt \
-C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key \
-H remote_client -c root_disk
DISK OK - free space: / 26067 MB (89.39% inode=100%);| /=3093MB;23328;26244;0;29161
Edit the check_nrpe command line in the OP5 GUI to include the additional certificate arguments
Command line for check_nrpe should now read:
$USER1$/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H $HOSTADDRESS$ -c $ARG1$
Click on Test this Command and then Test this Check.
Test this Check will complain about a missing argument:
_USER1_/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H $HOSTADDRESS$ -c Result code: 3 ERROR OUTPUT: /opt/plugins/check_nrpe: option requires an argument -- 'c'
Remove -c $ARG1$ from the Test this Check command line and change $HOSTADDRESS$ to localhost:
_USER1_/check_nrpe -A /etc/pki/tls/certs/myCA.crt -C /etc/pki/tls/certs/op5client.crt -K /etc/pki/tls/private/op5client.key -H localhost Result code: 0 NRPE v4.1.0
If the check completes successfully, save the command with the Submit button.
If you have any further questions:
- Please contact our Client Services team via the chat box available on any of our websites or by email to support@itrsgroup.com
- Make sure you provide us with:
- ANY LOG FILE OR DIAGNOSTIC
- ANY SCREENSHOT