Bug 1470684

Summary: NRPE stopped working using SSL
Product: [Fedora] Fedora Reporter: Timo Schoeler <timo>
Component: nrpeAssignee: Stephen John Smoogen <smooge>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 26CC: athmanem, b.heden, jose.p.oliveira.oss, kmf, ondrejj, redhat, smooge, smooge, s, swilkerson, timo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nrpe-3.2.0-3.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-09 15:53:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Timo Schoeler 2017-07-13 12:57:03 UTC 
Description of problem:

NRPE stopped working after upgrading from F25 to F26.


Version-Release number of selected component (if applicable):

Name         : nrpe
Version      : 3.1.1
Release      : 1.fc26
Arch         : x86_64
Size         : 337 k
Source       : nrpe-3.1.1-1.fc26.src.rpm
Repo         : @System
From repo    : updates


How reproducible:

Upgrade F25 system to F26, watch it fail.


Logfile says:

Jul 13 14:55:38 FQDN nrpe[21511]: Error: Could not complete SSL handshake with 1.2.3.4: 1


Debian seems to have this issue, too: 

https://github.com/NagiosEnterprises/nrpe/issues/113
Comment 1 Stephen John Smoogen 2017-07-13 13:10:48 UTC 
Please try the version in testing which may fix the issue or give more information on the problem. One of the issues that has come up is that older nrpe clients are trying to talk SSL which current openssl no longer supports. The only fix for that is updating the client.
Comment 2 Timo Schoeler 2017-07-13 13:38:59 UTC 
Updated to

Name         : nrpe
Version      : 3.1.1
Release      : 6.fc26
Arch         : x86_64
Size         : 337 k
Source       : nrpe-3.1.1-6.fc26.src.rpm
Repo         : @System
From repo    : updates-testing

Problem is persistent.

Our icinga2 server is running FreeBSD and OpenSSL 1.0.2l.

F25 had OpenSSL 1.0.2k-fips 26 Jan 2017, while F26 features OpenSSL 1.1.0f-fips 25 May 2017 – my first assumption was that due to the major change here something went south.
Comment 3 Stephen John Smoogen 2017-07-13 14:04:04 UTC 
Ok my first check would be to see if the client can talk to itself. I notice the clients are in FIPS mode. Is that by need, design or accident? [The reason is that FIPS lowers the number of available algorithms and what they can talk to.] If it is done on purpose, how are you doing it so I can try to replicate?

Thanks.
Comment 4 Stephen John Smoogen 2017-07-13 21:22:35 UTC 
OK talking with upstream shows it is going to take basically going to 3.2.1 to get openssl 1.1.0f fully functional. I will work on packaging that up and put it in a repo for you to test/work.
Comment 5 Timo Schoeler 2017-07-14 05:35:15 UTC 
Thanks a lot for your reply. Sorry for not answering you in a timely manner, I was out of office.

Best regards

Timo
Comment 6 Timo Schoeler 2017-07-14 05:37:52 UTC 
Regarding FIPS: All vanilla here.
Comment 7 Fedora Update System 2017-07-14 21:35:03 UTC 
nrpe-3.2.0-1git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-487a01f0be
Comment 8 Stephen John Smoogen 2017-07-14 21:37:11 UTC 
This should be fixed in the updates-testing in a day or 2.
Comment 9 Fedora Update System 2017-07-14 22:26:31 UTC 
nrpe-3.2.0-2git.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7
Comment 10 Fedora Update System 2017-07-16 21:21:58 UTC 
nrpe-3.2.0-2git.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b30a5177e7
Comment 11 Timo Schoeler 2017-07-18 04:59:53 UTC 
Thanks a lot, Stephen! That solved the issue.

Best regards

Timo
Comment 12 Fedora Update System 2017-07-19 19:39:08 UTC 
nrpe-3.2.0-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4
Comment 13 Fedora Update System 2017-07-21 01:22:01 UTC 
nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-47d1a274d4
Comment 14 Stephen John Smoogen 2017-08-07 17:31:52 UTC 
*** Bug 1478997 has been marked as a duplicate of this bug. ***
Comment 15 Gerhard Wiesinger 2017-08-07 18:45:53 UTC 
Works well. Please put this to stable, because current stable version is not working.

# nagios server
dnf --enablerepo updates-testing update nagios-plugins-nrpe\*
systemctl restart nagios

# nrpe hosts
dnf --enablerepo updates-testing update nrpe\*
systemctl restart nrpe
Comment 16 Fedora Update System 2017-08-09 15:53:51 UTC 
nrpe-3.2.0-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.