CHECK_NRPE: Error - Could not complete SSL handshake.

alberto.alonso
Posts: 6
Joined: Thu Aug 21, 2014 10:10 am

CHECK_NRPE: Error - Could not complete SSL handshake.

Post by alberto.alonso »

Hello

I'm pretty new to Nagios and I'm having a problem installing the NRPE plugin on CentOS.

I have a monitoring server (its hostname is wizzo-int-monitoring0) where I have installed:
- Nagios-4.0.7 <--- it works fine, as I am seeing the remote host
- Nagios-plugins-2.0.3
- NRPE-2.15


In the remote server (its hostname is wizzo-int-read3), I have installed:
- sudo yum -y install openssl-devel gcc xinetd make
- Nagios-plugins-2.0.3
- NRPE-2.15

Moreover, in the remote server, I have made some changes in the following files:

- In /etc/xinetd.d/nrpe I have added only_from = 127.0.0.1 wizzo-int-monitoring0
- In /etc/services I have added the line: nrpe 5666/tcp # NRPE
- In /etc/hosts.allow I have added the line: nrpe: 127.0.0.1 wizzo-int-monitoring0

I have also modified the iptables:
- sudo iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
- sudo service iptables save

In the remote server, if I type /usr/local/nagios/libexec/check_nrpe -H localhost
I get NRPE v2.15 <---- which is correct

But if I type in the monitoring server /usr/local/nagios/libexec/check_nrpe -H wizzo-int-read3
I get CHECK_NRPE: Error - Could not complete SSL handshake.


If I modify /etc/xinetd.d/nrpe and replace wizzo-int-monitoring0 with its IP address, it works. But I need to use the hostname, as the IP can change.

What am I doing wrong?
What do I have to do to be able to use hostnames in the /etc/xinetd.d/nrpe file?
I am going crazy and I don't know what else to do.

Thanks a lot in advance

PS. I tried to post this issue in a different section; maybe it should be here in "Nagios Plugin Development", as it seems more specific than "Nagios Core".
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: CHECK_NRPE: Error - Could not complete SSL handshake.

Post by sreinhardt »

Hostnames might play a role in this, especially if it pseudo-dynamically recerts for incoming connections, but that's not too likely. Are the system times correct and set the same on both systems? Are the nrpe and actual hostnames matching? Do wizzo-int-read3 and wizzo-int-monitoring0 resolve correctly internally?

Wait a second, after a reread, are you attempting to use hostnames within the allow from directive in the nrpe xinetd config? That will not work from my understanding, as we and xinetd should not attempt to do DNS resolution, but require an IP. So this very well may be the issue if that's the case.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
alberto.alonso
Posts: 6
Joined: Thu Aug 21, 2014 10:10 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake.

Post by alberto.alonso »

Thanks for your answer sreinhardt.

Wizzo-int-read3 resolves wizzo-int-monitoring0 perfectly and the other way around. I mean, if you log in to the wizzo-int-read3 server and ping wizzo-int-monitoring0, it is resolved with no problem.

In the file /etc/xinetd.d/nrpe I have added my monitoring server. It looks like this:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 wizzo-int-monitoring0
}
lmiltchev
Former Nagios Staff
Posts: 13587
Joined: Mon May 23, 2011 12:15 pm

Re: CHECK_NRPE: Error - Could not complete SSL handshake.

Post by lmiltchev »

It's probably obvious, but I need to ask this - did you restart xinetd after modifying the "/etc/xinetd.d/nrpe" file?

Code:

service xinetd restart
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia
Contact:

Re: CHECK_NRPE: Error - Could not complete SSL handshake.

Post by Box293 »

You asked the same question here:
http://support.nagios.com/forum/viewtop ... 26#p109271

What happened when you tried:
In /etc/xinetd.d/nrpe try only_from = 127.0.0.1 wizzo-int-monitoring0.your.fqdn
From what I understand, it needs to be able to do a reverse DNS lookup on the IP address that is sending the NRPE request and it has to match wizzo-int-monitoring0.your.fqdn.

For example:

Code:

host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer google-public-dns-a.google.com.

host google-public-dns-a.google.com
google-public-dns-a.google.com has address 8.8.8.8
google-public-dns-a.google.com has IPv6 address 2001:4860:4860::8888
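The forward and reverse lookup comparison described in the last post, applied to the only_from line from this thread, as an added example that is not part of the original posts or of any Nagios or xinetd code. The address 192.0.2.10, the domain example.test and the function names are constructed placeholders; passing no resolver arguments to audit() uses the system resolver instead.

```python
import ipaddress
import socket

# Constructed sample: the only_from line from the thread inside a minimal service block.
SAMPLE_CONF = """service nrpe
{
    port      = 5666
    only_from = 127.0.0.1 wizzo-int-monitoring0
}
"""
# Constructed DNS data (192.0.2.10 and example.test are placeholders, not from the thread).
FAKE_A = {"wizzo-int-monitoring0": ["192.0.2.10"],
          "wizzo-int-monitoring0.example.test": ["192.0.2.10"]}
FAKE_PTR = {"192.0.2.10": "wizzo-int-monitoring0.example.test."}

def only_from_entries(conf_text):
    """Collect the values of every only_from line ('=' and '+=' forms)."""
    entries = []
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.rstrip("+ \t") == "only_from":
            entries.extend(value.split())
    return entries

def is_address(entry):
    """True for a literal IP address or CIDR network, which needs no DNS."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def system_forward(name):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def ptr_matches(name, forward=system_forward, reverse=system_reverse):
    """True only if every address of name has a PTR record equal to name."""
    try:
        ptrs = [reverse(ip).rstrip(".").lower() for ip in forward(name)]
    except (OSError, KeyError):  # lookup failed or name missing from the fake data
        return False
    return bool(ptrs) and all(p == name.rstrip(".").lower() for p in ptrs)

def audit(conf_text, forward=system_forward, reverse=system_reverse):
    """Map each only_from entry to 'address', 'ptr-ok' or 'ptr-mismatch'."""
    return {e: "address" if is_address(e)
            else "ptr-ok" if ptr_matches(e, forward, reverse) else "ptr-mismatch"
            for e in only_from_entries(conf_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, FAKE_A.__getitem__, FAKE_PTR.__getitem__))
```

With the constructed data the short name is reported as a mismatch because the PTR record returns the fully qualified name, which is the situation the last post asks about.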