Could not complete SSL handshake error on Solaris 10 client

[plakshmi]

Nagios Team,

We have installed Nagios client on Solaris 10 machine as per attached procedure. But, we are getting error "CHECK_NRPE: Error - Could not complete SSL handshake."

We checked the document http://assets.nagios.com/downloads/nagi ... utions.pdf : Section III thoroughly.

We have tried everything except reinstalling nrpe with SSL option. We are not aware how to uninstall nrpe 2.14 from Solaris 10 machine and try reinstall using SSL option.

Please advice us on how to go about from here.


Below is the output from nagios server and client.

#####################################################################################################
From Solaris client
#####################################################################################################

(nagios@usa0300ux320)/u01/home/nagios-> ps -ef|grep nrpe
nagios 1536 1 0 Sep 11 ? 2:14 /opt/nagios/bin/nrpe -c /etc/nagios/nrpe.cfg -d
nagios 27857 27519 0 05:35:14 pts/10 0:00 grep nrpe

(nagios@usa0300ux320)/u01/home/nagios-> svcs -a|grep nrpe
online Sep_11 svc:/application/nagios/nrpe:default

(nagios@usa0300ux320)/u01/home/nagios-> netstat -an|grep 5666
*.5666 *.* 0 0 49152 0 LISTEN

(nagios@usa0300ux320)/u01/home/nagios-> cat /etc/nagios/nrpe.cfg|grep allowed
# that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
allowed_hosts=13.129.109.69,127.0.0.1

(nagios@usa0300ux320)/u01/home/nagios-> cat /etc/nagios/nrpe.cfg|grep blame
dont_blame_nrpe=1
# command arguments *AND* the dont_blame_nrpe directive in this

(nagios@usa0300ux320)/u01/home/nagios-> telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection to localhost closed.

(nagios@usa0300ux320)/u01/home/nagios-> cd /opt/nagios/libexec

(nagios@usa0300ux320)/opt/nagios/libexec-> ls -l check_nrpe
-rwxr-xr-x 1 nagios bin 56016 Jan 18 2013 check_nrpe

(nagios@usa0300ux320)/opt/nagios/libexec-> ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.]

#####################################################################################################
From nagios server: 13.129.109.69
#####################################################################################################

-bash-3.2$ telnet usa0300ux320 5666
Trying 13.129.12.64...
Connected to usa0300ux320.apps.mc.xerox.com (13.129.12.64).
Escape character is '^]'.
^]
telnet> quit
Connection closed.

-bash-3.2$ cd /usr/local/nagios/libexec/
-bash-3.2$ ls -l check_nrpe
-rwxrwxr-x 1 nagios nagios 66381 Jan 15 2013 check_nrpe

-bash-3.2$ ./check_nrpe -t 60 -H usa0300ux320
CHECK_NRPE: Error - Could not complete SSL handshake.

-bash-3.2$ ./check_nrpe -n -t 60 -H usa0300ux320
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

-bash-3.2$ nmap 13.129.12.64 -p 5666

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-10-01 06:52 EDT
Interesting ports on usa0300ux320.apps.mc.xerox.com (13.129.12.64):
PORT STATE SERVICE
5666/tcp open unknown

#####################################################################################################
#####################################################################################################

[slansing]

do you have dont_blame_nrpe set to 1 in the nrpe.cfg of the remote system? If not make that change, and restart the daemon, either xinetd or what you are using, then try to run the check command with a -n again.

[plakshmi]

Thanks for your reply.

Yes, we do have dont_blame_nrpe set to 1 in nrpe.cfg on the remote host. The remote host is Solaris 10.

I guess Solaris uses inetd service not xinetd. Am I right?

If that is the case, do we need to restart inetd deamon. We generally restart the below nrpe service but never restarted inetd.

(nagios@usa0300ux320)/u01/home/nagios-> svcs -a|grep nrpe
online Sep_19 svc:/application/nagios/nrpe:default

[slansing]

Well if nrpe is starting as a service itself you should only need to restart that, which is calling the init script itself. Do you have your nagios XI server's address defined in the allowed_from line in the nrpe.cfg? Also, have you tried the direct IP of the Solaris server instead of the address you are using? Does it make a difference? Keep in mind to try all commands with "-n" and without as well.

[plakshmi]

Well if nrpe is starting as a service itself you should only need to restart that, which is calling the init script itself. Do you have your nagios XI server's address defined in the allowed_from line in the nrpe.cfg? Also, have you tried the direct IP of the Solaris server instead of the address you are using? Does it make a difference? Keep in mind to try all commands with "-n" and without as well.

Good insight. Yes, we do have the nagios server IP in allowed_from in nrpe.cfg. Today we have restarted inetd service on the remote host. Now, all manual checks are working fine from default plugin folder on nagios server (did not use -n option). So, finally looking good

Everything works fine except the command $check_nrpe -H <hostname/IP> from client end (tried -n option, replaced hostname with IP and vice versa) . The same command works fine in nagios server. Just curious to know.

[scottwilkerson]

Everything works fine except the command $check_nrpe -H <hostname/IP> from client end (tried -n option, replaced hostname with IP and vice versa) . The same command works fine in nagios server. Just curious to know.

Not exactly sure what command you are using because usually you need something like

Code: Select all

/path/to/check_nrpe -H <hostname/IP>

not

Code: Select all

$check_nrpe -H <hostname/IP>

[plakshmi]

Yes, you are right.

Thanks for your support.

[plakshmi]

We have Nagios up and running now on the remote host and monitoring has been established.

[slansing]

Excellent, what was the resolution? Incorrect pathing?

[plakshmi]

Restarting inetd service on the remote host resolved the issue.