CHECK_NRPE: Error - could not complete SSL handshake

An open discussion forum for obtaining help with Nagios Core. Nagios Core users of all experience levels are welcome here. Subforum have been created for the discussion of Nagios Core and Nagios Plugin development.

NOTE: The SourceForge.net mailing lists have been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

CHECK_NRPE: Error - could not complete SSL handshake

Postby jovin » Wed Mar 23, 2011 10:42 am

So, when running check_nrpe command - I get this:
Code: Select all
[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
CHECK_NRPE: Error - Could not complete SSL handshake.


I've got the file /etc/xinetd.d/nrpe configured and other things. The only thing that works is when I comment out the line all:all on the hosts.deny
Code: Select all
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# all:all


Once commented out and try running the check_nrpe command, I get a good result
Code: Select all
[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
NRPE v2.12


I've tried modifying the hosts.allow and added the IP address of the nagios server:
Code: Select all
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.24.0/255.255.255.0
sendmail: all


Any suggestions on how to allow the SSL handshake with commenting out the all:all on the hosts.deny file?

Thanks....
jovin
 
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby tonyyarusso » Wed Mar 23, 2011 1:06 pm

I don't see any rule for NRPE in your hosts.allow - only SSH and SMTP.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
tonyyarusso
 
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby jovin » Wed Mar 23, 2011 1:07 pm

Sorry, here you are:

Code: Select all
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
nrpe: IP address of nagios server
sendmail: all
jovin
 
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby tonyyarusso » Wed Mar 23, 2011 2:29 pm

nrpe is actually defined in /etc/services, right? Do you have logging enabled from tcpwrappers?
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
tonyyarusso
 
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby jovin » Wed Mar 23, 2011 3:12 pm

from my end, nrpe in /etc/xinetd.d Do I have tcpwrappers enabled - I don't believe so. How do I double check that? Sorry, my knowledge of nagios is fairly limited. I've just configured nagios not too long ago.

The system works if I don't have anything on the hosts.allow/deny on the client side. But, I'm working on a client that requires it (at least I've been told that it does).
jovin
 
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby tonyyarusso » Wed Mar 23, 2011 4:14 pm

For the services definition, what I mean is that you should see a stanza like this in the /etc/services file:
Code: Select all
# Nagios services
nrpe    5666/tcp
nsca    5667/tcp
ndo2db          5668/tcp

This is what lets things like tcpwrappers convert the human-readable names to port numbers, so I want to check that you have that, since without it your allow statement will be useless.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
tonyyarusso
 
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby jovin » Wed Mar 23, 2011 4:54 pm

Then only thing that I've added on /etc/services is this line
Code: Select all
pcanywherestat  5632/udp                        # pcANYWHEREstat
nrpe            5666/tcp                        # NRPE
amqp            5672/tcp                        # AMQP

After checking the file - yes, I don't have both the nsca 5667/tcp and ndo2db5668/tcp

I can check to see that nrpe 5666/tcp is running fine
Code: Select all
netstat -at | grep nrpe
tcp        0      0 *:nrpe                      *:*                         LISTEN

netstat -plan | grep 5666
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN      8379/xinetd


What am I missing? Thanks for helping.
jovin
 
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Postby mguthrie » Sat Mar 26, 2011 11:23 am

Check to make sure both machines have openssl and openssl-devel installed. Depending on your installation method these might be missing and can cause that error.
mguthrie
 
Posts: 4384
Joined: Mon Jun 14, 2010 10:21 am


Return to Nagios Core

Who is online

Users browsing this forum: Google [Bot] and 21 guests