CHECK_NRPE: Error - could not complete SSL handshake

jovin
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

CHECK_NRPE: Error - could not complete SSL handshake

Post by jovin »

So, when running check_nrpe command - I get this:

Code:

[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
CHECK_NRPE: Error - Could not complete SSL handshake.

I've got the file /etc/xinetd.d/nrpe configured and other things. The only thing that works is when I comment out the line all:all on the hosts.deny

Code:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# all:all

Once it is commented out and I try running the check_nrpe command, I get a good result:

Code:

[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
NRPE v2.12

I've tried modifying the hosts.allow and added the IP address of the nagios server:

Code:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.24.0/255.255.255.0
sendmail: all

Any suggestions on how to allow the SSL handshake with commenting out the all:all on the hosts.deny file?

Thanks....
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by tonyyarusso »

I don't see any rule for NRPE in your hosts.allow - only SSH and SMTP.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jovin
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by jovin »

Sorry, here you are:

Code:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
nrpe: IP address of nagios server
sendmail: all
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by tonyyarusso »

nrpe is actually defined in /etc/services, right? Do you have logging enabled from tcpwrappers?
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jovin
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by jovin »

From my end, nrpe is in /etc/xinetd.d. Do I have tcpwrappers enabled? I don't believe so. How do I double check that? Sorry, my knowledge of nagios is fairly limited. I've just configured nagios not too long ago.

The system works if I don't have anything on the hosts.allow/deny on the client side. But, I'm working on a client that requires it (at least I've been told that it does).
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by tonyyarusso »

For the services definition, what I mean is that you should see a stanza like this in the /etc/services file:

Code:

# Nagios services
nrpe    5666/tcp
nsca    5667/tcp
ndo2db          5668/tcp

This is what lets things like tcpwrappers convert the human-readable names to port numbers, so I want to check that you have that, since without it your allow statement will be useless.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jovin
Posts: 8
Joined: Thu Nov 18, 2010 12:45 pm

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by jovin »

The only thing that I've added on /etc/services is this line:

Code:

pcanywherestat  5632/udp                        # pcANYWHEREstat
nrpe            5666/tcp                        # NRPE
amqp            5672/tcp                        # AMQP

After checking the file - yes, I don't have both the nsca 5667/tcp and ndo2db 5668/tcp

I can check to see that nrpe 5666/tcp is running fine

Code:

netstat -at | grep nrpe
tcp        0      0 *:nrpe                      *:*                         LISTEN

netstat -plan | grep 5666
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN      8379/xinetd

What am I missing? Thanks for helping.
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: CHECK_NRPE: Error - could not complete SSL handshake

Post by mguthrie »

Check to make sure both machines have openssl and openssl-devel installed. Depending on your installation method these might be missing and can cause that error.