CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 10:42 am
by jovin
So, when running check_nrpe command - I get this:

Code:

[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
CHECK_NRPE: Error - Could not complete SSL handshake.

I've got the file /etc/xinetd.d/nrpe configured and other things. The only thing that works is when I comment out the line all:all on the hosts.deny.

Code:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# all:all

Once it is commented out and I try running the check_nrpe command, I get a good result:

Code:

[nagios_user@nagios objects]$ /usr/local/nagios/libexec/check_nrpe -H "client's IP"
NRPE v2.12

I've tried modifying the hosts.allow and added the IP address of the nagios server:

Code:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.24.0/255.255.255.0
sendmail: all

Any suggestions on how to allow the SSL handshake with commenting out the all:all on the hosts.deny file?

Thanks....

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 1:06 pm
by tonyyarusso
I don't see any rule for NRPE in your hosts.allow - only SSH and SMTP.

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 1:07 pm
by jovin
Sorry, here you are:

Code:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
nrpe: IP address of nagios server
sendmail: all

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 2:29 pm
by tonyyarusso
nrpe is actually defined in /etc/services, right? Do you have logging enabled from tcpwrappers?

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 3:12 pm
by jovin
From my end, nrpe is in /etc/xinetd.d. Do I have tcpwrappers enabled? I don't believe so. How do I double check that? Sorry, my knowledge of nagios is fairly limited. I've just configured nagios not too long ago.

The system works if I don't have anything on the hosts.allow/deny on the client side. But, I'm working on a client that requires it (at least I've been told that it does).

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 4:14 pm
by tonyyarusso
For the services definition, what I mean is that you should see a stanza like this in the /etc/services file:

Code:

# Nagios services
nrpe    5666/tcp
nsca    5667/tcp
ndo2db          5668/tcp

This is what lets things like tcpwrappers convert the human-readable names to port numbers, so I want to check that you have that, since without it your allow statement will be useless.

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Wed Mar 23, 2011 4:54 pm
by jovin
The only thing that I've added to /etc/services is this line:

Code:

pcanywherestat  5632/udp                        # pcANYWHEREstat
nrpe            5666/tcp                        # NRPE
amqp            5672/tcp                        # AMQP

After checking the file - yes, I don't have both the nsca 5667/tcp and ndo2db 5668/tcp.

I can check to see that nrpe 5666/tcp is running fine

Code:

netstat -at | grep nrpe
tcp        0      0 *:nrpe                      *:*                         LISTEN

netstat -plan | grep 5666
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN      8379/xinetd

What am I missing? Thanks for helping.

Re: CHECK_NRPE: Error - could not complete SSL handshake

Posted: Sat Mar 26, 2011 11:23 am
by mguthrie
Check to make sure both machines have openssl and openssl-devel installed. Depending on your installation method these might be missing and can cause that error.
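
Added example (not written by any poster in this thread, and not NRPE or tcp_wrappers code): a simplified Python model of the lookup order described in hosts_access(5), where hosts.allow is consulted first, then hosts.deny, and access is granted if neither matches. It is run against the files quoted above. Assumptions: the daemon name presented to the wrapper is `nrpe`, the Nagios server address `192.0.2.10` is a constructed placeholder, and only the `ALL`, exact-address, `net/mask` and trailing-dot prefix patterns are modelled.

```python
import ipaddress

def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # optional third field (command) ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):        # prefix form, e.g. "192.168.24."
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask form, e.g. 192.168.24.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def matches(rules, daemon, ip):
    for daemons, clients in rules:
        daemon_ok = any(d.upper() == "ALL" or d.lower() == daemon.lower() for d in daemons)
        if daemon_ok and any(client_matches(c, ip) for c in clients):
            return True
    return False

def decide(allow_text, deny_text, daemon, ip):
    """First match in hosts.allow grants, then hosts.deny refuses, otherwise grant."""
    if matches(parse_rules(allow_text), daemon, ip):
        return "allow"
    if matches(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"

# Files as quoted in the thread; 192.0.2.10 is a constructed stand-in for the Nagios server.
ALLOW_FIRST_POST = "sshd: 192.168.24.0/255.255.255.0\nsendmail: all\n"
ALLOW_WITH_NRPE = "nrpe: 192.0.2.10\nsendmail: all\n"
DENY_ALL = "all:all\n"

if __name__ == "__main__":
    for label, allow in (("no nrpe rule", ALLOW_FIRST_POST), ("nrpe rule", ALLOW_WITH_NRPE)):
        print(label, "->", decide(allow, DENY_ALL, "nrpe", "192.0.2.10"))
```

If the real daemon is refused while this model says "allow", the name or address the wrapper actually sees differs from what the rule assumes, which is what enabling tcpwrappers logging would show.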