nrpe installation fails

[jeremy.garman]

Hello all.
I've got a standard RHEL 6.2 server on which I'm trying to install NRPE.
I've done this a bunch of times already successfully, so I'm really confused why this one is giving me so much grief!
I've followed pretty much every online step-by-step that I can locate, and none seem all that good.
I've downloaded both the nrpe 2.15 client and nrpe plugins 1.4.16 (and have used both previously), untared them in their own installation directories.
I've configured the plugins with the nagios user that I created, and configured the client with openssl and libraries (which are installed) and with enabled command arguments, and run through all the make commands.
I've modified the nrpe.cfg file, adding the nagios server and the allowed hosts and changing don't-blame-nagios to 1.
I've tried running nrpe as a daemon and under xinetd, and in both cases, (after modifying the /etc/xinetd.d/nrpe file) eventhough a netstat will show the server listening on port 5666 (which I added in the /etc/services files),
when I try to check_nrpe on the localhost, I get either:
"CHECK_NRPE: Error - Could not complete SSL handshake"
or a permissions error, connection refused port 5666
I cannot telnet from the Nagios server to this client using port 5666. In the services GUI, in system administration, I've verified that NRPE is using Xinetd to run, so it ought to be using the /etc/xinetd.d/nrpe config file...

Am I missing something? Does anyone have a better installation guide for RHEL 6.2 64-bit?

Thanks in advance!

[12csd]

Is the server where you installed nrpe firewalled?
iptables -nvL

Or does the service listen to 127.0.0.1:5666?
netstat -tpln

[jeremy.garman]

Hi 12csd.

No the server isn't firewalled (I've removed both iptables and selinux from the equation).
[root@server libexec]# sestatus
SELinux status: disabled
[root@server libexec]# service iptables status
iptables: Firewall is not running.

Yes the server is listening at 5666:
netstat -at |grep nrpe
tcp 0 0 *:nrpe *:* LISTEN

netstat -tlpn
tcp 0 0 :::5666 :::* LISTEN 9823/xinetd

Here's the contents of /etc/xinetd.d/nrpe (I've verified the /etc/services entry for port 5666, and I've verified both the username/group and the paths, and the server IP address listed in the config file):
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 192.168.110.105
}

The only field in the nrpe.cfg file that I modified is changing the don't-blame-nrpe value to 1 (from default 0)

and when I try to test the connection, this what I get:
[root@server libexec]# /usr/local/nagios/libexec/check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.

[jeremy.garman]

Interesting development. Just futzing around in general, and I put an entry into the /etc/hosts.allow config file :
nrpe: 127.0.0.1 lmnagios.lmgroup.com

Now I can successfully test with the loopback address:
[root@server libexec]# ./check_nrpe -H 127.0.0.1
NRPE v2.15

I still can't successfully test with either localhost or the server's IP address:
[root@server libexec]# ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.
[root@server libexec]# ./check_nrpe -H 13.226.19.99
CHECK_NRPE: Error - Could not complete SSL handshake.

Is this good enough?

[abrist]

What does /etc/hosts look like? You may need to map localhost and the server's ip to 127.0.0.1:

Code: Select all

cat /etc/hosts

[jeremy.garman]

Here's the output:
[root@server ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

The thing is, this isn't the first RHEL system I've setup, its just been awhile and the last few were a bit of a hack (but all work fine). I've never had to maneuver this much to get them to work before, so I'm not sure what the deal is...?

[jeremy.garman]

Incidentally, here's the NRPE installation process that I had followed for RHEL 6.2 client installation, which isn't working (the Nagios server end has been setup for quite some time):
1. yum install openssl openssl-devel xinetd gcc (and some others, most of which are already setup on OS install)
2. FTP client file (nrpe-2.15.tar) and plugin file (nagios-plugins-1.4.16.tar) to client device, placing in /opt/nagios/nrpe and /opt/nagios/plugins respectively
3. untar both files in their respective directories
4. create nagios user ("useradd nagios")
5. in Plugins directory, run "./configure --with-nagios-user=nagios --with-nagios-group=nagios"
6. when complete, run "make" and "make install"
7. from nrpe directory, run "./configure --enable-command-args"
8. when complete, run "make all", "make install-plugin", "make install-daemon" and "make install-daemon-config"
9. chown working directory: "chown nagios.nagios /usr/local/nagios" and subdirectory "chown -R nagios.nagios /usr/local/nagios/libexec"
10. run "vim /usr/local/nagios/etc/nrpe.cfg" and only change the value of don't_blame_nrpe to 1 from 0
11. run "vim /etc/services" and enter the appropriate line "nrpe 5666/tcp #NRPE"
12. run "vim /etc/xinetd.d/nrpe" and add the server IP address to the only_from line, and ensure the port value is set to 5666 and that the server paths are correct
13. run "service xinetd restart"
14. testing by running "/usr/local/nagios/libexec/check_nrpe -H localhost"

Does this seem reasonable, or am I missing a step or 6? : )

[slansing]

Honestly I'd recommend using our agent install package which will set up users, install pre-reqs, and plugins all in one. That way you don't have to worry out miscompiling, or switching steps:

http://assets.nagios.com/downloads/nagi ... _Agent.pdf

However, if you've already ran into issues and have a half compiled copy of NRPE and plugins you will want to cleanse that out first.

[jeremy.garman]

That's a Nagios XI agent for CentOS 5 and 6. I'm running Nagios Core 3.4.1 and the client is RHEL 6.2
Is the compatibility close enough?
No issues about removing files from previous attempts. As the system I'm trying to setup is a critical production virtual server, I cloned it and am working off of that. I'll blow away the clone, reclone and try this agent install package before applying it to the production server. : )

[slansing]

Yes it should install fine on RHEL and should be compatible with core as it is just the agent install. We just wrapped it up in XI documentation for ease of installation and configuration. I'd give it a shot!