CHECK_NRPE: Error - Could not complete SSL handshake

jeraisel
Posts: 7
Joined: Fri May 13, 2011 10:12 am

CHECK_NRPE: Error - Could not complete SSL handshake

Post by jeraisel »

Hello

I have the following problem.

I can't seem to connect Nagios to the NRPE installed on the computers I want to monitor.
They don't appear on the Nagios web interface. When I use the command "/usr/local/nagios/libexec/check_nrpe -H nagios_server -c check_users" on the remote machines I get the message "CHECK_NRPE: Error - Could not complete SSL handshake", and when I check /var/log/messages here's what I get:

Sep 27 18:11:59 SDTSMC xinetd[5405]: FAIL: nrpe address from=128.1.5.20
Sep 27 18:11:59 SDTSMC xinetd[3428]: START: nrpe pid=5405 from=128.1.5.20
Sep 27 18:11:59 SDTSMC xinetd[3428]: EXIT: nrpe status=0 pid=5405 duration=0(sec)

Here's what I've done:
- I have a virtual RHEL 5.5 on which I've installed Nagios
- I've followed the "Fedora quick start Installation guide"
- I've installed NRPE + Plugins (with the --enable-ssl option on ./configure for both) on two workstations, one virtual RHEL 5.5 and one physical Openfiler.
- to register the hosts on Nagios, here's the file I'm using:

define host{
	name				128.1.5.20	; IP
	use				generic-host	; This template inherits other values from the generic-host template
	check_period			24x7		; By default, Linux hosts are checked round the clock
	check_interval			5		; Actively check the host every 5 minutes
	retry_interval			1		; Schedule host check retries at 1 minute intervals
	max_check_attempts		10		; Check each Linux host 10 times (max)
	check_command			check-host-alive ; Default command to check Linux hosts
	notification_period		workhours	; Linux admins hate to be woken up, so we only notify during the day
							; Note that the notification_period variable is being overridden from
							; the value that is inherited from the generic-host template!
	notification_interval		120		; Resend notifications every 2 hours
	notification_options		d,u,r		; Only send notifications for specific host states
	contact_groups			admins		; Notifications get sent to the admins by default
	register			0		; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
	}

define host{
	name				128.1.0.19	; IP
	use				generic-host	; This template inherits other values from the generic-host template
	check_period			24x7		; By default, Linux hosts are checked round the clock
	check_interval			5		; Actively check the host every 5 minutes
	retry_interval			1		; Schedule host check retries at 1 minute intervals
	max_check_attempts		10		; Check each Linux host 10 times (max)
	check_command			check-host-alive ; Default command to check Linux hosts
	notification_period		workhours	; Linux admins hate to be woken up, so we only notify during the day
							; Note that the notification_period variable is being overridden from
							; the value that is inherited from the generic-host template!
	notification_interval		120		; Resend notifications every 2 hours
	notification_options		d,u,r		; Only send notifications for specific host states
	contact_groups			admins		; Notifications get sent to the admins by default
	register			0		; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
	}

Here's what I've already checked:
- plugin version - 1.4.15
- nrpe - 2.12
- Core - 3.2.3
- file permissions on the /usr/local/nagios - nagios:nagios
- used the command: "/usr/local/nagios/libexec/check_nrpe -H localhost -c check_users" and it works fine
- the command "netstat -at | grep nrpe" returns "tcp 0 0 *:nrpe *:* LISTEN", so it's fine on both clients
- when I run "iptables -L" I only get the headers with no content, so I assume the rules aren't being used

I don't know what else to do.

Can anyone help me solve this?

Thank you in advance

Jeraisel
crickel
Posts: 1
Joined: Thu May 19, 2011 11:30 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by crickel »

We're running into a related problem. It appears that this is a really old bug in NRPE related to this line:

http://nagios.svn.sourceforge.net/viewv ... iew=markup

SSL_CTX_set_cipher_list(ctx,"ADH");

There's likely a mismatch between what SSL ciphers your server wants to use and what NRPE is trying. I've found posts elsewhere on the internet which seem to support this as well, and have patches available that might help you.

Our issue is that our vulnerability scans are picking up Export keys available on port 5666, which is what NRPE uses. That's because the 'ADH' cipher suite includes the 'EXP-ADH-DES-CBC-SHA' cipher.

Fundamentally the problem is that NRPE hasn't been updated since 2008, and it looks like no more patches are forthcoming. People must have migrated to something else, but I haven't figured out what happened just yet.
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by mguthrie »

I would also check your /etc/xinetd.d/nrpe config and make sure that the host you're trying to communicate with is among the list of allowed IP addresses.
jeraisel
Posts: 7
Joined: Fri May 13, 2011 10:12 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by jeraisel »

How do other users use Nagios without having this problem?
How do they connect to the hosts to monitor?
Do they only use the SNMP and the services part of Nagios and not NRPE?
I will try the patches to see if they solve my problem. As for any security issue, since I'm working in a closed network (at least for now), it will have less impact.
Thank you
jeraisel
Posts: 7
Joined: Fri May 13, 2011 10:12 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by jeraisel »

Thank you mguthrie, I had added the IP of the Nagios server on the host but not the host on Nagios. That solved the handshake question.
Do you know how to add IP ranges instead of adding IPs one by one?
tonyyarusso
Posts: 1128
Joined: Wed Mar 03, 2010 12:38 pm
Location: St. Paul, MN, USA

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by tonyyarusso »

NRPE does not support IP ranges when run natively as a daemon, but you can do this by using a superserver such as xinetd.
Tony Yarusso
Technical Services
___
TIES
Web: http://ties.k12.mn.us/
jeraisel
Posts: 7
Joined: Fri May 13, 2011 10:12 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by jeraisel »

Hi crickel,
I've changed the code in check_nrpe.c but get the same result.
Plus, I added detail to the xinetd log, so now I can watch what happens on connections in /var/log/messages and /var/log/secure.
I rebooted the Nagios server and it doesn't register any message in either log. I run check_nrpe both ways and it works fine and logs the connection.

/var/log/messages

Oct  7 17:50:50 TESTE_NAGIOS xinetd[3427]: START: nrpe pid=4132 from=128.1.0.19
Oct  7 17:50:50 TESTE_NAGIOS nrpe[4132]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Oct  7 17:50:50 TESTE_NAGIOS xinetd[3427]: EXIT: nrpe status=0 pid=4132 duration=0(sec)

It seems that Nagios doesn't even try to connect to the NRPE on the host. If it did, it would show in the logs... right?
Is there something wrong with the 'define host' that I posted earlier?
Is there another configuration that I'm missing?
jeraisel
Posts: 7
Joined: Fri May 13, 2011 10:12 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by jeraisel »

Turns out that my problem was in the definition of the hosts and services to monitor.
That was why I couldn't find any hosts.

I opened another post with some questions relating to it; it can be followed at:
http://support.nagios.com/forum/viewtop ... f=7&t=2387

Thank you for those who helped.
lyle
Posts: 158
Joined: Sun Nov 21, 2010 3:05 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by lyle »

FYI:

I just got the dreaded "CHECK_NRPE: Error - Could not complete SSL handshake" message, and found out it was a typo in my nrpe.cfg file on the client. I used a * instead of a # to precede a comment line.

The other times I've seen this message were due to typos in my command definitions (wrong directory spec) in nrpe.cfg.

So the error regarding SSL problems is a little misleading.

Hope this helps someone....Lyle
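As an added example (not from this thread or from the NRPE project), the Python below checks the two client-side settings the replies point at before anyone suspects SSL itself: whether the Nagios server's address is covered by the xinetd only_from list (mguthrie's check, using the CIDR form tonyyarusso says xinetd allows), and whether nrpe.cfg contains the wrong comment marker or a bad plugin path, the two typos lyle describes. The xinetd and nrpe.cfg fragments are constructed samples; only the addresses are taken from the thread.

```python
# Added example, not from the thread: check the two client-side settings
# the replies point at before suspecting SSL itself. Inputs are constructed.
import ipaddress
import re

# Constructed /etc/xinetd.d/nrpe fragment: only_from with a CIDR range,
# which xinetd accepts and the native NRPE daemon does not.
XINETD_NRPE = """\
service nrpe
{
    port        = 5666
    server      = /usr/local/nagios/bin/nrpe
    server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    only_from   = 127.0.0.1 128.1.0.0/16
}
"""

def xinetd_allows(conf, client_ip):
    """True if client_ip matches an only_from entry (host or a.b.c.d/n form)."""
    m = re.search(r"^\s*only_from\s*\+?=\s*(.+)$", conf, re.M)
    if not m:
        return True  # no only_from: xinetd imposes no address restriction
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(e, strict=False)
               for e in m.group(1).split())

# Constructed nrpe.cfg fragment reproducing both typos lyle describes.
NRPE_CFG = """\
# a real comment
* this comment uses the wrong marker, so nrpe rejects the file
allowed_hosts=127.0.0.1,128.1.5.20
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexe/check_load -w 15,10,5
"""
KEY_RE = re.compile(r"[A-Za-z0-9_]+(\[[^\]]+\])?")

def lint_nrpe_cfg(text, plugin_dir="/usr/local/nagios/libexec"):
    """Return [(line_no, problem)] for unparsable lines and misplaced plugins."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        key, sep, value = s.partition("=")
        path = (value.split() or [""])[0]
        if not sep or not KEY_RE.fullmatch(key.strip()):
            problems.append((n, "not a comment and not key=value"))
        elif key.startswith("command[") and not path.startswith(plugin_dir + "/"):
            problems.append((n, "plugin path outside " + plugin_dir))
    return problems
```

Run against the real /etc/xinetd.d/nrpe and nrpe.cfg on a client, a non-empty lint result or a False from xinetd_allows explains the handshake error without touching the SSL code.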