CHECK_NRPE: Error - Could not complete SSL handshake

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
katya
Posts: 224
Joined: Mon Aug 18, 2014 9:07 am

CHECK_NRPE: Error - Could not complete SSL handshake

Post by katya »

Hi,

Can i get a little bit help here?

I'm configuring now check_http plugin on my Solaris producation machine (ssbpech01)
the command running prefactly from the server itself:

root@ssbpech01:/apps/nagios/libexec# pwd
/apps/nagios/libexec
root@ssbpech01:/apps/nagios/libexec# ./check_http --ssl -H 10.146.1.38 -p 8443 -u /echos/SSB -s ECHOS -t 20
HTTP OK: HTTP/1.1 200 OK - 3535 bytes in 0.685 second response time |time=0.684777s;;;0.000000 size=3535B;;;0

but on the dashboard for this service i got:
ECHOS EP1 URL CRITICAL 01-31-2017 12:02:43 1d 3h 42m 19s 3/3 CHECK_NRPE: Error - Could not complete SSL handshake.

please see my services.cfg for this:
define service{
use generic-service
host_name ssbpech01
service_description ECHOS EP1 URL
contact_groups nagios-admins
check_command check_nrpe!check_http
check_period 24x7_except_maintenance
notification_period 24x7_except_maintenance
check_interval 1
}

root@ssbpech01:/apps/nagios/libexec# /apps/nagios/libexec/check_nrpe -H 10.146.1.38
CHECK_NRPE: Error - Could not complete SSL handshake.
root@ssbpech01:/apps/nagios/libexec# netstat -a | grep nrpe
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55156 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpech01.46479 49152 0 49152 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55218 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55228 14720 0 50316 0 ESTABLISHED
*.nrpe *.* 0 0 49152 0 LISTEN
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55070 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55080 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55096 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55098 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55118 14720 0 50316 0 TIME_WAIT
ssbpech01.nrpe ssbpops01.ssb.sungard.com.55126 14720 0 50316 0 TIME_WAIT
root@ssbpech01:/apps/nagios/libexec#

Can you please help me here? dont understand why in the dashborad i got differnet expirance?
Last edited by katya on Tue Jan 31, 2017 12:13 pm, edited 1 time in total.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by dwhitfield »

Page 3, Section III of https://assets.nagios.com/downloads/nag ... utions.pdf covers that error.

Are you using xinetd? If so, can you post the contents of /etc/xinetd.d/nrpe? Please remove sensitive info as necessary.
katya
Posts: 224
Joined: Mon Aug 18, 2014 9:07 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by katya »

HI im not using xinted im using nrpe service
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by dwhitfield »

Can you post your /usr/local/nagios/etc/nrpe.cfg from Solaris?

Also, did you go through the troubleshooting guide (https://assets.nagios.com/downloads/nag ... utions.pdf)? If so, I don't want to repeat those steps. Thanks!
katya
Posts: 224
Joined: Mon Aug 18, 2014 9:07 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by katya »

Hi,

of course i checked in the procedure before asked you :)

but the solution not helped me.

this is my nrpe.cfg configurtion:
Attachments
nrpe.cfg
nrpe.cfg
(10.68 KiB) Downloaded 347 times
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rkennedy »

What happens if you run /apps/nagios/libexec/check_nrpe -H 10.146.1.38 -n from the Nagios machine? It looks like all teh SSL parts are commented out.

Additionally. from the client side, please run something similar to what I've posted against your NRPE binary, this will show us what SSL it's compiled with -

Code: Select all

[root@centos7 etc]# /usr/local/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
Former Nagios Employee
itquestion
Posts: 3
Joined: Fri Sep 23, 2016 2:31 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by itquestion »

I had similar problem with ssl handshake like yours.
http://sharadchhetri.com/2013/06/11/how ... t-command/
Try to fallow instructions fom step 1 to 5 and check if it is working. It was helpfull to me.
katya
Posts: 224
Joined: Mon Aug 18, 2014 9:07 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by katya »

from Nagios machine:

-bash-4.1# /usr/local/nagios/libexec/check_nrpe -H 10.146.1.38
CHECK_NRPE: Error - Could not complete SSL handshake.

from the client side:

root@ssbpech01:/# /apps/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
** Read the NRPE SECURITY file for more information **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
-n = Do not use SSL
<config_file> = Name of config file to use
-4 = use ipv4 only
-6 = use ipv6 only
<mode> = One of the following operating modes:
-i = Run as a service under inetd or xinetd
-d = Run as a standalone daemon
-d -s = Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios. It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rkennedy »

rkennedy wrote:What happens if you run /apps/nagios/libexec/check_nrpe -H 10.146.1.38 -n from the Nagios machine? It looks like all teh SSL parts are commented out.
-bash-4.1# /usr/local/nagios/libexec/check_nrpe -H 10.146.1.38
CHECK_NRPE: Error - Could not complete SSL handshake.
Please run it with the -n to specify no SSL.
Former Nagios Employee
katya
Posts: 224
Joined: Mon Aug 18, 2014 9:07 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by katya »

check_nrpe from Nagios machine:
-bash-4.1# /usr/local/nagios/libexec/check_nrpe -H 10.146.1.38
CHECK_NRPE: Error - Could not complete SSL handshake.

-bash-4.1# /usr/local/nagios/libexec/check_nrpe -H 10.146.1.38 -n
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
Locked