(!log_opts) Could not complete SSL handshake with IP: 5

AnudeepReddy
Posts: 8
Joined: Wed Oct 25, 2017 6:03 pm

(!log_opts) Could not complete SSL handshake with IP: 5

Post by AnudeepReddy »

Hello,

I have the latest version of Nagios Core running on Ubuntu, which I compiled from source, and the latest NRPE client running on FreeBSD, installed from the package manager. Everything is running fine (checks, statuses), but I see this error in the NRPE log file. I haven't modified any default configs.

Thanks
Last edited by AnudeepReddy on Fri Oct 27, 2017 8:38 pm, edited 1 time in total.
AnudeepReddy
Posts: 8
Joined: Wed Oct 25, 2017 6:03 pm

Re: (!log_opts) Could not complete SSL handshake with ...

Post by AnudeepReddy »

I see a similar issue when running Nagios 4 on FreeBSD (installed from package manager) and NRPE3 (installed from package manager) on FreeBSD. I am not sure if SSL is configured in the Nagios 4 package by default.
dwasswa

Re: (!log_opts) Could not complete SSL handshake with ...

Post by dwasswa »

Hi @AnudeepReddy,

I suggest that you follow this kb article: https://support.nagios.com/kb/article/n ... shake.html

However, you may need to adjust file and directory paths, or commands, to suit your environment.

Please let me know if your problem persists after following the steps in the kb article above.
AnudeepReddy
Posts: 8
Joined: Wed Oct 25, 2017 6:03 pm

Re: (!log_opts) Could not complete SSL handshake with ...

Post by AnudeepReddy »

Hello @dwasswa,

I am not using xinetd. SSL is compiled in the NRPE package. And I do have server_ip in the allowed_hosts in nrpe. I will try compiling both Nagios, NRPE from source and see if the error persists.

Is it true that './configure' enables SSL for the latest NRPE 3.2.1? It does generate a 2048-bit DH prime. And we don't have to do './configure --enable-ssl' on the Nagios Core, right?

Thanks,
Anudeep
dwasswa

Re: (!log_opts) Could not complete SSL handshake with ...

Post by dwasswa »

Hi @AnudeepReddy,

The check_nrpe command on the Nagios needs to have the --enable-SSL option when being built. Both sides have to have SSL enabled.

Here is also some extra information on NRPE v3 for more effective use: nrpe-v3-check_nrpe-config-file and nrpe-v3-enhanced-security

Please let me know if you have any questions.
AnudeepReddy
Posts: 8
Joined: Wed Oct 25, 2017 6:03 pm

Re: (!log_opts) Could not complete SSL handshake with IP: 5

Post by AnudeepReddy »

Hi,

I modified the default check-host-live to a TCP ping on port 5666 instead of an ICMP Ping. Modifying this back to ICMP Ping resolved the issue. Not sure why this is throwing an SSL Handshake error though. Does the error code 5 have any meaning here?
dwasswa

Re: (!log_opts) Could not complete SSL handshake with IP: 5

Post by dwasswa »

Hi @AnudeepReddy,

Before you made this change:

"I modified the default check-host-live to a TCP ping on port 5666 instead of an ICMP Ping. Modifying this back to ICMP Ping resolved the issue"

What did you have the check-host-live command defined as?

Please, attach your commands.cfg file located in /usr/local/nagios/etc/objects.
AnudeepReddy
Posts: 8
Joined: Wed Oct 25, 2017 6:03 pm

Re: (!log_opts) Could not complete SSL handshake with IP: 5

Post by AnudeepReddy »

This was how it was previously.

Code:

define command{
        command_name    check-client-alive
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 5666
        }

define command{
        command_name    check-server-alive
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 80
        }
dwasswa

Re: (!log_opts) Could not complete SSL handshake with IP: 5

Post by dwasswa »

Could you clarify a few things for me:

What are you trying to achieve?

Are you trying to check if a host (server or client) is alive?
The check-host-alive command is what you need. It is already defined for you by default.

Example (this is how it's defined by default):

Code:

define command{
       command_name    check-host-alive
       command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
        }

You are free to change your arguments however you want, under service definitions or when you run the command on the command line.

For details about check_ping, please read the usage: https://www.monitoring-plugins.org/doc/ ... _ping.html


The check_tcp command does something different. This plugin tests TCP connections with the specified host.

The host may be alive but the port specified with argument -p could be closed which wouldn't necessarily mean the host is not alive.

The check-host-alive is a default check and if you edit it, all of the hosts that you have applied this to would have to be set up to respond correctly.

That means every system needs to be set up to respond to port 5666.

Example (check_tcp defined by default):

Code:

# 'check_tcp' command definition
define command{
       command_name    check_tcp
       command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
        }

For details about check_tcp, please read the usage: https://search.yahoo.com/yhs/search?p=c ... mp=yhs-002

Please send me the commands.cfg located at /usr/local/nagios/etc/objects.
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: (!log_opts) Could not complete SSL handshake with IP: 5

Post by tacolover101 »

AnudeepReddy wrote:This was how it was previously.

Code:

define command{
        command_name    check-client-alive
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 5666
        }

define command{
        command_name    check-server-alive
        command_line    $USER1$/check_tcp -H $HOSTADDRESS$ -p 80
        }

as you are using check_tcp against 5666 (and NRPE expects an SSL handshake), you are technically sending a packet to NRPE on port 5666. thus, NRPE on the client side will log this as a failed handshake.
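
One way to confirm this explanation from the NRPE side, as an added example that is not part of the original thread: group the failed-handshake log entries by source address and see whether they come from the Nagios server at a regular check interval. The sample log lines, the addresses, the year and the `MONITORING_SERVERS` set are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not from the thread); the syslog prefix, host name
# and addresses are assumptions. Only the message text follows the thread title.
SAMPLE_LOG = """\
Oct 27 20:00:05 db01 nrpe[812]: Error: (!log_opts) Could not complete SSL handshake with 192.0.2.10: 5
Oct 27 20:05:05 db01 nrpe[812]: Error: (!log_opts) Could not complete SSL handshake with 192.0.2.10: 5
Oct 27 20:07:41 db01 nrpe[812]: Error: (!log_opts) Could not complete SSL handshake with 198.51.100.77: 1
Oct 27 20:10:05 db01 nrpe[812]: Error: (!log_opts) Could not complete SSL handshake with 192.0.2.10: 5
"""

MONITORING_SERVERS = {"192.0.2.10"}  # assumption: the Nagios server's address

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*"
    r"Could not complete SSL handshake with (?P<src>[0-9A-Fa-f.:]+): (?P<code>\d+)\s*$"
)

def triage(log_text, monitors=MONITORING_SERVERS, year=2017):
    """Group failed-handshake entries by source address and label each source."""
    seen = defaultdict(lambda: {"times": [], "codes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so an assumed one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["src"]]["times"].append(ts)
        seen[m["src"]]["codes"].add(int(m["code"]))
    report = {}
    for src, data in seen.items():
        times = sorted(data["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "count": len(times),
            "codes": sorted(data["codes"]),
            "median_gap_s": median(gaps) if gaps else None,
            "verdict": "known monitoring server" if src in monitors
                       else "unknown source, review",
        }
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```

Entries from the monitoring server that repeat at the host-check interval match a check that opens port 5666 and closes it without a handshake; entries from any other address deserve a look at `allowed_hosts` and the firewall rules.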