CHECK_NRPE: Error - Could not complete SSL handshake.

Post by alberto.alonso »

Hello

I'm pretty new to Nagios and I'm having a problem when installing the NRPE plugin on CentOS.

I have a monitoring server (its hostname is wizzo-int-monitoring0) where I have installed:
- Nagios-4.0.7 <--- it works fine, as I am seeing the remote host
- Nagios-plugins-2.0.3
- NRPE-2.15


On the remote server (its hostname is wizzo-int-read3), I have installed:
- sudo yum -y install openssl-devel gcc xinetd make
- Nagios-plugins-2.0.3
- NRPE-2.15

Moreover, on the remote server, I have made some changes in the following files:

- In /etc/xinetd.d/nrpe I have added only_from = 127.0.0.1 wizzo-int-monitoring0
- In /etc/services I have added the line: nrpe 5666/tcp # NRPE
- In /etc/hosts.allow I have added the line: nrpe: 127.0.0.1 wizzo-int-monitoring0

I have also modified the iptables:
- sudo iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
- sudo service iptables save

On the remote server, if I type /usr/local/nagios/libexec/check_nrpe -H localhost
I get NRPE v2.15 <---- which is correct

But if I type on the monitoring server /usr/local/nagios/libexec/check_nrpe -H wizzo-int-read3
I get CHECK_NRPE: Error - Could not complete SSL handshake.


If I modify /etc/xinetd.d/nrpe and replace wizzo-int-monitoring0 with its IP address, it works. But I need to use the hostname, as it can change.

What am I doing wrong?
What do I have to do to be able to use hostnames in the /etc/xinetd.d/nrpe file?
I am going crazy and I don't know what else to do.

Thanks a lot in advance
Post by Box293 »

This thread may shed some light on what you are trying to do:

In particular, (d) seems to respond to your concern. The match (or lack thereof) is done via reverse DNS lookup.

http://www.linuxquestions.org/questions ... ost3738576
only_from determines the remote hosts to which the particular service is available. Its value is a list of IP addresses which can be specified in any combination of the following ways:

a) a numeric address in the form of %d.%d.%d.%d. If the rightmost components are 0, they are treated as wildcards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). 0.0.0.0 matches all Internet addresses. IPv6 hosts may be specified in the form of abcd:ef01::2345:6789. The rightmost rule for IPv4 addresses does not apply to IPv6 addresses.

b) a factorized address in the form of %d.%d.%d.{%d,%d,...}. There is no need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok). However, the factorized part must be at the end of the address. This form does not work for IPv6 hosts.

c) a network name (from /etc/networks). This form does not work for IPv6 hosts.

d) a host name. When a connection is made to xinetd, a reverse lookup is performed, and the canonical name returned is compared to the specified host name. You may also use domain names in the form of .domain.com. If the reverse lookup of the client’s IP is within .domain.com, a match occurs.

e) an ip address/netmask range in the form of 1.2.3.4/32. IPv6 address/netmask ranges in the form of 1234::/46 are also valid.

Specifying this attribute without a value makes the service available to nobody.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
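
An added example, not part of the thread and not xinetd's own code: a Python model of only_from forms (a), (d) and (e) quoted above, showing why a short hostname entry is rejected when the reverse lookup returns a fully qualified name. The address 192.0.2.10 and the domain example.internal are constructed placeholders; forms (b) and (c) are not modelled.

```python
import ipaddress
import socket

def reverse_name(ip):
    """Canonical name from the system resolver's reverse lookup, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def entry_matches(entry, client_ip, lookup=reverse_name):
    """Model of only_from forms (a), (d) and (e) as the man page text describes them."""
    addr = ipaddress.ip_address(client_ip)
    try:
        net = ipaddress.ip_network(entry, strict=False)   # (e), or a single address
    except ValueError:
        net = None                                        # not numeric: a host name
    if net is not None:
        if "/" not in entry and net.version == 4:
            # (a) rightmost zero components are wildcards: 128.138.12.0 -> /24
            octets = entry.split(".")
            while octets and octets[-1] == "0":
                octets.pop()
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            net = ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)))
        return addr.version == net.version and addr in net
    name = lookup(client_ip)                              # (d) reverse lookup of the client
    if name is None:
        return False
    # Assumption: names compared case-insensitively, trailing dot ignored.
    name, entry = name.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return name.endswith(entry)                       # .domain.com form
    return name == entry                                  # whole canonical name must match

def matching_entry(only_from, client_ip, lookup=reverse_name):
    """Return the first only_from entry that admits client_ip, or None."""
    for entry in only_from.split():
        if entry_matches(entry, client_ip, lookup):
            return entry
    return None

# Constructed sample data: address and domain are placeholders, not from the thread.
PTR = {"192.0.2.10": "wizzo-int-monitoring0.example.internal"}

if __name__ == "__main__":
    for value in ("127.0.0.1 wizzo-int-monitoring0",
                  "127.0.0.1 wizzo-int-monitoring0.example.internal"):
        print(value, "->", matching_entry(value, "192.0.2.10", PTR.get))
```

Calling matching_entry without the lookup argument uses the host's real resolver, so it can be run on the remote server against the monitoring server's address. Form (d) trusts whatever the reverse lookup returns, so a hostname entry is only as reliable as the resolver and the reverse zone behind it.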
Post by alberto.alonso »

Thanks for your answer, Box293.

I have checked the thread you mentioned, but it seems they have the same problem as me and I didn't see that they could solve it.

If the documentation says that hostnames are allowed (option d), it should work, but I can't make it work.

Any other ideas?
I'm going crazy with this....
Post by Box293 »

In /etc/xinetd.d/nrpe try only_from = 127.0.0.1 wizzo-int-monitoring0.your.fqdn
Post by alberto.alonso »

I am going to try what you have said. I'll keep you updated if it works.

Thanks again
Post by tmcdonald »

Haven't heard from you in a while. Any update on this?
Former Nagios employee