CHECK_NRPE: Error - Could not complete SSL handshake on Sola

[diwakar0304]

HEllo,

I am trying to install nrpe 2.12 on one of the Sparc solaris 10 server.
I did it earlier on other soalris boxes of different version, but now I am stuck with one of the common errors of SSL handshaking on new solaris 10 server.

I also compared the config.log of working and new solaris servers, which are matching.

below are compiling output ..., I have tried with make and gmake both.

Code: Select all

bash-3.00# ./configure -with-ssl=/usr/sfw/ -with-ssl-lib=/usr/sfw/lib/ -with-ssl-inc=/usr/sfw/include/ --with-group=nagios --with-prefix=/usr/local/nagios/ --enable-ssl
checking for a BSD-compatible install... ./install-sh -c
checking build system type... sparc-sun-solaris2.10
checking host system type... sparc-sun-solaris2.10
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking whether make sets $(MAKE)... yes
checking how to run the C preprocessor... gcc -E
checking for egrep... egrep
checking for ANSI C header files... yes
checking whether time.h and sys/time.h may both be included... yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking ctype.h usability... yes
checking ctype.h presence... yes
checking for ctype.h... yes
checking dirent.h usability... yes
checking dirent.h presence... yes
checking for dirent.h... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking grp.h usability... yes
checking grp.h presence... yes
checking for grp.h... yes
checking for inttypes.h... (cached) yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking pwd.h usability... yes
checking pwd.h presence... yes
checking for pwd.h... yes
checking signal.h usability... yes
checking signal.h presence... yes
checking for signal.h... yes
checking for stdint.h... (cached) yes
checking for strings.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking tcpd.h usability... yes
checking tcpd.h presence... yes
checking for tcpd.h... yes
checking for unistd.h... (cached) yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking socket.h usability... no
checking socket.h presence... no
checking for socket.h... no
checking for sys/types.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking sys/resource.h usability... yes
checking sys/resource.h presence... yes
checking for sys/resource.h... yes
checking for sys/wait.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/stat.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for mode_t... yes
checking for pid_t... yes
checking for size_t... yes
checking return type of signal handlers... void
checking for uid_t in sys/types.h... yes
checking type of array argument to getgroups... gid_t
checking for int... yes
checking size of int... 4
checking for short... yes
checking size of short... 2
checking for long... yes
checking size of long... 4
checking for uint32_t... yes
checking for u_int32_t... no
checking for int32_t... yes
checking for va_copy... yes
checking for vsnprintf... yes
checking for snprintf... yes
checking for asprintf... no
checking for vasprintf... no
checking for C99 vsnprintf... yes
checking for getopt_long... yes
checking for main in -lnsl... yes
checking for socket in -lsocket... yes
checking for main in -lwrap... no
checking for strdup... yes
checking for strstr... yes
checking for strtoul... yes
checking for initgroups... yes
checking for closesocket... no
checking for socklen_t... yes
checking for type of socket size... size_t
checking for SSL headers... SSL headers found in /usr/sfw/include//..
checking for SSL libraries... SSL libraries found in /usr/sfw/lib/

*** Generating DH Parameters for SSL/TLS ***
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
....++*++*++*++*++*++*
checking for Kerberos include files... could not find include files
checking for perl... /usr/bin/perl
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating subst
config.status: creating include/config.h
config.status: include/config.h is unchanged


*** Configuration summary for nrpe 2.12 03-10-2008 ***:

 General Options:
 -------------------------
 NRPE port:    5666
 NRPE user:    nagios
 NRPE group:   nagios
 Nagios user:  nagios
 Nagios group: nagios


Review the options above for accuracy.  If they look okay,
type 'make all' to compile the NRPE daemon and client.

bash-3.00# gmake
cd ./src/; gmake ; cd ..
gmake[1]: Entering directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
gcc -g -O2 -I/usr/sfw/include//openssl -DHAVE_CONFIG_H   -c -o snprintf.o snprintf.c
gcc -g -O2 -I/usr/sfw/include//openssl -DHAVE_CONFIG_H -o nrpe nrpe.c utils.c -L/usr/sfw/lib/  -lssl -lcrypto -lnsl -lsocket  ./snprintf.o
gcc -g -O2 -I/usr/sfw/include//openssl -DHAVE_CONFIG_H -o check_nrpe check_nrpe.c utils.c -L/usr/sfw/lib/  -lssl -lcrypto -lnsl -lsocket
gmake[1]: Leaving directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'

*** Compile finished ***

If the NRPE daemon and client compiled without any errors, you
can continue with the installation or upgrade process.

Read the PDF documentation (NRPE.pdf) for information on the next
steps you should take to complete the installation or upgrade.

Code: Select all

bash-3.00# gmake all
cd ./src/; gmake ; cd ..
gmake[1]: Entering directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'

*** Compile finished ***

If the NRPE daemon and client compiled without any errors, you
can continue with the installation or upgrade process.

Read the PDF documentation (NRPE.pdf) for information on the next
steps you should take to complete the installation or upgrade.

Code: Select all

bash-3.00# gmake install
cd ./src/ && gmake install
gmake[1]: Entering directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
gmake install-plugin
gmake[2]: Entering directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
.././install-sh -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec
.././install-sh -c -m 775 -o nagios -g nagios check_nrpe /usr/local/nagios/libexec
gmake[2]: Leaving directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
gmake install-daemon
gmake[2]: Entering directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
.././install-sh -c -m 775 -o nagios -g nagios -d /usr/local/nagios/bin
.././install-sh -c -m 775 -o nagios -g nagios nrpe /usr/local/nagios/bin
gmake[2]: Leaving directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'
gmake[1]: Leaving directory `/usr/local/nagios/INSTALLER_PLUGINS/nrpe-2.12/src'

Code: Select all

bash-3.00# gmake install-daemon-config
./install-sh -c -m 775 -o nagios -g nagios -d /usr/local/nagios/etc
./install-sh -c -m 644 -o nagios -g nagios sample-config/nrpe.cfg /usr/local/nagios/etc

==========================================================================================================================================
bash-3.00# netstat -an | grep 5666
      *.5666               *.*                0      0 49152      0 LISTEN

==============================================================================================================================================
bash-3.00# telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection to localhost closed.
============================================================================================================================================
bash-3.00#  inetadm -l svc:/network/nrpe/tcp:default
SCOPE    NAME=VALUE
         name="nrpe"
         endpoint_type="stream"
         proto="tcp"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sfw/sbin/tcpd -c /usr/local/nagios/etc/nrpe.cfg -i"
         arg0="/usr/local/nagios/bin/nrpe"
         user="nagios"
default  bind_addr=""
default  bind_fail_max=-1
default  bind_fail_interval=-1
default  max_con_rate=-1
default  max_copies=-1
default  con_rate_offline=-1
default  failrate_cnt=40
default  failrate_interval=60
default  inherit_env=TRUE
default  tcp_trace=FALSE
         tcp_wrappers=FALSE
bash-3.00#
============================================================================================================================================

Code: Select all

bash-3.00#  /usr/local/nagios/libexec/check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.
=====================================================================================================================================

Is there any thing which i am going wrong with it.



BR//
DV

[abrist]

First, you may be interested in the following doc (it is XI specific but it can be used to troubleshoot core+nrpe as well):
http://assets.nagios.com/downloads/nagi ... utions.pdf
Next, try to run the check without ssl (just in case ssl did not build correctly:

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H localhost -n

Then, run nmap against the remote host from the nagios server (post the results):

Code: Select all

nmap <ip of remote nrpe host> -p 5666

[diwakar0304]

Hello,

Given document link was already verified.
Actually I have also tried with different nrpe 2.12 source code from different sources. (was suspecting issue with nrpe source code package)

bash-3.00# /usr/local/nagios/libexec/check_nrpe -H localhost -n
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

[root@NAGIOS-BBOPS ~]# nmap <Remote host IP> -p 5666

Starting Nmap 5.51 ( http://nmap.org ) at 2014-11-05 09:01 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for <Remote host IP>
Host is up (0.018s latency).
PORT STATE SERVICE
5666/tcp open nrpe

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

BR//
Diwakar

[abrist]

Can you post the nrpe.cfg from the remote system?

[diwakar0304]

Hi,

NRPE.cfg has been uploaded.

I am also uploading truss output for your reference, if this can help.


BR//
DV

[diwakar0304]

Hello,

Issue is resolved, it was the issue with openssl package version installed on system.
Although package which is already installed is of higher version than required version .

Issue can be identified by the truss output.

Thanks for your response and time.

BR//
Diwakar

[abrist]

Good to hear. Locking thread.