CHECK_NRPE: Error - Could not complete SSL handshake

Locked
rlinux57
Posts: 324
Joined: Mon Dec 08, 2014 12:03 am

CHECK_NRPE: Error - Could not complete SSL handshake

Post by rlinux57 »

Getting below error on nagios server:

[root@monitors libexec]# ./check_nrpe -H spelljob.com
CHECK_NRPE: Error - Could not complete SSL handshake.
jdalrymple
Skynet Drone
Posts: 2620
Joined: Wed Feb 11, 2015 1:56 pm

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by jdalrymple »

Firewall on remote host

allowed_hosts directive in nrpe.cfg (assuming it's a Linux box)

Is spelljob.com even a real host on your network? Does it resolve properly?
rlinux57
Posts: 324
Joined: Mon Dec 08, 2014 12:03 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rlinux57 »

The error shows on all of my servers; kindly check the attached picture.
Attachments
Screenshot.png
rlinux57
Posts: 324
Joined: Mon Dec 08, 2014 12:03 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rlinux57 »

Below are the remote host logs:
#tail -f /var/log/messages

May 8 06:37:41 server nrpe[13620]: Host 144.76.228.253 is not allowed to talk to us!
May 8 06:37:51 server nrpe[13625]: Host 144.76.228.253 is not allowed to talk to us!
May 8 06:38:28 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:9b:4e:9c:00:1e:67:6a:83:6f:08:00 SRC=104.233.142.214 DST=174.142.165.149 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
May 8 06:39:03 server nrpe[13669]: Host 144.76.228.253 is not allowed to talk to us!
May 8 06:39:13 server nrpe[13689]: Host 144.76.228.253 is not allowed to talk to us!


Nagios Server:
[root@monitors plugins]# rpm -qa | grep openssl
openssl-devel-1.0.1e-30.el6.8.x86_64
openssl-1.0.1e-30.el6.8.x86_64


Remote Host:
root@server [~]# rpm -qa | grep openssl
openssl-devel-1.0.1e-30.el6.8.i686
openssl-1.0.1e-30.el6.8.i686
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by ssax »

Did you add your Nagios Core IP to the remote host /etc/xinetd/nrpe file?

Assuming your Nagios Core IP is 144.76.228.253:

Code:

only_from = 144.76.228.253

Code:

service xinetd restart
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by lmiltchev »

Is NRPE running under xinetd or as a standalone daemon?

If NRPE is running under xinetd, check to see if the nagios server's IP address has been added to the "only_from" line in the "/etc/xinetd.d/nrpe" file:

Code:

grep only_from /etc/xinetd.d/nrpe

If NRPE is running as a standalone daemon, check the nrpe.cfg file:

Code:

grep allowed_hosts /usr/local/nagios/etc/nrpe.cfg

Note: your path may vary - adjust your command if needed.

Restart nrpe or xinetd after making mods to these files, so that changes can take effect.

BTW, are you using tcp wrappers? Do you have anything in the "/etc/hosts.allow" or "/etc/hosts.deny"?

What is the output of the following command, run on the nagios server?

Code:

nmap <client ip> -p 5666
rlinux57
Posts: 324
Joined: Mon Dec 08, 2014 12:03 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rlinux57 »

We're using two monitoring servers, so we have added two IPs in xinetd and nrpe.cfg of the remote host. The nagios server with IP "167.114.12.220" is working perfectly, but the IP "144.77.228.253" is getting the SSL handshake error while fetching.
Xinetd on remote host:
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 167.114.12.220 144.77.228.253
}



#cat /etc/nagios.nrpe.cfg
allowed_hosts=167.114.12.220,144.77.228.253

#nmap <client ip> -p 5666
Nmap scan report for server.spelljob.com
Host is up (0.095s latency).
PORT STATE SERVICE
5666/tcp open nrpe

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by Box293 »

Can you check these files on 144.77.228.253 please.
lmiltchev wrote: Do you have anything in the "/etc/hosts.allow" or "/etc/hosts.deny"?

Also, could you try commenting out allowed_hosts= and then restarting xinetd.

rlinux57 wrote:

Code:

#cat /etc/nagios.nrpe.cfg
allowed_hosts=167.114.12.220,144.77.228.253

I also noticed this:

rlinux57 wrote:

Code:

server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd

Yet you show us this:

rlinux57 wrote:

Code:

#cat /etc/nagios.nrpe.cfg
allowed_hosts=167.114.12.220,144.77.228.253

Not sure how /etc/nagios.nrpe.cfg connects with xinetd.
rlinux57
Posts: 324
Joined: Mon Dec 08, 2014 12:03 am

Re: CHECK_NRPE: Error - Could not complete SSL handshake

Post by rlinux57 »

I have fixed it by adding the correct path, "/etc/nagios/nrpe.cfg", to /etc/xinetd.d/nrpe and adding port 5666 to csf. Now you can lock this thread.
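
Added example, not part of the original thread and not Nagios code: the checks suggested in the replies above, combined into one script. For every address nrpe logged as "not allowed to talk to us" it reports whether that address is absent from only_from or allowed_hosts, and whether the nrpe.cfg that was edited is the file named by server_args -c. The function names are hypothetical and the sample files are constructed from lines quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example. Sample data in demo() is constructed from lines quoted in the thread.

# Addresses nrpe logged as refused (syslog text on stdin), one per line.
rejected_hosts() {
  sed -n 's/.*nrpe\[[0-9]*]: Host \([0-9.]*\) is not allowed to talk to us!.*/\1/p' | sort -u
}

# Config file xinetd starts nrpe with: the -c argument of server_args.
nrpe_cfg_path() {
  sed -n 's/^[[:space:]]*server_args[[:space:]]*=.*-c[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# Values of a "key = a b" or "key=a,b" line, one per line.
list_values() {  # list_values <key> <file>
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr -s ', \t' '\n'
}

# audit <syslog> <xinetd service file> <nrpe.cfg that was edited>
audit() {
  local used host
  used=$(nrpe_cfg_path "$2")
  [ "$used" = "$3" ] || echo "PATH xinetd starts nrpe with $used, not $3"
  for host in $(rejected_hosts < "$1"); do
    list_values only_from "$2" | grep -qxF "$host" || echo "MISSING only_from $host"
    list_values allowed_hosts "$3" | grep -qxF "$host" || echo "MISSING allowed_hosts $host"
  done
}

demo() {
  local d
  d=$(mktemp -d)
  cat > "$d/messages" <<'EOF'
May 8 06:37:41 server nrpe[13620]: Host 144.76.228.253 is not allowed to talk to us!
May 8 06:39:03 server nrpe[13669]: Host 144.76.228.253 is not allowed to talk to us!
EOF
  cat > "$d/xinetd-nrpe" <<'EOF'
  server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
  only_from = 167.114.12.220 144.77.228.253
EOF
  echo 'allowed_hosts=167.114.12.220,144.77.228.253' > "$d/nrpe.cfg"
  audit "$d/messages" "$d/xinetd-nrpe" "$d/nrpe.cfg"
  rm -rf "$d"
}

demo
```

On a real host, call audit with the syslog file, the xinetd service file and the nrpe.cfg you edited; no output means every refused address is in both lists and the path matches.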