Error: Could not complete SSL handshake

[gormank]

Redhat's procedure was used to disable IPv6, but chances are I'll undo that since it makes things worse.

https://access.redhat.com/solutions/8709
https://access.redhat.com/node/1958#initramfs

Also, this is a minor issue now that restarting the servers as part of disabling IPv6 nuked my DB. See my post about that: https://support.nagios.com/forum/viewto ... 16&t=34167

We can return to this once I can monitor systems...

[lmiltchev]

We can return to this once I can monitor systems...

No problem. We will keep this open.

[gormank]

Ok, I undid the disabling of IPv6 so we're back to where we were with the handshake error in syslog...
Groan. The FAQ tells the story...

Title: Could not complete SSL handshake.
FAQ ID: F0357
Submitted By: Manuel Benet
Last Updated: 03/14/2007

Description: The message nrpe[19739]: Error: Could not complete SSL handshake. 5 appears in Linux NRPE servers syslog.

Solution: This message, that usually appears in Linux NRPE servers syslog is sometimes not due to NRPE communication between NRPE client and server, but to the monitoring of the port 5666 thru check_tcp. In this case the message is completely inocuous and does not imply malfunctioning. Therefore, if you are seeing that message and everything seems to be working correctly, disable port 5666 monitoring and check if the message shows.

[tgriep]

There was a check_tcp running on your system? Did you disable it and the errors are gone?

[gormank]

Yes and yes.
I'm required to have a heartbeat monitor to check the status of nrpe on the monitored servers. Using a solution other than check_tcp such as check_nrpe_version has an ugly error when the server or agent are down.
Checking the port works fine but causes these log entries. So now I need another solution. Any ideas?

[tgriep]

I would assume that anything that checks port 5666 and is not the check_nrpe command, would cause the same messages.
The check_nrpe_version looks like is the only thing that will not cause the messages.

[gormank]

I'm well aware of that now that I found the faq entry.
The question now is how can I check the reachability of the agent wand get a sensible response when it isn't.

[tgriep]

What response do you get?
255?
There is a patch for the 255 message.
https://support.nagios.com/forum/viewto ... =6&t=33811

[gormank]

It would take some checking but that might work.
A simpler solution would be not to log what's in the title when something pokes at port 5666. I imagine that's a possible security question.
Ideally, other services using check_nrpe would be dependent on a check of nrpe being alive, but I don't see a way to set this up in the UI. This would be similar to services being dependent on the host reachability via the host check.

[Box293]

The question now is how can I check the reachability of the agent wand get a sensible response when it isn't.

Is checking the NRPE version acceptable?

Code: Select all

Command:
check_nrpe -H win2008r2-01

Output:
I (0.4.3.143 2015-04-29) seem to be doing fine...

Exit Code:
echo $?
0

Command:
check_nrpe -H win2008r2-01

Output:
CHECK_NRPE: Socket timeout after 10 seconds.

Exit Code:
echo $?
2

Slightly difference response when the remote host is a linux box:

Code: Select all

Command:
check_nrpe -H centos01

Output:
NRPE v2.14

Edit Code:
echo $?
0

Command:
check_nrpe -H centos01

Output:
connect to address 10.25.13.10 port 5666: Connection refused
connect to host centos01 port 5666: Connection refused

Exit code:
echo $?
255

In both examples above all I did was stop the service on the windows or linux box.