CentOS - CHECK_NRPE: Error - Could not complete SSL handshak

[[email protected]]

We have noticed that the CHECK_NRPE: Error - Could not complete SSL handshake happens, but then the agent after another few checks works - any ideas as to what might be going on here - we have this happening on several of our CentOS monitored hosts

[jdalrymple]

Hi [email protected]

I heard through the grapevine that you're using DNS to resolve your XI server. While I think this is a good practice it is important that your DNS infrastructure is solid and consistent for good results. Let me share with you some notes I have about the way DNS works on a Linux host running the NRPE daemon:

xinetd:

- At xinetd start time it does a forward lookup to get the address for "only_from" - this doesn't seem to matter though
- Every time a request comes in there is a reverse lookup. If the proper name isn't returned in the reverse lookup the connection fails with "CHECK_NRPE: Error - Could not complete SSL handshake."

nrpe -d:

- Every time a check_nrpe request comes in a forward lookup is done, if the IP matches it works, if the record doesn't match check_nrpe fails with "CHECK_NRPE: Error - Could not complete SSL handshake."

Is it possible that you have multiple DNS servers being resolved and not all of them are resolving the XI server properly? Maybe to test you can take a trouble host and change it to IP - just for testing purposes?

[[email protected]]

Thanks for the reply and that could be the case here, I will take once of the troubled hosts and will change it's allow_only to the Nagios XI server's IP address.

[[email protected]]

I tested on one of the troubled CentOS hosts being monitored..I had seen a few quick criticals on it stating ( CHECK_NRPE: Socket timeout after 30 seconds ) , but they stopped...still continuing to monitor this host to see how the FQDN to IP test is working. Thanks again for your help troubleshooting this with us

[jolson]

Be sure to keep us up to date if you encounter any difficulties. Thanks!