Issue with Check_nrpe

[druid]

I have an old nagios v3.5 server that I'm replacing with a new CentOS 7 server to run nagios v4.1.1. I tried copying over a windows and linux host config files to the new Nagios server and started to get errors. When using the Nagios web client to view the windows host, which previously was running check_nt instead of check_nrpe, the checks are giving the error "Check_nrpe error: Unable to complete SSL handsake". When viewing the linux host the checks are giving the error "Return code 255 is out of bounds".

On the new Nagios server, running

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H localhost

returns: CHECK_NRPE: Error - Could not complete SSL handshake.

Running without SSL

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H localhost -n

returns: CHECK_NRPE Error: Error receiving data from daemon.

I'd be happy to provide any config or log files necessary. Thank you.

[Box293]

While this guide is for Nagios XI, most of the troubleshooting applies to your problem.

https://assets.nagios.com/downloads/nag ... utions.pdf

Let us know what you've tried and the output you get.

[druid]

Looking at that article's explanation of the "Could not complete SSL Handshake" error:

I added my new nagios server IP to allowed hosts in both /usr/local/nagios/etc/nrpe.cfg and /etc/xinetd.d/nrpe
I also added the "per_source" and "instances" lines to /etc/xinetd.d/nrpe
I also made sure SSL is compiled into nrpe.

I then restarted the xinetd service and ran

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H localhost

and still received the "Could not complete SSL Handshake" error.

[rkennedy]

When you compiled the plugins, did you compile with SSL?

[hsmith]

Does the new server have firewalld running? If so, you may need write a firewall rule / stop it. I would stop it for troubleshooting purposes.

systemctl firewalld status

[druid]

The new server does not have firewalld running. It uses iptables.

I just recompiled the plugins and ran make and make install.

Code: Select all

./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

When running the ./configure part, I do see "with-openssl = yes"

[jrdalrymple]

I then restarted the xinetd service and ran

Code: Select all

    /usr/local/nagios/libexec/check_nrpe -H localhost

and still received the "Could not complete SSL Handshake" error.

On EL7 this is commonly because you specified IP addresses in your /etc/xinet.d/nrpe and/or nrpe.cfg file of 127.0.0.1 and 'localhost' resolves to ::1. Try doing /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1

Also - just so that there is no question let's get ps -ef | grep nrpe so that we know if we're coming from inetd or daemonizing.

[druid]

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1

NRPE v2.15

Code: Select all

ps -ef | grep nrpe

root 3446 11456 0 17:16 pts/0 00:00:00 grep --color=auto nrpe

[Box293]

So we've confirmed check_nrpe is correctly compiled on the Nagios host.

What happens when you query your Windows server?

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H windows_server_ip

[druid]

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H windows_server_ip

CHECK_NRPE Error - Could not complete SSL handshake

On the Windows server, the nsclient.log has:

error:D:\source\nscp\include\socket/connection.hpp:243: Failed to establish secure connections: sslv3 alert unexpected message: 1010