Could not complete SSL handshake - NRPE 2.15 under xinetd

[njain213]

Hi,

I am also facing similar issue.

CHECK_NRPE: Error - Could not complete SSL handshake.

Please find details from my side.


/usr/local/nagios/libexec/check_nrpe -H <IP address> -p <port> -c activemq_watch -a '-w 10 -c 20'
CHECK_NRPE: Error - Could not complete SSL handshake.

[root@localhost components]# cat /etc/xinetd.d/nrpe|grep only_from
only_from = 127.0.0.1 <ip that I have added>
[root@localhost components]# netstat -anp|grep :5666
tcp 0 0 :::5666 :::* LISTEN 8801/xinetd
[root@localhost components]# ps -C xinetd
PID TTY TIME CMD
8801 ? 00:00:00 xinetd
[root@localhost components]# ps -C nrpe
PID TTY TIME CMD

[root@localhost components]# nmap <ip that I have added> -p 5666

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-22 08:49 EDT
Nmap scan report for <DNS Name> (ip that I have added)
Host is up (0.00030s latency).
PORT STATE SERVICE
5666/tcp filtered nrpe

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds


Thanks
Naman

[bwallace]

5666/tcp filtered nrpe means a firewall is blocking access (most likely), you'll have to check there before proceeding.

[njain213]

Hi,

Now I am getting below results.

Host is up (0.17s latency).
PORT STATE SERVICE
5666/tcp closed nrpe


Is this firewall issue(5666/tcp closed nrpe) ?

Thanks
Naman

[bwallace]

Naman, the nmap result of "closed" means it can't connect.

Before you investigate each device on the path between Nagios <--> Client, first confirm that NRPE is listening on the client machine by running and posting the output of:
lsof -i:5666

I'm assuming you're running NRPE out of xinetd, so post the output of this command as wll:
cat /etc/xinetd.d/nrpe

[njain213]

Hi,

Please find results of above commands.

[root@localhost nagiosxi]# lsof -i:5666
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 31338 root 5u IPv6 214715 0t0 TCP *:nrpe (LISTEN)


[root@localhost nagiosxi]# cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 <IP address of my nagios server>
}

Thanks
Naman

[rkennedy]

Do you have the firewall enabled on the client machine, or a firewall in between the client and Nagios machine? That's what it looks like at this point.

You'll want to make sure port 5666 can pass through.

[njain213]

Hi,

Its firewall issue. Port is not enabled on client side.

Thanks for your support.

Thanks
Naman

[hsmith]

Is this thread all right to close?