Could not complete SSL handshake.

[mailkeeper]

Hello forum,

I've got a situation where I can't seem to find the answer

server1:/opt/nagios/libexec$ ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.

Same site, same package installed

server2:/opt/nagios/libexec$ ./check_nrpe -H localhost
NRPE v2.12


nrpe.cfg from server1

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#allowed_hosts=127.0.0.1


nrpe.cfg from server2

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client's IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

#allowed_hosts=127.0.0.1


As you can see, they are the same, we don't change this and always leave it as pre-defined in the package.

Os server1;

Solaris 10 11/06 s10s_u3wos_10 SPARC
Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 14 November 2006

Os server2;

Solaris 10 11/06 s10s_u3wos_10 SPARC
Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms

I was thinking, maybe this is related to the missing SUNWcry package

Server1

[root@server1:etc/init.d] # pkginfo | grep -i SUNWcry
[root@server1:etc/init.d] #

Server2

[root@server2:/] # pkginfo | grep -i SUNWcry
[root@server2:/] #

so also on server2 this package is not there, and it's working fine...

Even when I install package 2.15 (what we also use) it's not working

when I run NRPE without SSL, I get an answer back.

But since we use this worldwide for over 9000 servers (and increasng) max will be 25.000 probable... there are only 2 servers that have this issue, and this is one of them...
there is realy nothing I can find how to fix this issue..

So I hope someone can point me to the right direction


Thank you forum to help me out!!

[hsmith]

Can you take a look at this document?

https://assets.nagios.com/downloads/nag ... utions.pdf

[mailkeeper]

Very late response, I know.
But we still have a couple of servers that run into this issue.

The setup is the same for the whole world, and still a couple of servers have issues...
I'm trying to get a solution for all of the servers with this issue, but non of them seem to work.

I hope someone is still able and willing to help.. it makes me crazy!

[mcapra]

In the future, it'd be best to open a new thread and reference the original. Since this thread contains good information we'll let it stay.

Just to be clear, the steps mentioned in this documentation were unable to provide a resolution?
https://assets.nagios.com/downloads/nag ... utions.pdf

We have very little insight we can provide into Solaris servers unfortunately. If you can run check_nrpe without SSL against a remote machine without any issues, and the problem only occurs when SSL is leveraged, then my suspicion is that the system is using an incompatible openssl library internally.

Are you still using NRPE 2.14? Have you tried compiling NRPE 3.0 on these machines and see if the new SSL options offer any assistance? We have this documentation that describes the process for Solaris 10 and 11 machines:
https://support.nagios.com/kb/article.php?id=515