Could not complete SSL handshake

jbruyet
Posts: 235
Joined: Wed Dec 28, 2011 12:14 pm

Hey all, I've been trying to get my CentOS Nagios server to see my Debian servers but no joy. I initially thought the problem was with the Nagios server but I found out that the problem is on the Debian servers. When I do check_nrpe -H localhost from the Debian servers I get:

CHECK_NRPE: Error - Could not complete SSL handshake.

I've re-configured using the --with-ssl=/path/to/ssl --with-ssl-lib=/that/path, I've made sure there aren't any typos in my config files, I made sure that the localhost address is in nrpe.cfg, I've made sure selinux and iptables aren't bothering me, and some other stuff I can't remember now. A while back I was trying to get nrpe to work on a Nagios server that was running on Debian and I finally had to give up due to the same SSL problem. Does anyone have any other suggestions that I can use to try to get this working?

Thanks,

Joe B
wormfishin
Posts: 31
Joined: Tue Apr 10, 2012 8:11 am

Are you using a relatively recent version of openssl? I ran into a similar problem on an old host that was quite outdated.

Did you review the ./configure output carefully for any errors? Those would be the first 2 places I'd look.
jbruyet

Hey wormfishin, this is a new server so I'm guessing that it's current with the openssl. Is there a way to tell for sure? As to reviewing "...the ./configure output..." where would I look for the log? I've tried before to look for any error messages as they scroll by but a speed reader I'm not.

Thanks,

Joe B
wormfishin

You can save it all to a file if you'd like by using:

./configure --with-ssl=/path/to/ssl --with-ssl-lib=/that/path >> my_config.log

To get the SSL version, use:

openssl version
jbruyet

Ok, I found my OpenSSL version:

OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I was surprised to see that it's almost four years old but YUM wasn't able to update it. Should I download the newest version from the OpenSSL web site and do a source install or could that mess up my server?

I haven't tried the ./configure thing yet. I'll try to do that later and let you know what I found out.

Thanks,

Joe B
jbruyet

Ok, I decided to do this now so here's the only problem that showed up in my install log:

checking for Kerberos include files... could not find include files

One option I found to help with finding the Kerberos files was to install krb5-devel but I couldn't find a Debian package with that name. Another option to get NRPE working was to bypass the SSL part completely using:

./configure -disable-ssl

but I'm not sure I want to go that way. Like I mentioned in my original post I wasn't able to get SSL working when I had Nagios running on a Debian server. Does Debian have some special SSL configuration that makes it a little more... finicky when running programs that use SSL?

Thanks,

Joe B
wormfishin

Have you verified nrpe is indeed running on the target server?

netstat -an | grep 5666 
jbruyet

Yep, I checked this a while back:

jobee@DebCS:~$ netstat -an | grep 5666
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN

I'm to the point now that if I need to experiment on this machine I'm willing to do that because a couple of my Debian servers are working full-time for me.

Thanks,

Joe B
wormfishin

What does your /etc/xinetd.d/nrpe file look like on the target box?

Anything in /var/log/messages?
jbruyet

Hey wormfishin, here's my nrpe file:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/local/nagios/bin/nrpe
    server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 127.0.0.1 192.168.2.26
}

I can't find anything in /var/log/messages related to nrpe or nagios.

Thanks,

Joe B
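
Added example, not part of the thread: a small parser for the xinetd stanza posted above that checks whether a given source address passes its only_from list, following xinetd's rule that trailing zero octets in an IPv4 entry act as wildcards. The stanza is abridged to two of the posted attributes, the function names are hypothetical, and only IPv4 addresses and CIDR entries are handled.

```python
import ipaddress
import re

# Abridged copy of the stanza posted above (attribute lines as posted).
STANZA = """service nrpe
{
log_on_failure += USERID
only_from = 127.0.0.1 192.168.2.26
}
"""
ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_xinetd(text):
    """Return {service: {attribute: [values]}} for each service block."""
    services, name, attrs = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("service "):
            name, attrs = line.split(None, 1)[1], {}
        elif line == "}" and name:
            services[name], name = attrs, None
        elif name and (m := ATTR.match(line)):
            key, op, vals = m.group(1), m.group(2), m.group(3).split()
            if op == "=":
                attrs[key] = vals
            elif op == "+=":
                attrs.setdefault(key, []).extend(vals)
            else:  # "-=" removes the listed values
                attrs[key] = [v for v in attrs.get(key, []) if v not in vals]
    return services

def entry_network(entry):
    """Map an IPv4 only_from entry to a network; trailing 0 octets are wildcards."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    trailing = next((i for i, o in enumerate(reversed(octets)) if o != "0"), len(octets))
    return ipaddress.ip_network(f"{entry}/{32 - 8 * trailing}")

def source_allowed(attrs, client_ip):
    """True if client_ip passes only_from; hostnames and factorized forms are skipped."""
    if "only_from" not in attrs:
        return True  # this stanza sets no source restriction
    ip = ipaddress.ip_address(client_ip)
    for entry in attrs["only_from"]:
        try:
            if ip in entry_network(entry):
                return True
        except ValueError:
            pass  # entry is not an IPv4 address or CIDR range
    return False
```

With the posted list, `source_allowed(parse_xinetd(STANZA)["nrpe"], "192.168.2.26")` returns True, while a constructed address such as 192.168.2.50 returns False.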