Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrpe

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
dhorton
Posts: 4
Joined: Wed Apr 17, 2019 3:14 pm

Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrpe

Post by dhorton »

I just upgraded to Nagios XI 5.8.3 this morning, and after the upgrade every Windows host in our system has this error associated with check_nrpe. I masked the IP for security purposes. I only upgraded the server that houses the Nagios software. Upgrading the NSClient++ and/or nrpe agents on the endpoints is NOT an option at this point.

check_nrpe[12082]: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with xxx.xxx.xxx.xxx: rc=0 SSL-error=5

FYI the nrpe.cfg has both the localhost IP and the actual server IP in for the allowed_hosts section.

My question would be what happened with SSL during this upgrade?
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrp

Post by dchurch »

Hi!

Try adding "-2" to the list of arguments to check_nrpe. For example:

/usr/lib/nagios/plugins/check_nrpe -2 -H <IP address>

Also try adding "-n" to the list of arguments to check_nrpe. For example:

/usr/lib/nagios/plugins/check_nrpe -2 -n -H <IP address>
/usr/lib/nagios/plugins/check_nrpe -n -H <IP address>
dhorton
Posts: 4
Joined: Wed Apr 17, 2019 3:14 pm

Re: Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrp

Post by dhorton »

So adding those flags results in the following messages being displayed in an UNKNOWN status. For reference, this is the command that was being used before:

$USER1$/check_nrpe -u -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$

I added what you suggested to turn it into:

$USER1$/check_nrpe -2 -n -u -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$

I tried -n by itself before and it resulted in the same messages.

CHECK_NRPE: Receive header underflow - only 0 bytes received (4 expected).
CHECK_NRPE: Receive header underflow - only -1 bytes received (4 expected).
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrp

Post by ssax »

What is the full output from this command on the XI server?

/usr/lib/nagios/plugins/check_nrpe -2 -H <IP address> -s-1; tail -n30 /var/log/messages

What is the output of these commands from the XI server as well?

/usr/lib/nagios/plugins/check_nrpe -V
/usr/local/nagios/libexec/check_nrpe -V
dhorton
Posts: 4
Joined: Wed Apr 17, 2019 3:14 pm

Re: Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrp

Post by dhorton »

I apologize for the delayed response, but since my last post we upgraded to 5.8.4. We had the same errors. It seems that the new /usr/local/nagios/libexec/check_nrpe version was not compatible with our environment, so we needed to update it to use our previous version, in addition to adding the -2 to the command itself. Currently everything is working normally. The previous version before the upgrade was 3.0.1. After the upgrade, this changed to 4.0.3. This version did not work, so we had to go back to 3.0.1. If there is a better way to address this issue, I am certainly willing to explore it.
vtrac
Posts: 903
Joined: Tue Oct 27, 2020 1:35 pm

Re: Upgrade to Nagios 5.8.3 Causing SSL errors for check_nrp

Post by vtrac »

Hi @dhorton,
Hope you are having a great Friday!! ... :-)

I'm glad that reverting back to v3.0.1 worked for you.
Do you know what version of NSClient++ is on your remote machines?

If you like, you could try building the check_nrpe binary from source yourself.
Please follow the KB below to build NRPE v4 from source:
https://support.nagios.com/kb/article.php?id=515

If you prefer to stay with v3.0.1, then may I close this thread?


Best Regards,
Vinh