ERROR:Could not complete SSL handshake

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by speerless »

I use Nagios to monitor my ARM device (OpenSSL and NRPE have both been cross-compiled for ARM). When I start Nagios, it shows the error "Could not complete SSL handshake". I searched for it on the net, and it says it may be one of the following problems:
1. Different versions. Make sure you are using the same version of the check_nrpe plugin and the NRPE daemon. Newer versions of NRPE are usually not backward compatible with older versions.
2. SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support and that neither are being run without SSL support (using command line switches).
3. Incorrect file permissions. Make sure the NRPE config file (nrpe.cfg) is readable by the user (i.e. nagios) that executes the NRPE binary from inetd/xinetd.
4. Pseudo-random device files are not readable. Greg Haygood noted the following… “After wringing my hair out and digging around with truss, I figured out the problem on my Solaris 8 boxen. The files /devices/pseudo/random* (linked through /dev/*random, and provided by Sun patch 11243) were not readable by the nagios user I use to launch NRPE. Making the character devices world-readable solved it.”
5. Unallowed address. If you’re running the NRPE daemon under xinetd, make sure that you have a line in the xinetd config file that says “only_from = xxx.xxx.xxx.xxx”, where xxx.xxx.xxx.xxx is the IP address that you’re connected to the NRPE daemon from.

But I don't know where my problem is. I don't think it is no. 1 or no. 5. As for no. 2, when I cross-compiled NRPE and the nagios-plugin, it was all with the OpenSSL support which I had cross-compiled first, but I don't know whether I should do something about OpenSSL on the ARM device. For no. 3 or no. 4, I don't know whether they should be considered, because my device is ARM?
If you know something, please tell me. Truly, thanks for your help!
Plus: it says I can see more details in NRPE's log file, but I don't know how to open it or find it. If you know, please tell me. Thank you!

Just now, I checked the port on my ARM device; port 5666 isn't open.
Then I did the following:

Code:

vi /etc/services
add:
nrpe 5666/tcp # NRPE
netstat -at | grep nrpe

(tcp        0      0 *:nrpe                  *:*                     LISTEN)
But port 5666 still isn't open!

Post by abrist »

Have you started nrpe on the arm?
Are you using xinetd to manage the daemon, or are you using a custom init script?
Have you seen the following document?
http://library.nagios.com/library/produ ... -solutions

Post by speerless »

abrist wrote: Are you using xinetd to manage the daemon, or are you using a custom init script?
I truly don't know about this. I just moved NRPE (the directory "/nagios") and OpenSSL onto my ARM device and ran it. I don't think the device has xinetd installed, so I don't know the answer to your question. Can you analyse it for me? Do I need to install xinetd first?
I have read the paper; I don't think it helped me. About my NRPE: I am sure my nrpe.cfg is right and I did compile it with "--enable-ssl"; I have also successfully run NRPE on my ARM device.
Thanks for helping me! I am sorry for wasting so much of your time! Thanks again!

Post by yancy »

speerless,

I didn't see mention of firewall rules. Can you make sure you have a port open on 5666.


-Yancy

Post by speerless »

yancy wrote:speerless,

I didn't see mention of firewall rules. Can you make sure you have a port open on 5666.


-Yancy
I first tested in my virtual machine. When I came across the same problem, I did solve it by turning off iptables, but my ARM device does not seem to have a firewall, so I truly do not know why.
I tested the port of the ARM device:

Code:

 nmap 192.168.1.105 -p 5666

Starting Nmap 5.50 ( http://nmap.org ) at 2013-04-21 10:21 CST
Nmap scan report for 192.168.1.105
Host is up (0.0011s latency).
PORT     STATE SERVICE
5666/tcp open  nrpe
So I think that on my ARM device, both NRPE and port 5666 are running successfully, and I think nrpe.cfg also has no problems, so I truly do not know what the problem is. Please help me, thank you!
P.S. In my virtual machine, it all worked well.

Post by abrist »

Do you have openssl compiled and installed on the arm?

Code:

which openssl

Post by speerless »

abrist wrote:Do you have openssl compiled and installed on the arm?

Code:

which openssl
Yes, I do, and OpenSSL can be run on my ARM device. I have sorted out the situation:
First: I think my monitor host has no problem, because I can successfully monitor my virtual machine.
Then, on the ARM device, I can run NRPE and OpenSSL successfully, and port 5666 also showed as open. On my ARM device, I tested:
/usr/local/nagios/libexec/check_nrpe -H localhost -c check_load
It returned:
OK - load average: 0.05, 0.06, 0.00|load1=0.050;15.000;30.000;0; load5=0.060;10.000;25.000;0; load15=0.000;5.000;20.000;0 (the data may not be correct because I copied it from another place)
But on the monitor host, when I use this command to check the ARM device, it says:
ERROR:Could not complete SSL handshake
My ARM device should have no firewall, xinetd or inetd.
I have checked nrpe.cfg many times and I am sure 'allowed_hosts' and 'dont_blame_nrpe' are right.
Maybe there is something I didn't think of. If you know something, please tell me.
P.S. I think the problem is that something has stopped the communication between the two hosts, like a firewall, but my ARM device doesn't seem to have one, so I don't know what exactly the problem is. Please help me! Thank you again!
Also, I can run OpenSSL on the ARM device, but I don't know whether it works well. Is there some method to test it?

Post by scottwilkerson »

Does the ARM machine have your monitoring server's IP address in the nrpe.cfg in the allowed_hosts section?

Post by speerless »

scottwilkerson wrote:Does the arm machine have your monitoring servers IP address in the nrpe.cfg in the allowed_hosts section?
Yes, I have checked many times.

Post by speerless »

I have solved the problem.
My server host's IP is 192.168.1.105, gateway is 192.168.1.20, and my ARM device's IP is 10.10.101.119, gateway is 10.10.101.20.
That's why I could not monitor successfully. After I changed my IP to 10.10.101.100 and the gateway to 10.10.101.20, it became OK.
I still don't know why the first IP address doesn't work. Can Nagios only monitor hosts in the same subnet? I thought that as long as I can ping the host, I can monitor it with Nagios.
Anyway, thanks for all your help!
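
A way to check the allowed_hosts question asked in this thread against the address the NRPE agent actually sees, as an added example that is not part of the original posts. The nrpe.cfg content is constructed and the helper names are hypothetical; the two addresses tested at the end are the monitoring host's old and new IPs from the last post.

```python
import ipaddress
import socket

# Constructed sample nrpe.cfg for illustration; not taken from the thread.
SAMPLE_NRPE_CFG = """\
server_port=5666
# loopback plus the agent's own subnet (constructed values)
allowed_hosts=127.0.0.1,10.10.101.0/24
dont_blame_nrpe=0
"""


def parse_allowed_hosts(cfg_text):
    """Collect the comma-separated entries of allowed_hosts= lines."""
    entries = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "allowed_hosts":
            entries += [e.strip() for e in value.split(",") if e.strip()]
    return entries


def is_allowed(source_ip, entries):
    """True if source_ip equals an entry or falls inside a CIDR entry.
    Hostname entries are skipped (no DNS lookups in this sketch)."""
    addr = ipaddress.ip_address(source_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname or malformed entry
        if addr in net:
            return True
    return False


def source_ip_toward(agent_ip, port=5666):
    """Local address the kernel would pick to reach agent_ip.
    A UDP connect() sends no packets. NAT on the path can still change
    the address the agent actually sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((agent_ip, port))
        return s.getsockname()[0]


if __name__ == "__main__":
    allowed = parse_allowed_hosts(SAMPLE_NRPE_CFG)
    for ip in ("192.168.1.105", "10.10.101.100"):
        print(ip, "allowed" if is_allowed(ip, allowed) else "NOT allowed")
```

Run `source_ip_toward()` on the monitoring host with the agent's IP to see which local address to test; if a router between the two subnets rewrites source addresses, the agent's own log is the authority on the peer address.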