Could not complete SSL handshake (check_nrpe is fine)

hazmat
Posts: 39
Joined: Wed Mar 19, 2014 9:17 am

Post by hazmat »

Hi. I added a server for Nagios to monitor. I have nrpe installed on the client via xinetd and as far as I know it's properly set up. When I run check_nrpe from the Nagios server, I get "NRPE v2.12". And this is running with ssl. When I restart Nagios on the server, the client shows "Error: Could not complete SSL handshake. 1" in /var/log/messages. The server shows "SERVICE ALERT: <hostname>;Current Load;UNKNOWN;SOFT;1;CHECK_NRPE: Error receiving data from daemon". Any ideas what could be wrong here? I feel like I've tried everything.

Thanks.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Post by sreinhardt »

What versions of openssl and openssl-devel do you have installed? rpm -qa | grep openssl
What OSes are you running on?
Could you give the exact commands that are and are not working? Also, have you tried both from the command line, or just check_nrpe with no additional arguments?
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
hazmat
Posts: 39
Joined: Wed Mar 19, 2014 9:17 am

Post by hazmat »

Thanks so much for the reply, Spenser. The Nagios server, RHEL 5.3 (Tikanga), is running openssl-0.9.8e-7.el5 and openssl-devel-0.9.8e-7.el5. The client, RHEL 5.8 (Tikanga), is running openssl-0.9.8e-22.el5_8.3. The check_nrpe command I used was:

# check_nrpe -H <IP> 63636
NRPE v2.12

Everything except for ping and ssh comes back as unknown.

I hope I've answered your questions. Thanks again.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Post by sreinhardt »

You have answered them just fine. I asked about openssl, as we are at an interesting time with 1.0.1 being pushed fairly mainstream and breaking compatibility with past versions.
Have you configured the other system (remote nrpe) with all the commands you wish to run?
Are any of those commands using arguments from the nagios server?
Did you use a compiled package or build from source?
hazmat
Posts: 39
Joined: Wed Mar 19, 2014 9:17 am

Post by hazmat »

I have played around with the commands, which work locally on the client, but nothing I try (I have 'dont_blame_nrpe' set to 1) will give me anything other than 'Error: Could not complete SSL handshake. 1' when it runs from the server. There must be something obvious I'm missing here. It's running as nagios:nagios and I even went as far as putting user nagios under group wheel just so it can do anything. Interestingly, running a command from the server from the command line does work. I tried check_load and got the client's load.

On the client, I don't have any compilers so I had to work with a pre-compiled nrpe.
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Post by lmiltchev »

Did you put the Nagios server's IP on the "only_from" line in the "/etc/xinetd.d/nrpe" on the client? Do you know if the nrpe was compiled with or without ssl support?
Be sure to check out our Knowledgebase for helpful articles and solutions!
hazmat
Posts: 39
Joined: Wed Mar 19, 2014 9:17 am

Post by hazmat »

I did. I have:

only_from = 127.0.0.1 1.2.3.4

where 1.2.3.4 is the server's IP. I'm pretty sure nrpe was compiled with ssl because if I try running check_nrpe from the server's command line with no arguments I get "NRPE v2.12", but with -n it says "Error receiving data from daemon."

If this helps, from nrpe --help:

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available
Last edited by slansing on Fri Mar 21, 2014 2:21 pm, edited 1 time in total.
Reason: Merged your two posts, please do not double post as that will bump you lower on our "to be replied to" list.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Post by sreinhardt »

Your allowed hosts actually need to be comma delimited, not space. Try:

only_from = 127.0.0.1,1.2.3.4

Instead of:

only_from = 127.0.0.1 1.2.3.4
lmiltchev
Former Nagios Staff
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Post by lmiltchev »

Are you sure NRPE is running under xinetd and not running as a standalone daemon? What is the output of the following command?

ps axuw | grep nrpe
hazmat
Posts: 39
Joined: Wed Mar 19, 2014 9:17 am

Post by hazmat »

I'm positive that nrpe is running under xinetd. But Spenser, are you sure about the xinetd 'only_from' being comma-delimited? I tried that, but after that any nagios command from the nagios server came back as 'Connection refused by host'. With space-delimited, they run as I've reported. Everything works from the command line on both sides, but from the nagios server to nrpe on the client, for each command it runs (other than ping and ssh) nrpe on the client reports:

Mar 21 15:57:13 xxxx xinetd[22836]: START: nrpe pid=23804 from=1.2.3.4
Mar 21 15:57:13 xxxx nrpe[23804]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 21 15:57:13 xxxx nrpe[23804]: Error: Could not complete SSL handshake. 1
Mar 21 15:57:13 xxxx xinetd[22836]: EXIT: nrpe status=0 pid=23804 duration=0(sec)

And the nagios web console says Unknown and "CHECK_NRPE: Error receiving data from daemon".
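
Added example, not part of the original thread or of the NRPE project: the nrpe "Could not complete SSL handshake" line quoted in the last post carries no peer address, so this Python script joins it to the xinetd START line by pid to report which source IP each failed handshake came from. The sample log is the four quoted lines plus one constructed successful session; the function name `handshake_failures` is hypothetical.

```python
import re
from collections import Counter

# Sample input: the four syslog lines quoted in the post, plus one
# constructed successful session (pid 23810) for contrast.
SAMPLE_LOG = """\
Mar 21 15:57:13 xxxx xinetd[22836]: START: nrpe pid=23804 from=1.2.3.4
Mar 21 15:57:13 xxxx nrpe[23804]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 21 15:57:13 xxxx nrpe[23804]: Error: Could not complete SSL handshake. 1
Mar 21 15:57:13 xxxx xinetd[22836]: EXIT: nrpe status=0 pid=23804 duration=0(sec)
Mar 21 15:58:02 xxxx xinetd[22836]: START: nrpe pid=23810 from=127.0.0.1
Mar 21 15:58:02 xxxx nrpe[23810]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 21 15:58:02 xxxx xinetd[22836]: EXIT: nrpe status=0 pid=23810 duration=0(sec)
"""

START_RE = re.compile(r"xinetd\[\d+\]: START: nrpe pid=(\d+) from=(\S+)")
EXIT_RE = re.compile(r"xinetd\[\d+\]: EXIT: nrpe .*\bpid=(\d+)")
FAIL_RE = re.compile(r"nrpe\[(\d+)\]: Error: Could not complete SSL handshake")


def handshake_failures(log_text):
    """Return Counter {source_ip: failed handshakes}, joining xinetd and nrpe lines by pid."""
    peer_by_pid = {}
    failures = Counter()
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            peer_by_pid[m.group(1)] = m.group(2)
            continue
        m = FAIL_RE.search(line)
        if m:
            # No START seen for this pid (rotated log, standalone daemon): count as "unknown".
            failures[peer_by_pid.get(m.group(1), "unknown")] += 1
            continue
        m = EXIT_RE.search(line)
        if m:
            # Pids are reused over time, so forget a session once xinetd logs its EXIT.
            peer_by_pid.pop(m.group(1), None)
    return failures


if __name__ == "__main__":
    for peer, count in handshake_failures(SAMPLE_LOG).most_common():
        print(f"{peer}: {count} failed SSL handshake(s)")
```
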