Could not complete SSL handshake (check_nrpe is fine)

[slansing]

Can you remove the '-n' from your check_nrpe command as it has been proven not to work since you had compiled that remote host with ssl support. Otherwise you can duplicate the command and change it's name, then remove the '-n' so you don't mess with other service commands using the original check_nrpe command.

[hazmat]

Thanks, but no difference.

[slansing]

When you do try running check_nrpe from the Core server to the remote system, what errors are you seeing in the remote server's log now?

[hazmat]

If run from the command line from the Core server, I get:

Apr 9 10:05:03 xinetd[20118]: START: nrpe pid=28471 from=1.2.3.4
Apr 9 10:05:03 nrpe[28471]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Apr 9 10:05:03 xinetd[20118]: EXIT: nrpe status=0 pid=28471 duration=0(sec)

In the remote server's log. I see nothing in the log if run via the application.

[lmiltchev]

You should have something in the remote server's system log... Can you post the log for a review?
You can try reinstalling the openssl package on the remote box and see if this is going to fix the issue.

[abrist]

Code: Select all

check_command                   check_nrpe!check_disk!-a '-w 20% -c 10% -p /var'

It looks like you are declaring the check_disk arg string ( -a ' * ' ) in the service check args, you should eliminate it from the command_line.
Change:

Code: Select all

command_line    /usr/local/nagios/libexec/check_nrpe -n -H $HOSTADDRESS$ -c $ARG1$ -a $ARG2$ $ARG3$ $ARG4$

To:

Code: Select all

command_line    /usr/local/nagios/libexec/check_nrpe -n -H $HOSTADDRESS$ -c $ARG1$ $ARG2$

Andy then restart nagios:

Code: Select all

service nagios restart

[mkot]

Hi, if I remember I had the same issue like you. All I need to do was configure NRPE v2.15 like this:

Code: Select all

 ./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu

(you may need to install libssl-dev at your server.) I was using this method at Ubuntu and CentOS servers. And commands for monitoring some stuff:

Monitored host:

Code: Select all

command[check_sw_raid]=/usr/local/nagios/libexec/check_raid
command[check_/]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/md2
command[check_/boot]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/md0
command[check_mem]=/usr/local/nagios/libexec/check_mem.pl -w 98 -c 99
command[check_cpu]=/usr/local/nagios/libexec/check_cpu.sh -w 50 -c 85

Nagios server (for check_sw_raid - sw=software):

Code: Select all

define service{
        use                     local-service
        host_name               domena-pn, localhost
        service_description     SW RAID Status
        check_command           check_nrpe!check_sw_raid
        notifications_enabled   1
        flap_detection_enabled  0
        active_checks_enabled   1
        passive_checks_enabled  0
        }

Oh, I think that Could not complete SSL handshake is also when you use different version of plugins at your host and nagios server.

[sreinhardt]

Thanks Mkot, hopefully that helps them out and we hear back either way!

[abrist]

Oh, I think that Could not complete SSL handshake is also when you use different version of plugins at your host and nagios server.

As plugins run through nrpe are run from the remote host, using different versions of the plugins between the server and remote host is inconsequential.

./configure --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu

This is only necessary if the configure script does not detect his openssl lib.
@OP, how is it going?

[hazmat]

Apologies for the delay, and thanks for the continued help. I was away on vacation.

Sorry if this is a stupid question, but how do I tell if the openssl lib has not been detected? I did not build this myself.