CHECK_NRPE: Error - Could not complete SSL handshake.

[dwhitfield]

I am really confused about what is going on. Could you help clear some things up?

First off, you posted in "Core" but are using XI version #s.

What are the OSes on the servers you are checking against? You have some xinetd stuff and some NSClient stuff. If you are having issues with Windows servers and with Linux servers I would suggest breaking those into different threads. I was thinking you were running NSClient on Linux, but your first post has all sorts of windows-specific stuff.

If you are restarting xinetd on the XI server, then that has nothing to do with anything (unless you are monitoring one XI server with the other XI server). check_nrpe on the XI server talks to nrpe on the client machine.

If this is XI, can you PM me profiles from each system? You can download a profile by going to Admin > System Config > System Profile and click the ***Download Profile*** button in the top right corner. *If* for whatever reason you cannot download the profile, please put the output of View System Info (5.3.4+, Show Profile if older). This will give us access to many of the logs we would otherwise ask for individually. If security is a concern, you can unzip the profile take out what you like, and then zip it up again. We may end up needing something you remove, but we can ask for that specifically.

You can also generate a profile manually using the script at /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh

That should generate a profile in /usr/local/nagiosxi/var/components/ which you can get off the server with an application such as FileZilla.

If you get an error that PROFILE BUILD FAILED, please see https://support.nagios.com/kb/article.p ... ategory=44

[rjmon]

is check_nrpe not part of core?

nagios server is running check_nrpe on windows client. The old nagios server successfully monitors whereas the new one it fails with the error listed in the title.

The issue is only with windows servers.

I posted both the profiles to your PM for any information on the versions.

I am really confused about what is going on. Could you help clear some things up?

First off, you posted in "Core" but are using XI version #s.

What are the OSes on the servers you are checking against? You have some xinetd stuff and some NSClient stuff. If you are having issues with Windows servers and with Linux servers I would suggest breaking those into different threads. I was thinking you were running NSClient on Linux, but your first post has all sorts of windows-specific stuff.

If you are restarting xinetd on the XI server, then that has nothing to do with anything (unless you are monitoring one XI server with the other XI server). check_nrpe on the XI server talks to nrpe on the client machine.

If this is XI, can you PM me profiles from each system? You can download a profile by going to Admin > System Config > System Profile and click the ***Download Profile*** button in the top right corner. *If* for whatever reason you cannot download the profile, please put the output of View System Info (5.3.4+, Show Profile if older). This will give us access to many of the logs we would otherwise ask for individually. If security is a concern, you can unzip the profile take out what you like, and then zip it up again. We may end up needing something you remove, but we can ask for that specifically.

You can also generate a profile manually using the script at /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh

That should generate a profile in /usr/local/nagiosxi/var/components/ which you can get off the server with an application such as FileZilla.

If you get an error that PROFILE BUILD FAILED, please see https://support.nagios.com/kb/article.p ... ategory=44

[rjmon]

Interesting this is affecting only windows 2003 server not 2008 and above.

[npolovenko]

Hello, @rjmon.

is check_nrpe not part of core?

Yes, sure it can run on Nagios Core or Nagios XI. However, if you have two XI servers it's better to post in Nagios XI section. That will help us pick appropriate diagnosing solutions and a lot of the times similar issues can be handled differently in XI and Core.

On the Windows Server that gives you SSL handshake error, please replace the [/settings/NRPE/server] section with the following:

Code: Select all

[/settings/NRPE/server]

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  default-workarounds  Various workarounds for what I understand to be broken ssl implementations no-sslv2  Do not use the SSLv2 protocol. no-sslv3  Do not use the SSLv3 protocol. no-tlsv1  Do not use the TLSv1 protocol. single-dh-use  Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).   
ssl options = 

; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket.  none  The server will not send a client certificate request to the client, so the client will not send a certificate. peer  The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert  if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert  Alias for peer and fail-if-no-cert. workarounds  Various bug workarounds. single  Always create a new key when using tmp_dh parameters. client-once  Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer   
verify mode = none

; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true
allow arguments = true
allow nasty characters = true

; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = 1

; PORT NUMBER - Port to use for NRPE.
port = 5666

After that please restart NSClient++ service. If NRPE still doesn't work please upload the whole nsclient.ini file as well as nsclient.log file from the windows server.

[rjmon]

Even though i have two nagios xi but i only working on one. because the other one is in use. I am uploading those files through PM.

[npolovenko]

@rjmon, I received and shared the ncslient.ini file with our techs. Would you be able to send a nsclient.log as well? It's in the same directory as nsclient.ini

Code: Select all

C:\Program Files\NSClient++

To make things faster you could open a support ticket with our team https://support.nagios.com/tickets/
They'll be able to gather all information and fix your issue during a remote session.



**Log file was received and shared with the support team.

[rjmon]

i did uploaded nsclient.log as well.. Maybe it is not failed to upload.. I will post it again

[rjmon]

uploaded the file.. i have to truncate part of it due to the size

[dwhitfield]

I would suggest submitting a ticket at https://support.nagios.com/tickets/ so we can take a closer look at the issue.

[rjmon]

I would suggest submitting a ticket at https://support.nagios.com/tickets/ so we can take a closer look at the issue.

I submitted a ticket for this.