Page 2 of 3
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Thu Jan 11, 2018 2:59 pm
by dwhitfield
I am really confused about what is going on. Could you help clear some things up?
First off, you posted in "Core" but are using XI version #s.
What are the OSes on the servers you are checking against? You have some xinetd stuff and some NSClient stuff. If you are having issues with Windows servers and with Linux servers I would suggest breaking those into different threads. I was thinking you were running NSClient on Linux, but your first post has all sorts of windows-specific stuff.
If you are restarting xinetd on the XI server, then that has nothing to do with anything (unless you are monitoring one XI server with the other XI server). check_nrpe on the XI server talks to nrpe on the client machine.
If this is XI, can you PM me profiles from each system? You can download a profile by going to Admin > System Config > System Profile and click the ***Download Profile*** button in the top right corner. *If* for whatever reason you cannot download the profile, please put the output of View System Info (5.3.4+, Show Profile if older). This will give us access to many of the logs we would otherwise ask for individually. If security is a concern, you can unzip the profile take out what you like, and then zip it up again. We may end up needing something you remove, but we can ask for that specifically.
You can also generate a profile manually using the script at /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
That should generate a profile in /usr/local/nagiosxi/var/components/ which you can get off the server with an application such as FileZilla.
If you get an error that PROFILE BUILD FAILED, please see
https://support.nagios.com/kb/article.p ... ategory=44
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Thu Jan 11, 2018 4:15 pm
by rjmon
is check_nrpe not part of core?
nagios server is running check_nrpe on windows client. The old nagios server successfully monitors whereas the new one it fails with the error listed in the title.
The issue is only with windows servers.
I posted both the profiles to your PM for any information on the versions.
dwhitfield wrote:I am really confused about what is going on. Could you help clear some things up?
First off, you posted in "Core" but are using XI version #s.
What are the OSes on the servers you are checking against? You have some xinetd stuff and some NSClient stuff. If you are having issues with Windows servers and with Linux servers I would suggest breaking those into different threads. I was thinking you were running NSClient on Linux, but your first post has all sorts of windows-specific stuff.
If you are restarting xinetd on the XI server, then that has nothing to do with anything (unless you are monitoring one XI server with the other XI server). check_nrpe on the XI server talks to nrpe on the client machine.
If this is XI, can you PM me profiles from each system? You can download a profile by going to Admin > System Config > System Profile and click the ***Download Profile*** button in the top right corner. *If* for whatever reason you cannot download the profile, please put the output of View System Info (5.3.4+, Show Profile if older). This will give us access to many of the logs we would otherwise ask for individually. If security is a concern, you can unzip the profile take out what you like, and then zip it up again. We may end up needing something you remove, but we can ask for that specifically.
You can also generate a profile manually using the script at /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
That should generate a profile in /usr/local/nagiosxi/var/components/ which you can get off the server with an application such as FileZilla.
If you get an error that PROFILE BUILD FAILED, please see
https://support.nagios.com/kb/article.p ... ategory=44
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 9:14 am
by rjmon
Interesting this is affecting only windows 2003 server not 2008 and above.
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 11:07 am
by npolovenko
Hello,
@rjmon.
is check_nrpe not part of core?
Yes, sure it can run on Nagios Core or Nagios XI. However, if you have two XI servers it's better to post in Nagios XI section. That will help us pick appropriate diagnosing solutions and a lot of the times similar issues can be handled differently in XI and Core.
On the Windows Server that gives you SSL handshake error, please replace the [/settings/NRPE/server] section with the following:
Code: Select all
[/settings/NRPE/server]
; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket. default-workarounds Various workarounds for what I understand to be broken ssl implementations no-sslv2 Do not use the SSLv2 protocol. no-sslv3 Do not use the SSLv3 protocol. no-tlsv1 Do not use the TLSv1 protocol. single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).
ssl options =
; VERIFY MODE - Comma separated list of verification flags to set on the SSL socket. none The server will not send a client certificate request to the client, so the client will not send a certificate. peer The server sends a client certificate request to the client and the certificate returned (if any) is checked. fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. peer-cert Alias for peer and fail-if-no-cert. workarounds Various bug workarounds. single Always create a new key when using tmp_dh parameters. client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer
verify mode = none
; ALLOW INSECURE CHIPHERS and ENCRYPTION - Only enable this if you are using legacy check_nrpe client.
insecure = true
allow arguments = true
allow nasty characters = true
; ENABLE SSL ENCRYPTION - This option controls if SSL should be enabled.
use ssl = 1
; PORT NUMBER - Port to use for NRPE.
port = 5666
After that please restart NSClient++ service. If NRPE still doesn't work please upload the whole nsclient.ini file as well as nsclient.log file from the windows server.
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 11:19 am
by rjmon
Even though i have two nagios xi but i only working on one. because the other one is in use. I am uploading those files through PM.
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 1:13 pm
by npolovenko
@rjmon, I received and shared the ncslient.ini file with our techs. Would you be able to send a nsclient.log as well? It's in the same directory as nsclient.ini
To make things faster you could open a support ticket with our team
https://support.nagios.com/tickets/
They'll be able to gather all information and fix your issue during a remote session.
**Log file was received and shared with the support team.
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 2:41 pm
by rjmon
i did uploaded nsclient.log as well.. Maybe it is not failed to upload.. I will post it again
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 2:49 pm
by rjmon
uploaded the file.. i have to truncate part of it due to the size
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Fri Jan 12, 2018 3:13 pm
by dwhitfield
I would suggest submitting a ticket at
https://support.nagios.com/tickets/ so we can take a closer look at the issue.
Re: CHECK_NRPE: Error - Could not complete SSL handshake.
Posted: Tue Jan 16, 2018 10:03 am
by rjmon
I submitted a ticket for this.