
CHECK_NRPE: Error - Could not complete SSL handshake - again

Posted: Fri Aug 02, 2013 11:51 am
by pauldoc1
Hello,

I am receiving the CHECK_NRPE: Error - Could not complete SSL handshake error. Here is the background and how I have tried to resolve it.

I have Nagios version 3.3.1 running on ip 192.168.10.11. Everything is great, no errors.
I setup a new Nagios on ip 192.168.5.41. CHECK_NRPE: Error - Could not complete SSL handshake from all hosts. All servers are on the 192.168.10.x subnet.
Currently both are running, one is getting the error, the other is not.

Initially, I setup the new Nagios from a distribution using yum which installed version 3.2. I then uninstalled that and manually installed Nagios 3.5. No difference.

I have followed the steps outlined in this doc http://assets.nagios.com/downloads/nagi ... utions.pdf

I have added the new server to the xinetd/nrpe file. I have made the connections unlimited. I have recompiled the nrpe plugin using ssl.

I have tested nmap on port 5666 from both servers with no difference.

check_nrpe from old server results in NRPE v2.12 (although I did reinstall the client with 2.14, or tried to, anyway).
check_nrpe from new server results in the SSL handshake error. Using the -n results in CHECK_NRPE: Error receiving data from daemon.

I'm at a complete loss. This stinks of a firewall issue, but I am certain that there is no blockage between these two subnets. SSH works as an example and is being monitored successfully by both systems.

Any help would be greatly appreciated.

Rgds,

Paul

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 12:28 pm
by scottwilkerson
Can you run the following on both of the servers so we can compare

/usr/local/nagios/bin/nrpe|head -8
/usr/local/nagios/libexec/check_nrpe|head -8
Also, I assume you added the new server's IP to the only_from field in /etc/xinetd.d/nrpe on the remote machine, right?

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 12:52 pm
by pauldoc1
Yes. I have added the allowed_hosts and only_from_hosts (both servers are in both locations) although I realize that with xinetd the nrpe.cfg is ignored. I figured it couldn't hurt.

I also ran this on the remote client and clearly see now that the new server is on a newer nrpe version. I am going to try to downgrade that to 2.12, unless that will not make a difference.

Remote client
[root@bigtank home]# /usr/local/nagios/bin/nrpe|head -8

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

Old (good) server
[root@professorx ~]# /usr/local/nagios/bin/nrpe|head -8

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

[root@professorx ~]# /usr/local/nagios/libexec/check_nrpe|head -8
Incorrect command line arguments supplied

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.12
Last Modified: 03-10-2008
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

New (bad) server:
[root@utility var]# /usr/local/nagios/bin/nrpe|head -8

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.14
Last Modified: 12-21-2012
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available
[root@utility var]# /usr/local/nagios/libexec/check_nrpe|head -8
Incorrect command line arguments supplied

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.14
Last Modified: 12-21-2012
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 1:06 pm
by pauldoc1
Update:

I went the other way and upgraded the remote host nrpe to 2.14. No difference. Old server still works. New server still errors.

Remote:
[root@bigtank nrpe-2.14]# /usr/local/nagios/bin/nrpe|head -8

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.14
Last Modified: 12-21-2012
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 1:15 pm
by lmiltchev
Are you using TCP Wrappers? Do you have a line that says:

NRPE:   <allowed IP>
in the "/etc/hosts.allow" file?

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 1:18 pm
by pauldoc1
No. There is nothing in the /etc/hosts.allow file (all commented out).

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 1:52 pm
by lmiltchev
Did you restart the daemon after making changes in "/etc/xinetd.d/nrpe" on the client? If you haven't done this, add the Nagios server's IP to the "only_from" line, for example:

only_from = 127.0.0.1 192.168.x.x

Then restart the daemon:

service xinetd restart

Test if NRPE works locally on the client:

./check_nrpe -H localhost

You should see:

NRPE v2.12

If that's successful, run a check from your new Nagios server against the client:

./check_nrpe -H <client_IP>

You should see:

NRPE v2.12

If it fails again, try telnetting to the client:

telnet <client_IP> 5666

Note: You can also use nc:

nc -zv <client_IP> 5666

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 2:29 pm
by pauldoc1
I think you've found it. Telnet port 5666 from new server gets dropped by the remote server. Telnet from old server stays connected. I think the traffic is getting blocked on the way back. Checking FW config now. Nmap shows port is open but doesn't expect return traffic. Thanks. I will update if/when resolved.

Re: CHECK_NRPE: Error - Could not complete SSL handshake - a

Posted: Fri Aug 02, 2013 3:29 pm
by pauldoc1
Haha on me. So it wasn't the firewall.

The monitoring server (which I'm not proud to say I set up) is dual-homed. It has an interface on the 10.x network and all traffic to the remote servers is naturally using that interface. So, adding the 5.41 to the only_from_hosts did nothing. But adding the proper 10.39 fixed all.

facepalm.

Thanks for your help. I'm about to install thold so I'll probably be back.

Cheers,

Paul
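Added example, not code from the thread, from Nagios or from the NRPE project: a small POSIX shell script that turns the resolution above, and the step-by-step post before it, into a repeatable check. It finds which of the server's addresses the kernel will actually use when it connects to an NRPE client (on a dual-homed server this is the interface on the route to the client, not the address you think of the server by) and tests that address against the client's xinetd only_from list, using the numeric forms xinetd accepts. The live lookup assumes iproute2 (ip route get); the only_from parser works on config text, so it runs offline. The sample /etc/xinetd.d/nrpe stanza and the addresses in it are constructed to mirror the thread, not copied from the poster's machines. Worth keeping in mind while editing that list: when NRPE runs under xinetd, only_from is the only source restriction in force (allowed_hosts in nrpe.cfg is ignored, as the poster notes), and the "Anonymous DH Mode" shown in the banners above encrypts without authenticating either side, so the fix is to list the exact outbound address rather than to widen the entry to a whole subnet.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nagios/NRPE. Checks whether
# the address a Nagios server really connects FROM is covered by the NRPE
# client's xinetd only_from list. Assumes iproute2 for the live lookup; the
# parser works on config text so it can run offline against a pasted file.

# Dotted quad -> 32-bit integer (validate with is_ipv4 first).
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] && [ "$1" -le 255 ] && [ "$2" -le 255 ] \
                 && [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

# Does xinetd only_from entry $1 cover source address $2?
# Numeric forms xinetd accepts: exact address, a.b.c.d/nn, a.b.c.d/netmask,
# and the trailing-zero shorthand (192.168.10.0 is 192.168.10.0/24,
# 10.0.0.0 is 10/8, 0.0.0.0 is everyone). Hostnames are reported as
# non-matching because nothing is resolved offline.
entry_matches() {
    local entry=$1 addr=$2 net bits mask
    case "$entry" in
        */*)      net=${entry%/*}; bits=${entry#*/} ;;
        0.0.0.0)  net=$entry; bits=0 ;;
        *.0.0.0)  net=$entry; bits=8 ;;
        *.0.0)    net=$entry; bits=16 ;;
        *.0)      net=$entry; bits=24 ;;
        *)        net=$entry; bits=32 ;;
    esac
    is_ipv4 "$net" && is_ipv4 "$addr" || return 1
    if is_ipv4 "$bits"; then                      # a.b.c.d/255.255.255.0 form
        mask=$(ip2int "$bits")
    else
        case "$bits" in *[!0-9]*|"") return 1 ;; esac
        [ "$bits" -le 32 ] || return 1
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$addr") & mask )) ]
}

# Pull every "only_from =" and "only_from +=" value out of a service stanza.
only_from_list() {
    printf '%s\n' "$1" | sed -n -e 's/#.*//' \
        -e 's/^[[:space:]]*only_from[[:space:]]*+\{0,1\}=//p'
}

# Exit 0 when source address $2 is permitted by the only_from entries in
# config text $1. With no only_from (and no no_access) xinetd admits anyone.
only_from_allows() {
    local cfg=$1 addr=$2 entry
    set -- $(only_from_list "$cfg")
    [ $# -gt 0 ] || return 0
    for entry in "$@"; do
        if entry_matches "$entry" "$addr"; then return 0; fi
    done
    return 1
}

# Address the kernel puts in the SYN to client $1. On a dual-homed server
# this is the interface on the route to the client. Needs iproute2; the
# offline demo below does not call it.
nrpe_source_ip() {
    ip -4 route get "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}

# Usage on the client: check_only_from /etc/xinetd.d/nrpe "$(nrpe_source_ip ...)"
check_only_from() {
    only_from_allows "$(cat "$1")" "$2"
}

# Constructed sample stanza (not the poster's real file) mirroring the thread:
# the server's 192.168.5.41 address is listed, but its checks leave from the
# 192.168.10.39 interface, which is not.
SAMPLE_CFG='service nrpe
{
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        only_from       = 127.0.0.1 192.168.10.11 192.168.5.41
}'

for src in 192.168.10.11 192.168.5.41 192.168.10.39; do
    if only_from_allows "$SAMPLE_CFG" "$src"; then
        echo "$src: allowed by only_from"
    else
        echo "$src: rejected by xinetd (check_nrpe will report an SSL handshake failure)"
    fi
done
```

Run it on the Nagios server as `nrpe_source_ip <client_IP>` to learn the outbound address, then on the client as `check_only_from /etc/xinetd.d/nrpe <that address>`; a rejection here reproduces the symptom in the thread (xinetd accepts the TCP connection and closes it before NRPE starts, which nmap reports as "open" and check_nrpe as a failed SSL handshake).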