Could not complete SSL handshake (check_nrpe is fine)

[hazmat]

In nrpe.cfg I have, for example:

Code: Select all

command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$

In the cfg on the nagios server I have:

Code: Select all

check_command                   check_nrpe!check_disk!20%!10%!/var

Is there any problem here?

[lmiltchev]

You need to pass the "-a" flag with nrpe to pass the arguments. The way you have it set up it's not going to work. I would suggest:

On the client:

Code: Select all

command[check_disk]=/usr/local/nagios/libexec/check_disk $ARG1$

In Nagios:

Code: Select all

check_command                   check_nrpe!check_disk!-a '-w 20% -c 10% -p /var'

[hazmat]

Thanks, but that made no difference in nrpe reporting "Error: Could not complete SSL handshake", but changed the Status Information in the Nagios web console from "CHECK_NRPE: Error receiving data from daemon." to "(No output returned from plugin)".

[lmiltchev]

Did you restart xinetd after modifying the nrpe.cfg on the client?

[abrist]

"(No output returned from plugin)".

This error is usually returned by the agent, and can imply a missing plugin, a bad path, or bad permissions. Can you show us a listing of the following directory on the remote host:

Code: Select all

ls -la /usr/local/nagios/libexec

Additionally, you will need to enable:

Code: Select all

dont_blame_nrpe=1

In the remote host's nrpe.cfg in order to pass arguments.
If you can check the version number of nrpe remotely, then the networking side of things is currently working. You most likely have issues with the command definitions, or with the nrpe.cfg on the remote host.
In fact, I you get a chance, post your remote host's nrpe.cfg as an attachment or in code wraps and we will take a look.

[hazmat]

Thanks. xinetd was restarted. Everything in /usr/local/nagios/libexec is 755, nagios:nagios.

nrpe.cfg is attached. The only two commands not commented out at the bottom are two I was playing with.

Thanks again.

[abrist]

Have you added the sudoer line? I ask because you have declared the following in your nrpe.cfg:

Code: Select all

command_prefix=/usr/bin/sudo 

If you do not need escalated privileges, I suggest you comment out the line and restart nrpe/xinetd.

Code: Select all

#command_prefix=/usr/bin/sudo 

[hazmat]

I did add sudo privileges to user nagios, just in case, but also just commented that out and restarted xinetd. No change, though.

[abrist]

Alright, lets walk through all of this one more time.
From the remote host, in the libexec directory:

Code: Select all

./check_nrpe -H localhost
./check_disk -w 20% -c 10% -p /var

From the nagios server:

Code: Select all

./check_nrpe -H <remote host ip>
./check_nrpe -H <remote host ip> -c check_disk
./check_nrpe -H <remote host ip> -c check_disk -a '-w 20% -c 10% -p /var'

[hazmat]

Thanks so much for staying on this.

On remote host:

$ ./check_nrpe -H localhost
NRPE v2.12

./check_disk -w 20% -c 10% -p /var
DISK OK - free space: /var 5143 MB (68% inode=99%);| /var=2382MB;6348;7141;0;7935


On nagios server:

# ./check_nrpe -H <IP>
NRPE v2.12

# ./check_nrpe -H <IP> -c check_disk
check_disk: Could not parse arguments
Usage: check_disk -w limit -c limit [-W limit] [-K limit] {-p path | -x device}
[-C] [-E] [-e] [-g group ] [-k] [-l] [-M] [-m] [-R path ] [-r path ]
[-t timeout] [-u unit] [-v] [-X type]

# ./check_nrpe -H <P> -c check_disk -a '-w 20% -c 10% -p /var'
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

From the remote server log:

Mar 26 14:16:32 xinetd[12968]: START: nrpe pid=19778 from=<IP>
Mar 26 14:16:32 nrpe[19778]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Mar 26 14:16:32 nrpe[19778]: Error: Request contained command arguments!
Mar 26 14:16:32 nrpe[19778]: Client request was invalid, bailing out...
Mar 26 14:16:32 xinetd[12968]: EXIT: nrpe status=0 pid=19778 duration=0(sec)

Does this mean that the nrpe I have wasn't built to allow arguments? As I said, this is a production server where I cannot have a compiler on unfortunately.