Error: Could not complete SSL handshake

Posted: Fri Aug 07, 2015 2:07 pm
by gormank
I get the following on all my Nagios servers all the time:

Aug 7 18:36:18 cocsm2mlnag001 nrpe[32582]: Error: Could not complete SSL handshake. 5
Aug 7 18:37:08 cocsm2mlnag001 nrpe[575]: Error: Could not complete SSL handshake. 5
Aug 7 18:41:18 cocsm2mlnag001 nrpe[2931]: Error: Could not complete SSL handshake. 5
Aug 7 18:42:08 cocsm2mlnag001 nrpe[3388]: Error: Could not complete SSL handshake. 5
Aug 7 18:46:18 cocsm2mlnag001 nrpe[6048]: Error: Could not complete SSL handshake. 5
Aug 7 18:47:08 cocsm2mlnag001 nrpe[6498]: Error: Could not complete SSL handshake. 5
Aug 7 18:51:18 cocsm2mlnag001 nrpe[8786]: Error: Could not complete SSL handshake. 5
Aug 7 18:52:08 cocsm2mlnag001 nrpe[9236]: Error: Could not complete SSL handshake. 5

Obviously, it's nrpe, and according to the troubleshooting guide NRPE-Troubleshooting-and-Common-Solutions.pdf it means I'm missing an allowed host in /etc/xinetd.d/nrpe.

Here's an nrpe file from one of the Nagios servers. I use the same file on each server whether it's a Nagios server or a monitored server.

[root@cocsm2mlnag001 ~]# cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_success =
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
}

I'd guess it's some monitored server(s) but there's no indication of which or alerts. I've looked at the nrpe file on the servers and it looks fine...

Any clues, or am I headed in the wrong (or right) direction?

Thanks!

Re: Error: Could not complete SSL handshake

Posted: Sat Aug 08, 2015 5:02 pm
by jdalrymple
My first suggestion is to make sure you're even launching using inetd and not just running as a daemon.

ps -ef | grep nrpe
If you get back something like

/usr/local/nagios/bin/nagios -c nrpe.cfg -d
(the -d at the end being the important part)
it means you're running as standalone daemon, in which case "allowed_hosts" in nrpe.cfg is what matters, not only_from in your inetd configuration.

Re: Error: Could not complete SSL handshake

Posted: Mon Aug 10, 2015 3:08 pm
by gormank
It seems that w/ 100 hosts and the frequency of the error, the problem isn't that it's running differently than I expect.

[root@txslm2mlnag001 services]# ps -ef | grep nrpe
root 5822 20117 0 20:08 pts/0 00:00:00 grep nrpe
[root@txslm2mlnag001 services]#

Re: Error: Could not complete SSL handshake

Posted: Mon Aug 10, 2015 3:52 pm
by jdalrymple
I think I mostly misunderstood the question/symptom.

Typically when you're check_nrpe localhosting and you see that error it's because you're resolving IPv6. The simple solution is to make sure to use 127.0.0.1 for your hostaddress, the more convoluted being to disable IPv6. I've never tried a v6 IP in xinetd, although I'm (somewhat) sure that would work too?
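
The two points jdalrymple makes in the replies above (a standalone daemon is governed by allowed_hosts while xinetd is governed by only_from, and a localhost check that resolves to IPv6 is not the same peer as 127.0.0.1) can be checked offline. This is an added example, not part of the original posts; the daemon ps line, the nrpe.cfg content and the 192.0.2.10 address are constructed, hostnames in the lists are not resolved, and treating IPv4-mapped peers as plain IPv4 is a simplification made here.

```python
import ipaddress
import re

# From the thread: the only_from line of the xinetd stanza and gormank's ps output.
XINETD_CONF = """service nrpe
{
    disable   = no
    only_from = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
}"""
PS_XINETD = "root 5822 20117 0 20:08 pts/0 00:00:00 grep nrpe"
# Constructed for the example: a standalone daemon in ps, and an nrpe.cfg ACL.
PS_DAEMON = ("nagios 1234 1 0 09:00 ? 00:00:00 "
             "/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d")
NRPE_CFG = "allowed_hosts=127.0.0.1,192.0.2.10"


def nrpe_launch_mode(ps_output):
    """Return 'daemon' if ps shows an nrpe process started with -d, else 'xinetd'."""
    for line in ps_output.splitlines():
        if "grep" in line:
            continue  # the grep itself is not an nrpe process
        args = line.split()
        if any(a == "nrpe" or a.endswith("/nrpe") for a in args) and "-d" in args:
            return "daemon"
    return "xinetd"


def xinetd_only_from(conf_text):
    """Collect every address listed on only_from lines of the stanza."""
    entries = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*only_from\s*\+?=\s*(.*)", line)
        if m:
            entries += m.group(1).split()
    return entries


def nrpe_allowed_hosts(cfg_text):
    """Return the comma-separated allowed_hosts list from nrpe.cfg text."""
    for line in cfg_text.splitlines():
        m = re.match(r"\s*allowed_hosts\s*=\s*(.*)", line)
        if m:
            return [h.strip() for h in m.group(1).split(",") if h.strip()]
    return []


def effective_acl(ps_output, xinetd_conf, nrpe_cfg):
    """Return (mode, directive, entries) for the allowlist that actually applies."""
    mode = nrpe_launch_mode(ps_output)
    if mode == "daemon":
        return mode, "allowed_hosts", nrpe_allowed_hosts(nrpe_cfg)
    return mode, "only_from", xinetd_only_from(xinetd_conf)


def peer_permitted(peer, entries):
    """True if the peer address matches an IP or CIDR entry in the list."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # simplification: ::ffff:a.b.c.d treated as a.b.c.d
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry; not resolved in this offline example
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    mode, directive, entries = effective_acl(PS_XINETD, XINETD_CONF, NRPE_CFG)
    print(f"mode={mode}: {directive} applies -> {entries}")
    for peer in ("127.0.0.1", "::1", "::ffff:10.133.134.85", "10.133.134.36"):
        print(f"{peer:>22} permitted: {peer_permitted(peer, entries)}")
```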

Re: Error: Could not complete SSL handshake

Posted: Tue Aug 11, 2015 3:15 pm
by gormank
IPv6 should be disabled, but maybe I need to look into how disabled it actually is.

I have no localhost hosts defined in Nagios. That is, in my list of servers to monitor, there are none named localhost or using 127.0.0.1.
The servers whose syslog is logging this are the nagios servers, not the servers nagios is monitoring. That said, nagios monitors itself (txslm2mlnag001 is monitoring txslm2mlnag001). Maybe that's the problem? Additionally, txslm2mlnag001 monitors cocsm2mlnag001, located in another state.
I have 2 sites, each w/ 2 nagios servers--a primary and failover. I'm hoping to get rid of the failovers after switching to vmware FT.
My understanding is that nagios (or nrpe) on the nagios server talks to nrpe on a remote server telling it to run checks periodically. I guessed a remote couldn't be reached, but maybe I need a lesson in exactly how nagios tells the remote agent to run a check...

Re: Error: Could not complete SSL handshake

Posted: Tue Aug 11, 2015 4:55 pm
by lmiltchev
Run the following commands on all of your Nagios XI servers and show the output:

hostname
netstat -an | grep 5666
grep only_from /etc/xinetd.d/nrpe
/usr/local/nagios/bin/nrpe

Re: Error: Could not complete SSL handshake

Posted: Tue Aug 11, 2015 5:36 pm
by gormank

[root@txslm2mlnag001 windows]# hostname
txslm2mlnag001
[root@txslm2mlnag001 windows]# netstat -an | grep 5666
tcp        0      0 10.133.134.84:33932         10.133.134.36:5666          TIME_WAIT
tcp        0      0 10.133.134.84:34436         10.133.134.117:5666         TIME_WAIT
tcp        0      0 10.133.134.84:47120         10.133.134.53:5666          TIME_WAIT
tcp        0      0 10.133.134.84:50455         10.133.134.30:5666          TIME_WAIT
tcp        0      0 10.133.134.84:38213         10.133.134.24:5666          TIME_WAIT
tcp        0      0 10.133.134.84:42117         10.133.134.89:5666          TIME_WAIT
tcp        0      0 10.133.134.84:57488         10.133.134.54:5666          TIME_WAIT
tcp        0      0 10.133.134.84:39278         10.133.134.84:5666          TIME_WAIT
tcp        0      0 10.133.134.84:42777         10.133.134.33:5666          TIME_WAIT
tcp        0      0 10.133.134.84:50327         10.133.134.23:5666          TIME_WAIT
tcp        0      0 10.133.134.84:35555         10.133.134.17:5666          TIME_WAIT
tcp        0      0 10.133.134.84:53340         10.133.134.116:5666         TIME_WAIT
tcp        0      0 10.133.134.84:46522         10.133.134.37:5666          TIME_WAIT
tcp        0      0 10.133.134.84:43348         10.133.134.85:5666          TIME_WAIT
tcp        0      0 10.133.134.84:47041         10.133.134.53:5666          TIME_WAIT
tcp        0      0 10.133.134.84:46428         10.133.134.37:5666          TIME_WAIT
tcp        0      0 10.133.134.84:50365         10.133.134.30:5666          TIME_WAIT
tcp        0      0 10.133.134.84:42212         10.133.134.89:5666          TIME_WAIT
tcp        0      0 10.133.134.84:43272         10.133.134.85:5666          TIME_WAIT
tcp        0      0 10.133.134.84:35648         10.133.134.17:5666          TIME_WAIT
tcp        0      0 10.133.134.84:39356         10.133.134.84:5666          TIME_WAIT
tcp        0      0 10.133.134.84:50392         10.133.134.23:5666          TIME_WAIT
tcp        0      0 10.133.134.84:42843         10.133.134.33:5666          TIME_WAIT
tcp        0      0 10.133.134.84:50391         10.133.134.30:5666          TIME_WAIT
tcp        0      0 10.133.134.84:57583         10.133.134.54:5666          TIME_WAIT
tcp        0      0 10.133.134.84:45167         10.133.134.31:5666          TIME_WAIT
tcp        0      0 :::5666                     :::*                        LISTEN
[root@txslm2mlnag001 windows]# grep only_from /etc/xinetd.d/nrpe
        only_from       = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
[root@txslm2mlnag001 windows]# /usr/local/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
 -n            = Do not use SSL
 <config_file> = Name of config file to use
 -4            = use ipv4 only
 -6            = use ipv6 only
 <mode>        = One of the following operating modes:
   -i          =    Run as a service under inetd or xinetd
   -d          =    Run as a standalone daemon
   -d -s       =    Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios.  It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

[root@cocsm2mlnag001 ~]# hostname
cocsm2mlnag001
[root@cocsm2mlnag001 ~]# netstat -an | grep 5666
tcp        0      0 10.136.243.84:33675         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.84:49012         10.136.243.44:5666          TIME_WAIT
tcp        0      0 10.136.243.84:58119         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.84:33674         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.84:49853         10.136.243.94:5666          TIME_WAIT
tcp        0      0 10.136.243.84:33744         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.84:59487         10.136.243.116:5666         TIME_WAIT
tcp        0      0 10.136.243.84:38424         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.84:41295         10.136.243.52:5666          TIME_WAIT
tcp        0      0 10.136.243.84:58222         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.84:43760         10.136.243.89:5666          TIME_WAIT
tcp        0      0 10.136.243.84:52282         10.136.243.25:5666          TIME_WAIT
tcp        0      0 10.136.243.84:49015         10.136.243.44:5666          TIME_WAIT
tcp        0      0 10.136.243.84:55139         10.136.243.56:5666          TIME_WAIT
tcp        0      0 10.136.243.84:33723         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.84:46669         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.84:58124         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.84:35020         10.136.243.24:5666          TIME_WAIT
tcp        0      0 10.136.243.84:46841         10.136.243.36:5666          TIME_WAIT
tcp        0      0 :::5666                     :::*                        LISTEN
[root@cocsm2mlnag001 ~]# grep only_from /etc/xinetd.d/nrpe
        only_from       = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
[root@cocsm2mlnag001 ~]# /usr/local/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
 -n            = Do not use SSL
 <config_file> = Name of config file to use
 -4            = use ipv4 only
 -6            = use ipv6 only
 <mode>        = One of the following operating modes:
   -i          =    Run as a service under inetd or xinetd
   -d          =    Run as a standalone daemon
   -d -s       =    Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios.  It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

[root@txslm2mlnag002 ~]# hostname
txslm2mlnag002
[root@txslm2mlnag002 ~]# netstat -an | grep 5666
tcp        0      0 10.133.134.85:43842         10.133.134.85:5666          TIME_WAIT
tcp        0      0 10.133.134.85:58691         10.133.134.36:5666          TIME_WAIT
tcp        0      0 10.133.134.85:34367         10.133.134.52:5666          TIME_WAIT
tcp        0      0 10.133.134.85:54858         10.133.134.33:5666          TIME_WAIT
tcp        0      0 10.133.134.85:51623         10.133.134.56:5666          TIME_WAIT
tcp        0      0 10.133.134.85:42306         10.133.134.22:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50207         10.133.134.31:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50349         10.133.134.31:5666          TIME_WAIT
tcp        0      0 10.133.134.85:55361         10.133.134.32:5666          TIME_WAIT
tcp        0      0 10.133.134.85:42387         10.133.134.22:5666          TIME_WAIT
tcp        0      0 10.133.134.85:45238         10.133.134.25:5666          TIME_WAIT
tcp        0      0 10.133.134.85:51676         10.133.134.56:5666          TIME_WAIT
tcp        0      0 10.133.134.85:51667         10.133.134.54:5666          TIME_WAIT
tcp        0      0 10.133.134.85:43920         10.133.134.85:5666          TIME_WAIT
tcp        0      0 10.133.134.85:54943         10.133.134.116:5666         TIME_WAIT
tcp        0      0 10.133.134.85:59868         10.133.134.84:5666          TIME_WAIT
tcp        0      0 10.133.134.85:60017         10.133.134.55:5666          TIME_WAIT
tcp        0      0 10.133.134.85:55243         10.133.134.32:5666          TIME_WAIT
tcp        0      0 10.133.134.85:59949         10.133.134.84:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50814         10.133.134.24:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50816         10.133.134.24:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50723         10.133.134.24:5666          TIME_WAIT
tcp        0      0 10.133.134.85:40932         10.133.134.89:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50232         10.133.134.31:5666          TIME_WAIT
tcp        0      0 10.133.134.85:41435         10.133.134.93:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50354         10.133.134.31:5666          TIME_WAIT
tcp        0      0 10.133.134.85:52276         10.133.134.117:5666         TIME_WAIT
tcp        0      0 10.133.134.85:51675         10.133.134.56:5666          TIME_WAIT
tcp        0      0 10.133.134.85:42626         10.133.134.57:5666          TIME_WAIT
tcp        0      0 10.133.134.85:51711         10.133.134.54:5666          TIME_WAIT
tcp        0      0 10.133.134.85:50209         10.133.134.31:5666          TIME_WAIT
tcp        0      0 10.133.134.85:45346         10.133.134.25:5666          TIME_WAIT
tcp        0      0 10.133.134.85:35964         10.133.134.53:5666          TIME_WAIT
tcp        0      0 :::5666                     :::*                        LISTEN
[root@txslm2mlnag002 ~]# grep only_from /etc/xinetd.d/nrpe
        only_from       = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
[root@txslm2mlnag002 ~]# /usr/local/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
 -n            = Do not use SSL
 <config_file> = Name of config file to use
 -4            = use ipv4 only
 -6            = use ipv6 only
 <mode>        = One of the following operating modes:
   -i          =    Run as a service under inetd or xinetd
   -d          =    Run as a standalone daemon
   -d -s       =    Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios.  It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

[root@cocsm2mlnag002 ~]# hostname
cocsm2mlnag002
[root@cocsm2mlnag002 ~]# netstat -an | grep 5666
tcp        0      0 10.136.243.85:38191         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.85:58176         10.136.243.89:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39407         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:46925         10.136.243.36:5666          TIME_WAIT
tcp        0      0 10.136.243.85:51593         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36467         10.136.243.25:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39465         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53573         10.136.243.45:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53472         10.136.243.37:5666          TIME_WAIT
tcp        0      0 10.136.243.85:58160         10.136.243.89:5666          TIME_WAIT
tcp        0      0 10.136.243.85:40811         10.136.243.84:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39390         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50789         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:52667         10.136.243.53:5666          TIME_WAIT
tcp        0      0 10.136.243.85:40126         10.136.243.92:5666          TIME_WAIT
tcp        0      0 10.136.243.85:58941         10.136.243.116:5666         TIME_WAIT
tcp        0      0 10.136.243.85:50804         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36751         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36652         10.136.243.25:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53996         10.136.243.57:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36583         10.136.243.25:5666          TIME_WAIT
tcp        0      0 10.136.243.85:49587         10.136.243.43:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39316         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53680         10.136.243.45:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53429         10.136.243.37:5666          TIME_WAIT
tcp        0      0 10.136.243.85:52598         10.136.243.53:5666          TIME_WAIT
tcp        0      0 10.136.243.85:51538         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.85:52650         10.136.243.53:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36522         10.136.243.25:5666          TIME_WAIT
tcp        0      0 10.136.243.85:37582         10.136.243.85:5666          TIME_WAIT
tcp        0      0 10.136.243.85:37682         10.136.243.85:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36218         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:38130         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.85:42467         10.136.243.44:5666          TIME_WAIT
tcp        0      0 10.136.243.85:42495         10.136.243.44:5666          TIME_WAIT
tcp        0      0 10.136.243.85:58336         10.136.243.89:5666          TIME_WAIT
tcp        0      0 10.136.243.85:54240         10.136.243.24:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36354         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:38209         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53638         10.136.243.45:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50746         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:34444         10.136.243.52:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36714         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.85:34367         10.136.243.52:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36747         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.85:54092         10.136.243.57:5666          TIME_WAIT
tcp        0      0 10.136.243.85:54252         10.136.243.24:5666          TIME_WAIT
tcp        0      0 10.136.243.85:48995         10.136.243.56:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36250         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36576         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.85:40660         10.136.243.84:5666          TIME_WAIT
tcp        0      0 10.136.243.85:41112         10.136.243.117:5666         TIME_WAIT
tcp        0      0 10.136.243.85:40594         10.136.243.84:5666          TIME_WAIT
tcp        0      0 10.136.243.85:38156         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.85:58257         10.136.243.89:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53575         10.136.243.37:5666          TIME_WAIT
tcp        0      0 10.136.243.85:52575         10.136.243.53:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39331         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:49398         10.136.243.43:5666          TIME_WAIT
tcp        0      0 10.136.243.85:52520         10.136.243.53:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50919         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:41163         10.136.243.117:5666         TIME_WAIT
tcp        0      0 10.136.243.85:58942         10.136.243.116:5666         TIME_WAIT
tcp        0      0 10.136.243.85:54341         10.136.243.24:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36307         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53631         10.136.243.45:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36334         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:54399         10.136.243.24:5666          TIME_WAIT
tcp        0      0 10.136.243.85:34326         10.136.243.52:5666          TIME_WAIT
tcp        0      0 10.136.243.85:51576         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.85:34985         10.136.243.17:5666          TIME_WAIT
tcp        0      0 10.136.243.85:49426         10.136.243.43:5666          TIME_WAIT
tcp        0      0 10.136.243.85:37686         10.136.243.85:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50726         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50685         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53643         10.136.243.37:5666          TIME_WAIT
tcp        0      0 10.136.243.85:40100         10.136.243.92:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36520         10.136.243.23:5666          TIME_WAIT
tcp        0      0 10.136.243.85:39332         10.136.243.93:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53673         10.136.243.45:5666          TIME_WAIT
tcp        0      0 10.136.243.85:37492         10.136.243.85:5666          TIME_WAIT
tcp        0      0 10.136.243.85:53658         10.136.243.37:5666          TIME_WAIT
tcp        0      0 10.136.243.85:50904         10.136.243.42:5666          TIME_WAIT
tcp        0      0 10.136.243.85:41117         10.136.243.117:5666         TIME_WAIT
tcp        0      0 10.136.243.85:40161         10.136.243.92:5666          TIME_WAIT
tcp        0      0 10.136.243.85:46980         10.136.243.36:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36219         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:51741         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.85:46977         10.136.243.36:5666          TIME_WAIT
tcp        0      0 10.136.243.85:34518         10.136.243.52:5666          TIME_WAIT
tcp        0      0 10.136.243.85:36333         10.136.243.22:5666          TIME_WAIT
tcp        0      0 10.136.243.85:41032         10.136.243.117:5666         TIME_WAIT
tcp        0      0 10.136.243.85:49066         10.136.243.56:5666          TIME_WAIT
tcp        0      0 10.136.243.85:51620         10.136.243.55:5666          TIME_WAIT
tcp        0      0 10.136.243.85:49067         10.136.243.56:5666          TIME_WAIT
tcp        0      0 10.136.243.85:42393         10.136.243.44:5666          TIME_WAIT
tcp        0      0 10.136.243.85:38184         10.136.243.54:5666          TIME_WAIT
tcp        0      0 10.136.243.85:41076         10.136.243.117:5666         TIME_WAIT
tcp        0      0 10.136.243.85:49465         10.136.243.43:5666          TIME_WAIT
tcp        0      0 :::5666                     :::*                        LISTEN
[root@cocsm2mlnag002 ~]# grep only_from /etc/xinetd.d/nrpe
        only_from       = 127.0.0.1 10.133.134.84 10.133.134.85 10.136.243.84 10.136.243.85
[root@cocsm2mlnag002 ~]# /usr/local/nagios/bin/nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE!  **
**      Read the NRPE SECURITY file for more information     **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
 -n            = Do not use SSL
 <config_file> = Name of config file to use
 -4            = use ipv4 only
 -6            = use ipv6 only
 <mode>        = One of the following operating modes:
   -i          =    Run as a service under inetd or xinetd
   -d          =    Run as a standalone daemon
   -d -s       =    Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios.  It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

Re: Error: Could not complete SSL handshake

Posted: Wed Aug 12, 2015 1:42 am
by Box293
I've cross checked all that information and it looks correct.

Do you have a Nagios test & dev server that is possibly not one of these IP Addresses?
gormank wrote: I get the following on all my Nagios servers all the time:

Aug 7 18:36:18 cocsm2mlnag001 nrpe[32582]: Error: Could not complete SSL handshake. 5
Aug 7 18:37:08 cocsm2mlnag001 nrpe[575]: Error: Could not complete SSL handshake. 5

I'd guess it's some monitored server(s) but there's no indication of which or alerts. I've looked at the nrpe file on the servers and it looks fine...
From my understanding, these events are when incoming NRPE requests do not succeed. So it has to be one of the other Nagios servers contacting this nagios server and for some reason isn't allowed.

My question is, on each Nagios server, in the tactical overview, do you see any services that are in a critical or unknown state that reflect this error message?

We can turn on NRPE debugging to collect more information.

Edit the file:
/usr/local/nagios/etc/nrpe.cfg

Define
debug=1
(it will currently be debug=0)

Save the file and

service xinetd restart
Now we need to add an option to the rsyslog server so it processes debug messages
Edit the file:
/etc/rsyslogd.conf
Find /var/log/messages
The line in the config file will look like:
*.info;mail.none;authpriv.none;cron.none /var/log/messages

We need to add the following to the line:
*.info;mail.none;authpriv.none;cron.none;daemon.debug /var/log/messages

Save the file and

service rsyslog restart
Now there should be more information logged in /var/log/messages

Re: Error: Could not complete SSL handshake

Posted: Wed Aug 12, 2015 10:52 am
by gormank
There are no alerts about SSL handshake or anything else on any of the 4 Nagios servers.
Unfortunately, I have no test servers at this time.
Adding the debug just adds the SSL/TLS line to the log.

Aug 12 15:46:19 txslm2mlnag001 nrpe[31934]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:46:25 txslm2mlnag001 nrpe[32026]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:46:49 txslm2mlnag001 nrpe[32111]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:46:55 txslm2mlnag001 nrpe[32160]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:27 txslm2mlnag001 nrpe[32422]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:27 txslm2mlnag001 nrpe[32422]: Error: Could not complete SSL handshake. 5
Aug 12 15:47:29 txslm2mlnag001 nrpe[32429]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:29 txslm2mlnag001 nrpe[32429]: Error: Could not complete SSL handshake. 5
Aug 12 15:47:49 txslm2mlnag001 nrpe[32498]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:53 txslm2mlnag001 nrpe[32513]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:48:23 txslm2mlnag001 nrpe[761]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:48:27 txslm2mlnag001 nrpe[867]: INFO: SSL/TLS initialized. All network traffic will be encrypted.

I can stop the errors by deactivating the server in Nagios which seems to indicate that it's incoming nrpe connections to run checks on the server (rather than outgoing to request a check on some other server).

I disabled IPv6 and all that got me was another log entry I don't want to see:
Aug 12 17:51:59 txslm2mlnag001 xinetd[1575]: IPv6 socket creation failed for service nrpe, trying IPv4
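
The nrpe lines above carry a pid but no peer address, which is why the source of the failing connections stays unknown. One way to name it, as an added example that is not part of the original posts: correlate each error with the connection record xinetd writes for the same pid. It assumes xinetd has been set to log PID and HOST on success for the nrpe service (the stanza posted earlier leaves log_on_success empty) so that START lines exist; the sample log, the hostname nagios01 and the 192.0.2.x addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# xinetd writes a START line per accepted connection when log_on_success
# includes PID and HOST (assumed here; not the configuration shown on the page).
START_RE = re.compile(r"xinetd\[\d+\]: START: nrpe pid=(\d+) from=(\S+)")
ERROR_RE = re.compile(r"nrpe\[(\d+)\]: Error: Could not complete SSL handshake")
TIME_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)")

# Constructed sample syslog; pid 31934 is deliberately reused by a later connection.
SAMPLE_LOG = """\
Aug 12 15:46:19 nagios01 xinetd[1575]: START: nrpe pid=31934 from=::ffff:192.0.2.85
Aug 12 15:46:19 nagios01 nrpe[31934]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:27 nagios01 xinetd[1575]: START: nrpe pid=32422 from=::ffff:192.0.2.84
Aug 12 15:47:27 nagios01 nrpe[32422]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:47:27 nagios01 nrpe[32422]: Error: Could not complete SSL handshake. 5
Aug 12 15:48:23 nagios01 xinetd[1575]: START: nrpe pid=761 from=::ffff:192.0.2.85
Aug 12 15:48:23 nagios01 nrpe[761]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Aug 12 15:52:27 nagios01 xinetd[1575]: START: nrpe pid=2210 from=::ffff:192.0.2.84
Aug 12 15:52:27 nagios01 nrpe[2210]: Error: Could not complete SSL handshake. 5
Aug 12 15:57:27 nagios01 xinetd[1575]: START: nrpe pid=31934 from=::ffff:192.0.2.84
Aug 12 15:57:27 nagios01 nrpe[31934]: Error: Could not complete SSL handshake. 5
"""


def normalize(addr):
    """Show IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as plain IPv4."""
    return addr[7:] if addr.lower().startswith("::ffff:") and "." in addr else addr


def clock_seconds(line):
    """Seconds since midnight taken from the syslog timestamp of a line."""
    hours, minutes, secs = map(int, TIME_RE.match(line).groups())
    return hours * 3600 + minutes * 60 + secs


def failed_handshakes(log_text):
    """Return (seconds_of_day, pid, peer) for each handshake error, in log order."""
    peer_by_pid = {}
    failures = []
    for line in log_text.splitlines():
        start = START_RE.search(line)
        if start:
            # A later START overwrites an earlier one, so a recycled pid is
            # attributed to its most recent connection.
            peer_by_pid[start.group(1)] = normalize(start.group(2))
            continue
        error = ERROR_RE.search(line)
        if error:
            pid = error.group(1)
            failures.append((clock_seconds(line), pid, peer_by_pid.get(pid, "unknown")))
    return failures


def summarize(failures):
    """Per peer: failure count and the most common gap between failures (seconds)."""
    times = defaultdict(list)
    for when, _pid, peer in failures:
        times[peer].append(when)
    report = {}
    for peer, stamps in times.items():
        gaps = Counter(b - a for a, b in zip(stamps, stamps[1:]))
        report[peer] = {"count": len(stamps),
                        "typical_gap": gaps.most_common(1)[0][0] if gaps else None}
    return report


if __name__ == "__main__":
    for peer, info in summarize(failed_handshakes(SAMPLE_LOG)).items():
        print(peer, info)
```

The typical gap can be compared with the check intervals configured in Nagios to narrow down which service definition produces the connection.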

Re: Error: Could not complete SSL handshake

Posted: Wed Aug 12, 2015 2:35 pm
by lmiltchev
gormank wrote: I disabled IPv6 and all that got me was another log entry I don't want to see:
Aug 12 17:51:59 txslm2mlnag001 xinetd[1575]: IPv6 socket creation failed for service nrpe, trying IPv4
What guide/tutorial did you follow? Can you tell us what you changed on your system in order to disable IPv6?

Are you using ModGearman? I wonder if the check_nrpe issue is caused by a problem with ModGearman...

At this point, it seems to me that we will need to move this to our email ticketing system and possibly do a remote. Is this an option for you?