Could not complete SSL handshake - NRPE 2.15 under xinetd

[cgutierr]

Hello,


I am getting a CHECK_NRPE: Error -Could not complete SSL handshake on a client running RHEL5. I have checked and double-checked all the configuration settings in /etc/xinetd.d/nrpe to make sure I have included the server and the localhost in the "only_from" line. Ran "check_nrpe -H avalon" from both the server and the localhost and it still comes up with the error. I have also stopped iptables for troubleshooting purposes. I ran NMAP on port 5666 from the server to the client and the port is open. I don't know what else to check. Any help from you guys will be greatly appreciated. Thank you.


V/R,


Christopher Gutierrez

[bwallace]

+ Nmap may show :5566 open, but could you confirm NRPE is running on the client machine?
netstat -anp|grep :5666

+ Could it be that NRPE was not compiled with ssl enabled? - refer to page 4 of https://assets.nagios.com/downloads/nag ... utions.pdf

+ How was NRPE installed? From source, repo, or from the XI agent download?

[cgutierr]

Here is what I got when doing a "netstat -anp | grep :5666":

tcp 0 0.0.0.0:5666 0.0.0.0:* LISTEN 15613/xinetd
tcp 0 <client ip>:5666 <server ip>:43190 TIME_WAIT -

I have re-ran the installation of NRPE with SSL enabled, and it still does not work.

I installed NRPE using the .tar.gz file I downloaded from your repo since the network I am using it one is disconnected from the internet.

[scottwilkerson]

Is your Nagios server listed in the only_from field of /etc/xinetd.d/nrpe on the client machine?

Code: Select all

cat /etc/xinetd.d/nrpe|grep only_from

If not, you need to add it and then restart xinetd

Code: Select all

service xinetd restart

[cgutierr]

Yes, my Nagios server is listed in the only_from field. I don't know what else could be wrong.

[scottwilkerson]

you mentioned you ran the following from both server

Code: Select all

check_nrpe -H avalon

Are we sure they can resolve "avalon"?

Can you run it using the IP address?

[cgutierr]

Yes, it also resolves with IP as well.

[Box293]

Can you please run these commands on the NRPE Client and show us the output:

Code: Select all

ps -C xinetd
ps -C nrpe

[cgutierr]

Here is the output:

[root@avalon ~]# ps -C xinetd
PID TTY TIME CMD
23025 ? 00:00:00 xinetd

[root@avalon ~]# ps -C nrpe
PID TTY TIME CMD

[lmiltchev]

I have checked and double-checked all the configuration settings in /etc/xinetd.d/nrpe to make sure I have included the server and the localhost in the "only_from" line.

Are these two IP addresses separated by a space or a comma? You haven't really showed us the output of "cat /etc/xinetd.d/nrpe|grep only_from" as requested by scottwilkerson, so it's hard to say what you have on the "only_from" line.

Have you restarted xinetd after adding the Nagios XI server's ip to to "/etc/xinetd.d/nrpe"?

Code: Select all

service xinetd restart

Is SELinux disabled? Are you using tcp wrappers? Do you have anything in the hosts.allow and/or hosts.deny?

Are you performing a large number of NRPE checks in a relatively short period of time? If this is the case, you can try adding the following two lines to "/etc/xinetd.d/nrpe" file:

Code: Select all

per_source = UNLIMITED
instances = UNLIMITED

as described here:
https://assets.nagios.com/downloads/nag ... utions.pdf

Run the following command on the Nagios XI server, and show the output:

Code: Select all

nmap <client ip> -p 5666