NRPE SSL handshake issue

youngek · Post by **youngek** » Thu Apr 13, 2017 8:06 am

MOD EDIT: this user split from https://support.nagios.com/forum/viewto ... 999#bottom

I have defined the host server on the remote server and I still get an SSL handshake issue when trying to run NRPE. All of the statuses show unknown.

Post by **tgriep** » Thu Apr 13, 2017 2:40 pm

From the install.log file from the other post, is looks like SSL was compiled in so lets try running the check_nrpe from the Nagios XI server both ways and see if one of them works.
Login to the XI server, run the following and post the output. Replace xxx.xxx.xxx.xxx with the remote server.

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx
/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx -n

Lets see if port 5666 is open to the XI server, run this and post the output

Code: Select all

nmap xxx.xxx.xxx.xxx -p 5666

Then, on the remote system, run the following and post the output.

Code: Select all

netstat -anp |grep 5666 
/usr/local/nagios/bin/nrpe
ps -ef |grep nrpe

Post this file from the remote system.

Code: Select all

/usr/local/nagios/etc/nrpe.cfg

youngek · Post by **youngek** » Fri Apr 14, 2017 7:57 am

here are the outputs and PMed the cfg file.

Post by **tgriep** » Fri Apr 14, 2017 8:38 am

There is one error in the nrpe.cfg file. Change this from

Code: Select all

allowed_hosts=127.0.0.1,allowed_hosts=56.190.15.8

to

Code: Select all

allowed_hosts=127.0.0.1,56.190.15.8

Save the file and restart the NRPE Agent.

Code: Select all

restart nrpe

Then run these commands from the Nagios server to see if one of them work. Replace xxx.xxx.xxx.xxx with the remote servers IP.

Code: Select all

/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx
/usr/local/nagios/libexec/check_nrpe -H xxx.xxx.xxx.xxx -n

Also, I need to see the output from these 2 commands that are run on the remote system

Code: Select all

/usr/local/nagios/bin/nrpe
ps -ef |grep nrpe

youngek · Post by **youngek** » Mon Apr 17, 2017 7:26 am

nrpe 27421 1 0 07:18 ? 00:00:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d
root 27443 27254 0 07:19 pts/0 00:00:00 grep nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

***************************************************************
** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **
** Read the NRPE SECURITY file for more information **
***************************************************************

***************************************************************
** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **
** Read the NRPE SECURITY file for more information **
***************************************************************

Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>

Options:
-n = Do not use SSL
<config_file> = Name of config file to use
-4 = use ipv4 only
-6 = use ipv6 only
<mode> = One of the following operating modes:
-i = Run as a service under inetd or xinetd
-d = Run as a standalone daemon
-d -s = Run as a subsystem under AIX

Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios. It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.

Post by **tgriep** » Mon Apr 17, 2017 12:16 pm

The output of the ps -ef |grep nrpe command that you ran is looks like it is not running the compiled version of the NRPE Agent from your previous post.
This of not the default path the NRPE agent gets installed to if using the NRPE Installer from the XI GUI.

Code: Select all

/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

I am guessing that the above agent is causing the issue so you should remove it and stop the daemon from running.
Then the compiled version should start up from the xinetd daemon and hopefully the NRPE Agent will start to function.

youngek · Post by **youngek** » Tue Apr 18, 2017 2:16 pm

I uninstalled the agent. I ran a check and I still get CHECK_NRPE: Error - Could not complete SSL handshake.

Post by **tgriep** » Tue Apr 18, 2017 2:31 pm

Try installing the latest version of NRPE Agent by following the instructions in the KB article below.

Code: Select all

https://support.nagios.com/kb/article.php?id=515

If you see any errors when compiling ot installing it, please post them here.

youngek · Post by **youngek** » Wed Apr 19, 2017 7:24 am

I think the problem is that I still have two versions of nrpe running. B/c I followed the install instructions from the KB and when I test nrpe I get version 2.15 instead of version 3.01. I believe this box was originally setup for Nagios Core. Also I get can not complete the ssl handshake.

Post by **tgriep** » Wed Apr 19, 2017 11:25 am

When you ran the test and received the version number, post how you ran the command and which server did you run the command on?
When you received the SSL handshake error, post how you ran the command and which server did you run the command on?
When you ran the command and received the SSL error, there should be a log entry on the server running the NRPE agent. Take a look in the /var/log/messages file to see what the error is and post that as well.

Nagios Support Forum

NRPE SSL handshake issue

NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue

Re: NRPE SSL handshake issue