SSL_ERR 5 Error -Could not complete SSL handshake with

[valkeyr]

After upgrading Nagios XI 5.4.13 --> Nagios XI 5.5.3 NRPE checks stopped working on ALL hosts(they were working fine on version 5.4.13).

NSCLIENT.ini output;

Code: Select all

[/modules]
CheckExternalScripts = 1
CheckHelpers = 1
CheckEventLog = 1
CheckNSCP = 1
CheckDisk = 1
CheckSystem = 1
NRPEServer = 1

[/settings/eventlog]
buffer size = 131072
debug = false
lookup names = true
syntax =

[/settings/external scripts]
allow arguments = true
allow nasty characters = true
timeout = 60

[/settings/external scripts/wrappings]
bat = scripts\\%SCRIPT% %ARGS%
ps1 = cmd /c echo scripts\\%SCRIPT% %ARGS%; exit($lastexitcode) | powershell.exe -command -
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
;exe = cmd /c %SCRIPT% %ARGS%

[/settings/external scripts/alias]
;alias_cpu = checkCPU warn=80 crit=90 time=5m time=1m time=30s
;alias_cpu_ex = checkCPU warn=$ARG1$ crit=$ARG2$ time=5m time=1m time=30s
; ...skipping lines as we do provide LOT of alias for you...
;alias_updates = check_updates -warning 0 -critical 0
;alias_volumes = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED
;alias_volumes_loose = CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED ignore-unreadable

[/settings/external scripts/scripts]
check_exchange_queue=cmd /c echo scripts\check_exchange_queue.ps1 $ARG1$ $ARG2$ $ARG3$; exit($lastexitcode) | powershell.exe -noprofile -nologo -command  -
check_complus=cscript.exe //T:30 //NoLogo scripts\check_complus.vbs $ARG1$ 
check_domain=cscript.exe //T:60 //NoLogo scripts\check_domain.vbs
check_updates=cscript.exe //T:60 //NoLogo scripts\check_windows_updates.vbs
check_pubfolders=cmd /c echo scripts\check_pubfolders.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_mbxdatabases=cmd /c echo scripts\check_mbxdatabases.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_lunusage=cmd /c echo scripts\read_lun_file.ps1 $ARG1$; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_snapshots=cmd /c echo scripts\check_snapshots.ps1 $ARG1$ $ARG2$; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_xenapp_sessions=cmd /c echo scripts\xenapp_sessions.ps1 $ARG1$ $ARG2$; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_xenapp_profit=cmd /c echo scripts\xenapp_profit.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_xenapp_desktop=cmd /c echo scripts\xenapp_desktop.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_fileshare=cmd /c echo scripts\check_cluster.ps1 $ARG1$; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_terminal_sessions=cmd /c echo scripts\terminal_sessions.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -
check_citrix_licenses=cmd /c echo scripts\citrix_licenses.ps1; exit($lastexitcode) | powershell.exe -noprofile -nologo -command -

[/settings/external scripts/wrapped scripts]
;check_updates=check_updates.vbs $ARG1$ $ARG2$

[/paths]
shared-path = C:\Program Files\NSClient++
certificate-path = ${shared-path}\security

[/settings/NRPE/server]
allow nasty characters = true
allow arguments = true
allowed hosts=172.1.1.1 ( DUMMY)
allowed ciphers = ALL:!MD5:@STRENGTH
extended response = 0
port=5666
ssl options=
insecure = true
dh=${certificate-path}/nrpe_dh_512.pem
certificate=${certificate-path}/certificate.pem
certificate format=PEM

Used all the tricks i know. Anyone had the same problem and found a solution?

[valkeyr]

We were able to reproduce the situation in a test environment. Same issue: before the upgrade everything works fine, after upgrading NRPE checks stopped working.

Included export of Nagios XI System Info (profile):

Code: Select all

Nagios XI - System Info

System

Nagios XI version: 5.5.4
XI installed from: source
XI UUID: f050291c-b495-4e76-804f-c5aad8495a4e
Release info: MON02.domain.nl 3.10.0-862.3.3.el7.x86_64 x86_64
CentOS Linux release 7.5.1804 (Core) 
Gnome is not installed
Apache Information

PHP Version: 5.4.16
Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Server Name: nagios.domain.nl
Server Address: 172.17.1.20
Server Port: 80
Date/Time

PHP Timezone: Europe/Amsterdam 
PHP Time: Wed, 26 Sep 2018 11:21:31 +0200
System Time: Wed, 26 Sep 2018 11:21:31 +0200
Nagios XI Data

License ends in: 
UUID: f050291c-b495-4e76-804f-c5aad8495a4e
Install Type: source

Sep 26 11:21:01 MON02.domain.nl sudo[6096]: nagios : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/nagiosxi/scripts/manage_services.sh status mysqld
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Sep 26 11:20:28 MON02.domain.nl ndo2db[14908]: Trimming eventhandlers.
CPU Load 15: 0.60 
Total Hosts: 3 
Total Services: 20 

Function get_base_uri() returns: http://nagios.domain.nl/nagiosxi/
Function get_base_url() returns: http://nagios.domain.nl/nagiosxi/
Function get_backend_url(internal_call=false) returns: http://nagios.domain.nl/nagiosxi/includes/components/profile/profile.php
Function get_backend_url(internal_call=true) returns: http://localhost/nagiosxi/backend/

Ping Test localhost

Running:
/bin/ping -c 3 localhost 2>&1 
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.067 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.062/0.066/0.070/0.007 ms
Test wget To localhost

WGET From URL: http://localhost/nagiosxi/includes/components/ccm/ 
Running:
/usr/bin/wget http://localhost/nagiosxi/includes/components/ccm/ 
--2018-09-26 11:21:33-- http://localhost/nagiosxi/includes/components/ccm/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://localhost/nagiosxi/login.php?redirect=/nagiosxi/includes/components/ccm/index.php%3f&noauth=1 [following]
--2018-09-26 11:21:33-- http://localhost/nagiosxi/login.php?redirect=/nagiosxi/includes/components/ccm/index.php%3f&noauth=1
Reusing existing connection to [localhost]:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: '/usr/local/nagiosxi/tmp/ccm_index.tmp'

0K .......... .......... .... 7.44M=0.003s

2018-09-26 11:21:33 (7.44 MB/s) - '/usr/local/nagiosxi/tmp/ccm_index.tmp' saved [25433]

Network Settings

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host 

       valid_lft forever preferred_lft forever

2: ens160:  mtu 1500 qdisc mq state UP group default qlen 1000

    link/ether 00:50:56:bb:17:d6 brd ff:ff:ff:ff:ff:ff

    inet 172.17.1.20/20 brd 172.17.15.255 scope global noprefixroute ens160

       valid_lft forever preferred_lft forever

    inet6 fe80::e763:b87b:bff2:4d23/64 scope link noprefixroute 

       valid_lft forever preferred_lft forever


default via 192.168.1.254 dev ens160 proto static metric 100 

172.17.0.0/20 dev ens160 proto kernel scope link src 172.17.1.20 metric 100 


Nagios XI Components

actions	2.0.1
alertcloud	1.2.1
alertstream	2.1.0
autodiscovery	2.2.5
backendapiurl	1.0.3
bandwidthreport	1.8.0
bbmap	1.2.0
birdseye	3.2.2
bulkmodifications	2.2.0
capacityplanning	2.3.0
ccm	2.7.0
custom-includes	1.0.4
customlogin	1.0.0
customlogo	1.2.0
deploydashboard	1.3.0
deploynotification	1.3.3
duo	1.0.0
escalationwizard	1.5.0
freevariabletab	1.0.1
globaleventhandler	1.2.2
graphexplorer	2.2.1
helpsystem	2.0.0
highcharts	4.0.1
homepagemod	1.1.8
hypermap	1.2.0
hypermap_replay	1.2.0
isms	1.2.3
latestalerts	1.2.6
ldap_ad_integration	1.1.0
massacknowledge	2.1.14
metrics	1.2.10
minemap	1.2.4
nagiosbpi	2.7.1
nagioscore	
nagioscorecfg	
nagiosim	2.2.6
nagiosna	1.4.0
nagiosql	
nagvis	2.0.0
nocscreen	1.1.2
nrdsconfigmanager	1.6.4
nxti	1.0.1
opscreen	1.8.0
perfdata	
pingaction	1.1.1
pnp	
profile	1.4.0
proxy	1.1.4
rdp	1.0.3
rename	1.6.0
scheduledbackups	1.2.0
scheduledreporting	
similetimeline	1.5.0
snmptrapsender	1.5.5
statusmap	1.0.2
tracerouteaction	1.1.1
usermacros	1.1.0
xicore	
Nagios XI Config Wizards

ec2	1.0.0
s3	1.0.0
autodiscovery	1.4.2
bpiwizard	1.1.4
bulkhostimport	2.0.4
digitalocean	1.0.0
google-cloud	1.0.0
linode	1.0.0
microsoft-azure	1.0.0
rackspace	1.0.0
dhcp	1.1.4
dnsquery	1.1.3
docker	1.0.1
domain_expiration	1.1.4
email-delivery	2.0.4
esensors_websensor	1.1.4
exchange	1.3.2
folder_watch	1.0.5
ftpserver	1.5.5
genericnetdevice	1.0.3
ldapserver	1.3.3
linux-server	1.5.5
linux_snmp	1.5.5
macosx	1.3.0
mailserver	1.2.4
mongodb_database	1.1.2
mongodbserver	1.1.2
mountpoint	1.0.2
mssql_database	1.6.2
mssql_query	1.6.4
mssql_server	1.9.1
mysqlquery	1.2.3
mysqlserver	1.3.3
nagioslogserver	1.0.5
nagiostats	1.2.3
nagiosxiserver	1.3.0
ncpa	2.0.1
nna	1.0.4
nrpe	1.5.2
oraclequery	1.3.3
oracleserverspace	1.5.3
oracletablespace	1.5.4
passivecheck	1.2.4
passiveobject	1.1.3
postgresdb	1.5.3
postgresquery	1.2.3
postgresserver	1.3.4
printer	1.1.3
radiusserver	2.0.1
sla	1.3.2
snmp	1.6.0
snmp_trap	1.5.3
snmpwalk	1.3.7
solaris	1.2.5
sshproxy	1.5.7
switch	2.4.0
tcpudpport	1.3.3
tftp	1.0.2
vmware	1.7.1
watchguard	1.4.5
website	1.3.0
website_defacement	1.1.5
websiteurl	1.3.7
webtransaction	1.2.5
windowseventlog	1.3.3
windowsserver	1.6.2
windowsdesktop	1.6.2
windowssnmp	1.5.2
windowswmi	2.1.0
Nagios XI Dashlets

alertcloud	
bbmap	
capacityplanning	
graphexplorer	
hypermap	
latestalerts	
metrics	
metricsguage	
minemap	
xicore_xi_news_feed	
xicore_getting_started	
xicore_admin_tasks	
xicore_eventqueue_chart	
xicore_component_status	
xicore_server_stats	
xicore_monitoring_stats	
xicore_monitoring_perf	
xicore_monitoring_process	
xicore_perfdata_chart	
xicore_host_status_summary	
xicore_service_status_summary	
xicore_comments	
xicore_hostgroup_status_overview	
xicore_hostgroup_status_grid	
xicore_servicegroup_status_overview	
xicore_servicegroup_status_grid	
xicore_hostgroup_status_summary	
xicore_servicegroup_status_summary	
xicore_available_updates	
xicore_network_outages	
xicore_network_outages_summary	
xicore_network_health	
xicore_host_status_tac_summary	
xicore_service_status_tac_summary	
xicore_feature_status_tac_summary	
availability	
custom_dashlet	1.0.5
gauges	1.2.2
googlemapdashlet	1.1.0
internettrafficreport	
rss_dashlet	1.1.0
sansrisingports	2.0
sla	
worldtimeserver	2.0.0

[skang]

Hello Valkeyr,

First, just in case you have not, please try to restart the nsclient service to see if this resolves the issue. You should be able to do this from Services under Administrative Tools.

Could you also include the contents of nsclient.log without sensitive information.

[lmiltchev]

I didn't see the following directive in the nsclient.ini file that you showed us:

Code: Select all

use ssl = 1

Do you have this line? If you don't, try adding it under the [/settings/NRPE/server] section, and restart the NSClient++ service to see if this is going to fix your problem.