
NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake

Problem Description

This KB article addresses the following NRPE error:

CHECK_NRPE: Error - Could Not Complete SSL Handshake

 

The NRPE client may also log messages similar to the following in SYSLOG:

Dec 11 09:08:14 centos19 xinetd[2567]: FAIL: nrpe address from=2001:44b8:3132:25:be5f:f4ff:fefd:7d97
Dec 11 09:08:53 centos19 xinetd[2578]: FAIL: nrpe address from=10.25.254.5

 

 

Assumed Knowledge

The following KB article contains an explanation of how NRPE works and may need to be referenced to completely understand the problem and solution that is provided here:

NRPE - Agent and Plugin Explained

 

Troubleshooting The Error

This is probably the most common of all error messages and one of the first you will encounter when new to NRPE. There are a few different causes, though the most likely one is that the Nagios XI server's IP address is not defined as being allowed to communicate with NRPE. This can be defined in one of two locations, depending on whether you are using xinetd as the daemon to run NRPE or NRPE has its own dedicated daemon. To identify which one is being used, execute the following command on the remote host:

ls -la /etc/xinetd.d/nrpe


If you get output like this, xinetd is being used and you should follow the XINETD steps below:

-rw-r--r--. 1 root root 483 Feb 22 12:23 /etc/xinetd.d/nrpe


If you get output like this, NRPE has its own daemon and you should follow the nrpe.cfg steps below:

ls: cannot access /etc/xinetd.d/nrpe: No such file or directory

 


XINETD

If you use xinetd for controlling the NRPE daemon (most people do), then you need to add the Nagios server's IP address to the xinetd NRPE configuration file /etc/xinetd.d/nrpe. Edit the file by executing the following command:

vi /etc/xinetd.d/nrpe

 

In this file you will find the line:

only_from = 127.0.0.1

 

This list is a space-delimited list. Change it to:

only_from = 127.0.0.1 <Nagios XI server ip>

 

With the increasing popularity of IPv6 you may also want to add the local IPv6 ::1 address to the list of only_from addresses, for example:

only_from = 127.0.0.1 ::1 <Nagios XI server ip>

 

You can also define the only_from directive over multiple lines by using += for each consecutive line, for example:

only_from = 127.0.0.1
only_from += ::1
only_from += <Nagios XI server ip>

 

Remember to change <Nagios XI server ip> to your actual Nagios XI server IP address. Note that 127.0.0.1 should remain, as it allows you to troubleshoot NRPE issues locally (and so does ::1). After you have made these changes, restart the xinetd service on the remote host (this example may be different on your operating system distribution):

service xinetd restart



NRPE.CFG

If you use a dedicated daemon for NRPE, then you need to add the Nagios server's IP address to the nrpe.cfg configuration file /usr/local/nagios/etc/nrpe.cfg.  Edit the file by executing the following command:

vi /usr/local/nagios/etc/nrpe.cfg

 

In this file you will find the line:

allowed_hosts=127.0.0.1

 

This list is a comma-delimited list. Change it to:

allowed_hosts=127.0.0.1,<Nagios XI server ip>

 

Remember to change <Nagios XI server ip> to your actual Nagios XI server IP address. Note that 127.0.0.1 should remain, as it allows you to troubleshoot NRPE issues locally. After you have made these changes, restart the NRPE service on the remote host (this example may be different on your operating system distribution):

service nrpe restart
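
A way to confirm the allow-list edit before re-running check_nrpe, covering both the XINETD and NRPE.CFG steps above. This is an added example, not part of the original article; the function names, the ROOT prefix and the 192.0.2.10 sample address are assumptions, and matching is exact-string only (CIDR ranges or hostnames in the list are printed but not expanded).

```shell
# Added example (not from the KB article). Exact-match only: no CIDR or DNS handling.

# Print each allow-list entry in FILE, one per line. Handles xinetd
# "only_from" (space-delimited, "=" or "+=") and nrpe.cfg "allowed_hosts"
# (comma-delimited). Commented-out lines are skipped.
nrpe_allow_list() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*only_from[ \t]*[+]?=/ {
            sub(/^[ \t]*only_from[ \t]*[+]?=[ \t]*/, "")
            n = split($0, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
        /^[ \t]*allowed_hosts[ \t]*=/ {
            sub(/^[ \t]*allowed_hosts[ \t]*=[ \t]*/, "")
            n = split($0, a, /,/)
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", a[i]); if (a[i] != "") print a[i] }
        }
    ' "$1"
}

# Succeed (exit 0) only if IP is listed verbatim in FILE.
nrpe_allows() {
    nrpe_allow_list "$1" | grep -Fxq -- "$2"
}

# Same decision as the article's "ls" test. ROOT is a hypothetical prefix for offline runs.
nrpe_acl_file() {
    _root=${1:-}
    if [ -e "$_root/etc/xinetd.d/nrpe" ]; then
        echo "$_root/etc/xinetd.d/nrpe"
    else
        echo "$_root/usr/local/nagios/etc/nrpe.cfg"
    fi
}

# Constructed sample: 192.0.2.10 stands in for the Nagios XI server address.
demo=$(mktemp -d) && mkdir -p "$demo/etc/xinetd.d"
printf '%s\n' 'service nrpe' '{' '    only_from = 127.0.0.1' \
    '    only_from += ::1' '    only_from += 192.0.2.10' '}' \
    > "$demo/etc/xinetd.d/nrpe"
f=$(nrpe_acl_file "$demo")
for ip in 192.0.2.10 10.25.254.5; do
    if nrpe_allows "$f" "$ip"; then echo "$ip allowed"; else echo "$ip NOT in allow-list"; fi
done
rm -rf "$demo"
```

On a real remote host, call nrpe_acl_file with no argument so it reads the live files, then pass the address from the xinetd FAIL log line to nrpe_allows.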

 

 

SSL Not Compiled In:

Another cause of SSL issues is that NRPE was not compiled with SSL enabled. To recompile NRPE with SSL support, browse to your NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document; the directory name matches the version you downloaded) and recompile using the --enable-ssl flag:

cd /tmp/nrpe-2.14
./configure --enable-ssl
make all
make install

 

Understand that if you installed from a corporate build or from a package repo, you may have to uninstall the current NRPE package and install from source. You may need to pursue support on the specific distribution's forums or through Nagios support. The following link has detailed instructions on compiling NRPE from source:

https://support.nagios.com/kb/article.php?id=515

 

Xinetd Per Source Limit:

This cause is rare, but worth mentioning. If you use your remote host's NRPE server as an NRPE node proxy (sending all checks for the network segment to a single NRPE-enabled server behind a firewall), or if you are doing a large number of NRPE checks in a relatively short time period on one remote host, you may hit the maximum connection limit of NRPE. This is technically an xinetd setting and can be uncapped by editing the file /etc/xinetd.d/nrpe on your remote host:

nano /etc/xinetd.d/nrpe

 

Add the following lines to the file, before the closing "}":

per_source = UNLIMITED
instances = UNLIMITED


And then restart XINETD with the following command (this example may be different to your operating system distribution):

service xinetd restart

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/
