NRPE cannot complete SSL handshake

[Ben Cotton]

I've set up NRPE on my syslog server so that I can make sure it is up and keep an eye on disk resources. However, the checks always fail with " CHECK_NRPE: Error - Could not complete SSL handshake." I keep finding the same troubleshooting steps on the intertubes, but I haven't been able to fix it yet:

Different versions. Make sure you are using the same version of the check_nrpe plugin and the NRPE daemon. Newer versions of NRPE are usually not backward compatible with older versions.

check_nrpe and the nrpe daemon running on the system are from the same build. The Nagios server is one version behind, but that hasn't been a problem on my other machines.

SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support and that neither are being run without SSL support (using command line switches).

I went back and re-compiled nrpe and check_nrpe making sure to use SSL in the configure, but no difference. ldd confirms that the binaries are linked to the SSL libraries

Code:

bash-3.2# ldd nrpe 
        linux-gate.so.1 =>  (0x40000000)
        libssl.so.6 => /lib/libssl.so.6 (0x001c7000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00ca9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c0c000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00a5b000)
        libc.so.6 => /lib/libc.so.6 (0x00915000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x004d3000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00386000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x0015b000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0041e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00deb000)
        libdl.so.2 => /lib/libdl.so.2 (0x4000a000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00b10000)
        /lib/ld-linux.so.2 (0x008f7000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00446000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0024d000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00aeb000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00aa3000)
bash-3.2# ldd check_nrpe 
        linux-gate.so.1 =>  (0x40000000)
        libssl.so.6 => /lib/libssl.so.6 (0x001c7000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00ca9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00c0c000)
        libc.so.6 => /lib/libc.so.6 (0x00915000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x004d3000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00386000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x0015b000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x0041e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00deb000)
        libdl.so.2 => /lib/libdl.so.2 (0x00a5b000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00b10000)
        /lib/ld-linux.so.2 (0x008f7000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00446000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0024d000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00aeb000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00aa3000)
bash-3.2#

I've checked to make sure that SSL is not being disabled, it isn't.

Incorrect file permissions. Make sure the NRPE config file (nrpe.cfg) is readable by the user (i.e. nagios) that executes the NRPE binary from inetd/xinetd.

The permissions look okay:

Code:

bash-3.2# ps aux  | grep nrpe
nobody   10407  0.0  0.1   5340   724 ?        Ss   11:25   0:00 nrpe -c /etc/nrpe.cfg -d
bash-3.2# ls -lAsh /etc/nrpe.cfg 
12K -r--r--r-- 1 nobody root 6.5K Apr  9 12:32 /etc/nrpe.cfg
bash-3.2#

Pseudo-random device files are not readable. Greg Haygood noted the following... "After wringing my hair out and digging around with truss, I figured out the problem on my Solaris 8 boxen. The files /devices/pseudo/random* (linked through /dev/*random, and provided by Sun patch 11243 were not readable by the nagios user I use to launch NRPE. Making the character devices world-readable solved it."

/dev/random is 666

Unallowed address. If you're running the NRPE daemon under xinetd, make sure that you have a line in the xinetd config file that say "only_from = xxx.xxx.xxx.xxx", where xxx.xxx.xxx.xxx is the IP address that you're connected to the NRPE daemon from.

I'm running it from an init script, not xinetd, but the host is allowed. I've verified this with a telnet from the Nagios server.

The log server is RHEL 5.3 with all packages updated. Any suggestions would be greatly appreciated.


Thanks,
BC

[zephyrus360]

Hi Ben,

I am too stuck with the same problem and havent been able to make any headway.
I too have tried above steps but with no success. I am using Ubuntu.

Were u able to solve this problem??

Thanks

[zephyrus360]

Hi..

Finally, i was able to get my NRPE plugin working.

Actually, I was using a Vmware virtual machine as remote host on which I was running the NRPE daemon. And i was running the Nagios monitoring server from my main machine.

By default, Vmware had chosen NAT network connection for the remote host. With this setting I was able to ping the remote host from the monitoring server and even run nagio's check_tcp command successfuly. But check_nrpe would still throw the SSL handshake failed error from the monitoring server.

After trying all the known troubleshooting tips from internet over 2 days, I eventually tried changing the network adapter settings of my virtual machine in VMware Workstation. I set it to 'Bridged' and also selected the 'Replicate physical network connection state' option.
And the check_nrpe plugin worked from my monitoring server!