LinuxQuestions.org
Old 10-30-2009, 04:34 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Rep: Reputation: 33
Nagios: CHECK_NRPE: Error - Could not complete SSL handshake


Need some help with NRPE-config for Nagios.

The NRPE-plugin is running as a xinetd-service.

Firewall on Nagios Monitoring server is down.
Firewall on remote client is running, TCP-port 5666 is open.

I'm getting the following error:

Code:
[root@nagios nrpe-2.12]# /usr/local/nagios/libexec/check_nrpe -H remote_ip
CHECK_NRPE: Error - Could not complete SSL handshake.

./configure shows that the ssl-libraries are found:

Code:
checking for type of socket size... size_t
checking for SSL headers... SSL headers found in /usr
checking for SSL libraries... SSL libraries found in /usr/lib

*** Generating DH Parameters for SSL/TLS ***
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
......+..............+..............+........+.................................................................................................+........................+......+..........+.+.......................+..........................++*++*++*++*++*++*
checking for Kerberos include files... could not find include files
checking for perl... /usr/bin/perl
configure: creating ./config.status
config.status: creating Makefile

openssl package is installed:

Code:
Package openssl - 0.9.8e-12.el5.i686 is already installed.
Package openssl-devel - 0.9.8e-12.el5.i386 is already installed.

NRPE-config on remote client:

Code:
bash-3.2# cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 hostname_nagiosserver
}

Code:
bash-3.2# netstat -at | grep nrpe
tcp        0      0 *:nrpe                      *:*                         LISTEN

NRPE-config on Nagiosserver:

Code:
[root@nagios nrpe-2.12]# cat /etc/xinetd.d/nrpe
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1
}

Code:
[root@nagios nrpe-2.12]#  netstat -at | grep nrpe
tcp        0      0 *:nrpe                      *:*                         LISTEN

What am I missing here?
 
Old 10-30-2009, 10:05 AM   #2
hackdna
LQ Newbie
 
Registered: Oct 2009
Posts: 1

Rep: Reputation: 0
Make sure you have Kerberos header files available on this system (for example, by installing krb5-devel package).
Rerun configure.
If it still can't find Kerberos headers, specify their location with a command-line switch (for example, ./configure --with-kerberos-inc=/usr/include).
 
Old 10-30-2009, 03:07 PM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
I have it working by changing something in the nrpe-file of Xinetd :

Code:
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 ipaddress_nagiosserver
}

Apparently you may not use hostnames in the "only_from"-tag.
I have defined the IP-address of my Nagios-server and now it works...

But if tomorrow the dynamic IP-address changes... I need to manually change the IP-address in the above file...
Looking for a solution to this...
 
Old 10-30-2009, 03:28 PM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291
Hi,

You could put the current IP that's assigned to the Nagios server as static or if you have access to the DHCP server make a reservation for the Nagios server so that it always has the same IP.

Kind regards,

Eric
 
Old 10-30-2009, 03:41 PM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 623

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by EricTRA View Post
Hi,

You could put the current IP that's assigned to the Nagios server as static or if you have access to the DHCP server make a reservation for the Nagios server so that it always has the same IP.

Kind regards,

Eric
The Nagios Monitoring server is settled @ my home. I have a broadband connection with dynamic IP-address.

The server that needs monitoring is an Asterisk-server that has a fixed public IP-address.

The only solution that I see is to create an OpenVPN-connection between my Nagios-server@home and the public Asterisk-server.
This way my Nagios-server will always have the IP-address 10.0.8.1 or something like that...

Does this sound right ??

Should the nagios-user on the Asterisk-server create the openVPN to the Nagios-server ??
 
Old 10-30-2009, 03:54 PM   #6
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291
Hello,

That's an option you could consider and in my opinion would work perfectly if set up right. Logically I'd say that the nagios user should set up the VPN tunnel since that user is executing the command requests to the Asterisk server. Just try it out with the nagios user to maintain the security. Hope it works, looking forward to your postings regarding this issue.

Kind regards,

Eric
 
Old 08-22-2014, 05:04 AM   #7
alberto.alonso
LQ Newbie
 
Registered: Aug 2014
Posts: 4

Rep: Reputation: Disabled
Hello

I'm having the same problem that was described in this post. I'm pretty new at Nagios and I'm having a problem when installing the NRPE plugin in CentOS.

Was it solved? I didn't see any post saying that Jonaskellens managed to do it (maybe I'm wrong).

Here is my problem in case someone hopefully knows how to deal with it:


I have a monitoring server (its hostname is wizzo-int-monitoring0) where I have installed:
- Nagios-4.0.7 <--- it works fine, as I am seeing the remote host
- Nagios-plugins-2.0.3
- NRPE-2.15


In the remote server (its hostname is wizzo-int-read3), I have installed:
- sudo yum -y install openssl-devel gcc xinetd make
- Nagios-plugins-2.0.3
- NRPE-2.15

Moreover, in the remote server, I have made some changes in the following files:

- In /etc/xinetd.d/nrpe I have added only_from = 127.0.0.1 wizzo-int-monitoring0
- In /etc/services I have added the line: nrpe 5666/tcp # NRPE
- In /etc/hosts.allow I have added the line: nrpe: 127.0.0.1 wizzo-int-monitoring0

I have also modified the iptables:
- sudo iptables -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
- sudo service iptables save

In the remote server, if I type /usr/local/nagios/libexec/check_nrpe -H localhost
I get NRPE v2.15 <---- which is correct

But If I type in the monitoring server /usr/local/nagios/libexec/check_nrpe -H wizzo-int-read3
I get CHECK_NRPE: Error - Could not complete SSL handshake.


If I modify /etc/xinetd.d/nrpe and replace wizzo-int-monitoring0 with its IP address, it works. But I need to use the hostname, as it can change.

What am I doing wrong?
What do I have to do to be able to use hostnames in the /etc/xinetd.d/nrpe file?
I am going crazy and I don't know what else to do.

Thanks a lot in advance
 
Old 08-22-2014, 09:24 AM   #8
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

Rep: Reputation: 791
It may be an issue with reverse lookup. From the xinetd.conf man page section that talks about the "only_from" specification, it says in part:

Quote:
d) a host name.
When a connection is made to xinetd, a reverse lookup is performed, and the canonical name returned is compared to the specified host name. You may also use domain names in the form of .domain.com. If the reverse lookup of the client’s IP is within .domain.com, a match occurs.
So do a "dig <hostname>" for your remote host from the NRPE host and see what you get as IP. Then do a "dig -x <IP Address>" for the IP you saw in the first dig. If it does NOT match the name you are using in only_from then it fails.

The above of course implies you'd have to use the FQDN for hostname (e.g. NOT just wizzo-int-monitoring0 but wizzo-int-monitoring0.yourdomain.com). Even then the reverse IP must give that same FQDN.
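
The matching rule quoted from the man page in the post above, as an added example that is not part of the original thread and is not xinetd's own code. It models only what the quote states (host-name entries are compared against the reverse lookup of the client's address); the domain example.com, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import ipaddress
import socket

# Constructed PTR data for the demo; example.com and 192.0.2.x are placeholders.
CONSTRUCTED_PTR = {"192.0.2.10": "wizzo-int-monitoring0.example.com"}

def fake_reverse(ip):
    """Offline stand-in for a PTR lookup (what `dig -x <IP>` would show)."""
    return CONSTRUCTED_PTR.get(ip)

def system_reverse(ip):
    """Real reverse lookup through the system resolver; None if no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def entry_matches(entry, client_ip, reverse=system_reverse):
    """Apply the quoted rule to one only_from entry; return (matched, reason)."""
    try:
        numeric = ipaddress.ip_address(entry)
    except ValueError:
        numeric = None
    if numeric is not None:  # plain address entry: no DNS involved
        return numeric == ipaddress.ip_address(client_ip), "address compared directly"
    canonical = reverse(client_ip)
    if canonical is None:
        return False, "no reverse (PTR) record for client"
    # Assumption of this sketch: compare case-insensitively, ignoring a trailing dot.
    canonical, wanted = canonical.rstrip(".").lower(), entry.rstrip(".").lower()
    if wanted.startswith("."):  # ".domain.com" form from the quote
        return canonical.endswith(wanted), f"reverse name is {canonical}"
    return canonical == wanted, f"reverse name is {canonical}"

def only_from_allows(value, client_ip, reverse=system_reverse):
    """True if any whitespace-separated only_from entry matches the client."""
    return any(entry_matches(e, client_ip, reverse)[0] for e in value.split())

if __name__ == "__main__":
    for value in ("127.0.0.1 wizzo-int-monitoring0",
                  "127.0.0.1 wizzo-int-monitoring0.example.com",
                  "127.0.0.1 .example.com",
                  "127.0.0.1 192.0.2.10"):
        print(f"{value!r:50} -> {only_from_allows(value, '192.0.2.10', fake_reverse)}")
```

A host-name entry makes the access decision depend on whoever controls the PTR record for the connecting address, and it fails closed when no PTR record exists; a numeric entry avoids the DNS dependency entirely.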
 
Old 08-23-2014, 02:56 PM   #9
alberto.alonso
LQ Newbie
 
Registered: Aug 2014
Posts: 4

Rep: Reputation: Disabled
Thanks MensaWater

I'm going to test what you have commented and will tell you if it works.
 
  

