
I am getting this check_nrpe "SSL couldn't complete handshake" error on the master server when I try executing the command below.

/usr/local/nagios/libexec/check_nrpe -H 10.192.122.234
10.192.122.234 --> nagios client machine

but when I use

/usr/local/nagios/libexec/check_nrpe -H localhost

it gives the proper result, that is, the NRPE version. Even if I use the Master server IP instead of localhost, it gives me the NRPE version as the result.

When I execute the same command from the Nagios client machine, it again gives me the NRPE version. The Master server IP is there in the nrpe.cfg file. For information, both the master IP and the client IP are configured with eth1.

So where is the issue, and why couldn't my master server run this command on client machines?

Nishanth

2 Answers

1

When you get this error

CHECK_NRPE: Error - Could not complete SSL handshake.

it means that nrpe server is not configured to allow this request.

You need to allow the requester IP address in the nrpe configuration file /etc/nagios/nrpe.cfg. You should include the IP in the line:

allowed_hosts=127.0.0.1,your.ip.goes.here

Don't forget to reload/restart nrpe server after changing the configuration.

Khaled
  • The master server IP is already there in nrpe.cfg file. – Nishanth Jun 25 '15 at 13:31
  • You may have configured the wrong IP? Examples include server with multiple IP addresses and/or it reaches the client with a different NATed IP. – Khaled Jun 25 '15 at 13:34
  • I have checked it and they are perfect; if this were wrong, my client probably should not be able to run the same command on the master server and get the NRPE version. But as mentioned, both the master server and client server IPs are with eth1; will this be blocking one in any case? – Nishanth Jun 25 '15 at 13:41
0

Basically, there's no need to run check_nrpe from a Nagios client because there's no reason for it to be installed on a Nagios client machine in the first place.

The check_nrpe plugin should always be running from the Nagios server.

In addition to Khaled's answer, I would also check if NRPE is configured as a stand-alone daemon or configured to be started by Xinetd.

If it's configured to run through xinetd (you can check if there's a file called nrpe under /etc/xinetd.d), it will look like so:

service nrpe
{
        flags           = REUSE
        type            = UNLISTED
        port            = 5666
        socket_type     = stream
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/sbin/nrpe
        server_args     = -c /etc/nagios/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 nagios01.company.com 10.X.X.30
}

Make sure to include your Nagios server IP or hostname in the "only_from" line and make sure the values are separated by spaces rather than commas as in the /etc/nrpe/nrpe.cfg file.

Another thing I would check is that the Nagios server is able to telnet the Nagios client on the NRPE port.

The default port is 5666, so you should run from your Nagios server the following command:

telnet nagios_client 5666

The output should look like so:

[root@nagios01 ~]# telnet do01.company.com 5666
Trying 10.X.X.30...
Connected to do01.company.com.
Escape character is '^]'.

If you're unable to telnet from the Nagios server to the Nagios client I would start looking there.

There's an official document which I always use when troubleshooting NRPE-related issues, check it out: Nagios Official Documentation

Itai Ganot
  • Thank you for your detailed answer; as per the suggestion I will configure nrpe on xinetd. But when you say nrpe installation is not required on the client machine, can you please let me know what else will be needed on the client machine? In our set-up we use nagios-plugin other than nrpe on the client machine; is it enough to communicate the status to the master? And with telnet on 5666 (nrpe), 22 (ssh), 443 (ssl), all these work fine from master to client :) – Nishanth Jun 26 '15 at 05:14
  • I meant that running check_nrpe should usually take place from the master... If you configure nrpe to work under xinetd then don't forget to 'service nrpe stop' and 'service xinetd restart'. Did you check the document at the bottom of my answer? – Itai Ganot Jun 26 '15 at 06:30
  • Yes, I have gone through it and none of the addressed inputs helped me come out of this. The same configuration which we followed on different environments doesn't have issues... – Nishanth Jun 26 '15 at 10:01
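
An offline check of the two access lists discussed in the answers above (allowed_hosts in nrpe.cfg, comma-separated, and only_from in the xinetd service file, space-separated), as an added example that is not part of the original thread. The sample configs and function names are constructed for illustration; source_ip is the address the client actually sees the connection coming from, and hostname entries are not resolved, so they never match.

```python
import ipaddress
import re

# Constructed sample configs (not from the page); addresses are documentation ranges.
SAMPLE_NRPE_CFG = """
#allowed_hosts=127.0.0.1
allowed_hosts=127.0.0.1, 192.0.2.10, 203.0.113.0/24
"""
SAMPLE_XINETD = """
service nrpe
{
        only_from       = 127.0.0.1,192.0.2.10
}
"""

def covers(entry, source_ip):
    """True if one ACL entry (single IP or CIDR network) contains source_ip."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(source_ip) in net
    except ValueError:
        return False  # hostname or malformed entry: not resolved here

def nrpe_allowed_hosts(cfg_text):
    """Comma-separated entries from uncommented allowed_hosts lines.
    Assumption: entries from several such lines are simply merged."""
    entries = []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*allowed_hosts\s*=\s*(.*)", line)
        if m:
            entries += [e.strip() for e in m.group(1).split(",") if e.strip()]
    return entries

def xinetd_only_from(service_text):
    """Whitespace-separated entries from only_from lines of a xinetd service."""
    entries = []
    for line in service_text.splitlines():
        m = re.match(r"\s*only_from\s*\+?=\s*(.*)", line)
        if m:
            entries += m.group(1).split()
    return entries

def diagnose(source_ip, nrpe_cfg, xinetd_cfg=None):
    """Return a list of findings; an empty list means both ACLs admit source_ip."""
    findings = []
    hosts = nrpe_allowed_hosts(nrpe_cfg)
    if not any(covers(h, source_ip) for h in hosts):
        findings.append(f"{source_ip} not covered by allowed_hosts {hosts}")
    if xinetd_cfg is not None:
        only = xinetd_only_from(xinetd_cfg)
        if any("," in e for e in only):
            findings.append("only_from contains commas; separate entries with spaces")
        if not any(covers(e, source_ip) for e in only):
            findings.append(f"{source_ip} not covered by only_from {only}")
    return findings
```

Calling diagnose("198.51.100.7", SAMPLE_NRPE_CFG) reproduces the NATed or secondary address case raised in the comments: the listed master IP is correct, but the connection arrives from an address that is not in the list.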