Nagios Could not complete SSL handshake

Roman · March 29, 2017, 1:25pm

Hi.
My nagios server name is nagios.domain.com
On each UCS server I set UCR variable nagios/allowedhost to nagios

I get email errors with “Problem Service alert” and in body of email I have error

CHECK_NRPE: Error - Could not complete SSL handshake.

Please help.

ahrnke · March 29, 2017, 2:06pm

Hi,

I guess you need to set another UCRV:

nagios/client/allowedhosts: <empty>
 This variable limits the hosts which can access the NRPE service. The hosts need to be specified through their hostname or with an IP address. If the variable is unset, the master domain controller is used. Multiple entries need to be separated by commas.

Best Regards,
Dirk

Roman · March 29, 2017, 2:09pm

sorry that is what I did
I changed the variable to “nagios.domain.com” but did not help still. I guess will try and go ahead and put the IP instead and see what happens.

Roman · March 29, 2017, 2:25pm

I have tried just hostname, full hostname (nagios.domain.com) and IP but still get same " CHECK_NRPE: Error - Could not complete SSL handshake."

ahrnke · March 29, 2017, 3:11pm

I tested on a machine where univention-nagios-client and its dependencies are installed. In /etc/nagios/nrpe.cfg is an option “debug” which can be enabled as described.
The in /var/log/syslog I got:

Mar 29 17:08:39 host nrpe[29029]: Starting up daemon
Mar 29 17:08:39 host nrpe[29029]: Listening for connections on port 5666
Mar 29 17:08:39 host nrpe[29029]: Allowing connections from: 172.35.55.2
Mar 29 17:08:43 host nrpe[29048]: Host 172.35.55.4 is not allowed to talk to us!

The last line appeared as I ran check_nrpe -H ip_of_my_client on 172.35.55.4

Roman · March 29, 2017, 3:14pm

check_nrpe command is not found, and how can I install “univention-nagios-client” on client computers? apt-get does not find them.

ahrnke · March 29, 2017, 3:31pm

On UCS /usr/lib/nagios/plugins/check_nrpe is provided by “nagios-nrpe-plugin”. The path may differ on a Non-UCS Nagios-server.

the Nagios client appears to be part of the default repositories:

root@ucs:~# apt-cache policy univention-nagios-client
univention-nagios-client:
  Installed: 9.0.1-1.273.201511040008
  Candidate: 9.0.1-1.273.201511040008
  Version table:
 *** 9.0.1-1.273.201511040008 0
        500 https://updates.software-univention.de/4.1/maintained/ 4.1-0/amd64/ Packages
        100 /var/lib/dpkg/status
     8.0.0-5.272.201506251544 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-3/amd64/ Packages
     8.0.0-4.271.201410291318 0
        500 https://updates.software-univention.de/4.0/maintained/ 4.0-0/amd64/ Packages

Using apt-get may work, but the recommended method is “univention-install”

Roman · March 29, 2017, 4:44pm

I can confirm the same. From my UCS Nagios PC I ran to IP of target server:

/usr/lib/nagios/plugins$ sudo ./check_nrpe -H 192.168.1.1
CHECK_NRPE: Error - Could not complete SSL handshake.

ahrnke · March 29, 2017, 6:34pm

The error “CHECK_NRPE: Error - Could not complete SSL handshake.” is usually caused by a mssing or wrong “allowed_hosts” configuration in /etc/nagios/nrpe.cfg.
With an active debug option in the same config-file the active “allowed_hosts” setting is reported to the syslog (see log snippet above).
The UCRV “nagios/client/allowedhosts” will affect the nrpe.cfg if the package univention-nagios-client is installed.

Roman · March 30, 2017, 8:07am

Thank you for the hint. I checked /etc/nagios/nrpe.cfg and it has IP entry for my nagios monitoring server.

What I did was restart nagios-nrpe-server service (service nagios-nrpe-server restart) and this resolved the issue.

I would suggest that this is added somewhere in documentation or maybe automate it if possible once UCR variable (nagios/client/allowedhosts) is changed.

neobiker · June 23, 2017, 1:33pm

Hi,
i have the same Error, but it can not be fixed by the allowed_hosts entry!
This is (on my side) IMO also an TLS/SSL issue.

I have to use the Option ‘-n’ to disable SSL/TLS on the UCS Nagios Server, and this works only, when i disable SSL/TLS on the NRPE Client also with the Option ‘-n’.
Enabling the SSL/TLS Option on the Client and dropping ‘-n’ doesn’t work.

Problem: The automatic NRPE command sent from UCS NAgios doesn’t have this ‘-n’ Option, so it fails everytime. How could i Change this, or how to enable TLS/SSL on the UCS Nagios also?

What changed on my side?
The NRPE Client Server was updated from latest Jessie to Stretch. ;-))
That was all, with Jessie it worked perfect (without SSL/TLS!) with the UCS Nagios Server, now with Stretch, i get the error and the ‘-n’ Problem.

root@ucs:~# /usr/lib/nagios/plugins/check_nrpe -H 192.168.2.5 -c check_disk_var
CHECK_NRPE: Error - Could not complete SSL handshake.
root@ucs:~# /usr/lib/nagios/plugins/check_nrpe -H 192.168.2.5 -n -c check_disk_var
DISK OK - free space: / 4116 MB (48% inode=89%);| /=4350MB;6707;8048;0;8943

On the Client without SSL/TLS:

Jun 23 15:35:52 corsair nrpe[2902]: Connection from 192.168.2.6 port 726
Jun 23 15:35:52 corsair nrpe[2902]: Error: Request packet version was invalid!
Jun 23 15:35:52 corsair nrpe[2902]: Could not read request from client 192.168.2.6, bailing out...

On the Client with SSL/TLS:

Jun 23 15:40:58 corsair nrpe[3022]: Connection from 192.168.2.6 port 27350
Jun 23 15:40:58 corsair nrpe[3022]: Error: Could not complete SSL handshake with 192.168.2.6: 1

For SSL/TLS, i copied the Client certificates and the CAcert from UCS to the Client and configured these in NRPE.

ahrnke · June 26, 2017, 8:46am

@neobiker: There is an article from last week about Debian 9 Stretch and Nagios NRPE (command args and SSL compatibility) which might shed light on this behaviour.

neobiker · June 29, 2017, 7:34pm

Yes, but i don’t know how to tell UCS to use Option ‘-n’ towards the Stretch Server.

thorp-hansen · July 3, 2017, 8:14am

I think that is not possible currently - I would recommend to not install debian packages. You could open an issue at forge.univention.de