i have the same Error, but it can not be fixed by the allowed_hosts entry!
This is (on my side) IMO also an TLS/SSL issue.
I have to use the Option '-n' to disable SSL/TLS on the UCS Nagios Server, and this works only, when i disable SSL/TLS on the NRPE Client also with the Option '-n'.
Enabling the SSL/TLS Option on the Client and dropping '-n' doesn't work.
Problem: The automatic NRPE command sent from UCS NAgios doesn't have this '-n' Option, so it fails everytime. How could i Change this, or how to enable TLS/SSL on the UCS Nagios also?
What changed on my side?
The NRPE Client Server was updated from latest Jessie to Stretch. )
That was all, with Jessie it worked perfect (without SSL/TLS!) with the UCS Nagios Server, now with Stretch, i get the error and the '-n' Problem.
root@ucs:~# /usr/lib/nagios/plugins/check_nrpe -H 192.168.2.5 -c check_disk_var
CHECK_NRPE: Error - Could not complete SSL handshake.
root@ucs:~# /usr/lib/nagios/plugins/check_nrpe -H 192.168.2.5 -n -c check_disk_var
DISK OK - free space: / 4116 MB (48% inode=89%);| /=4350MB;6707;8048;0;8943
On the Client without SSL/TLS:
Jun 23 15:35:52 corsair nrpe: Connection from 192.168.2.6 port 726
Jun 23 15:35:52 corsair nrpe: Error: Request packet version was invalid!
Jun 23 15:35:52 corsair nrpe: Could not read request from client 192.168.2.6, bailing out...
On the Client with SSL/TLS:
Jun 23 15:40:58 corsair nrpe: Connection from 192.168.2.6 port 27350
Jun 23 15:40:58 corsair nrpe: Error: Could not complete SSL handshake with 192.168.2.6: 1
For SSL/TLS, i copied the Client certificates and the CAcert from UCS to the Client and configured these in NRPE.