[Error]: Error - Could not complete SSL handshake. ON LOCALHOST

Carson McNeil · Nov 2, 2016

All of the questions about this error show people running check_nrpe -H [some_remote_ip], in contrast to an error-free run on localhost.

I, however, can't even get this to run on localhost:

$> ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.

The service does appear to be up and running:

$> sudo netstat -apn | grep :5666
tcp        0      0 0.0.0.0:5666            0.0.0.0:*        LISTEN      5847/nrpe
tcp6       0      0 :::5666                 :::*             LISTEN      10216/nrpe

And the daemon returns no errors:

$> sudo service nagios-nrpe-server status
* nagios-nrpe is running

My nrpe.cfg file has allowed_hosts set correctly:

allowed_hosts=127.0.0.1,10.0.1.2,0.0.0.0

Contents of /var/log/syslog with debugging turned on:

Nov  1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 port 6601
Nov  1 22:54:44 <MYHOST> nrpe[11156]: Host ::1 is not allowed to talk to us!
Nov  1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 closed.

Does anyone have any idea what's going on? This seems almost nonsensical. Thanks!

Answer

Jim Black · Nov 3, 2016

Note that my example may be different than yours.

First change to the folder having your nrpe command and run:

./nrpe --version

The output from that command will look something like this:

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: nrpe-3.0
Last Modified: 07-12-2016
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available, OpenSSL 0.9.6 or higher required

Notice that the last line tells you that SSL is indeed supported by this build of NRPE. If it is not there, then you'll have to install a version that was compiled with SSL support (which may mean compiling one for yourself, depending on where you got it). The docs for the source code are pretty clear on how this is done.

If you DO have the SSL line above, look at the required version on the line and check your system to be sure that at least that version has been installed. I used this command:

rpm -qa | grep openssl

And received output looking like this:

libopenssl1_0_0-32bit-1.0.1k-2.39.1.x86_64
openssl-1.0.1k-2.39.1.x86_64

Both openssl and libopenssl are required for NRPE's SSL support to function correctly. I strongly recommend that, if these are not installed, you use your system's package installer (apt-get, yum, zypper, ...) to fetch and install them. If these are already installed, but you still have errors, then you will likely have a configuration issue in:

/etc/ssl/openssl.cnf

Fixing that is well outside of the scope/space available here. I recommend upgrading both of these via a working, on-line package - these packages always include a default configuration which should work fine with NRPE - assuming the version is equal to or higher than required.
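
An added example, not part of the original question or answer: the syslog excerpt in the question reports the peer as ::1, while the allowed_hosts line lists only IPv4 entries, and this script cross-checks the two offline. The function names are hypothetical, and it assumes entries are compared literally as addresses or CIDR networks (0.0.0.0 is treated as a single address, hostname entries are skipped).

```python
import ipaddress
import re

# Sample input copied from the question's nrpe.cfg line and syslog excerpt.
NRPE_CFG = "allowed_hosts=127.0.0.1,10.0.1.2,0.0.0.0\n"
SYSLOG = """\
Nov  1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 port 6601
Nov  1 22:54:44 <MYHOST> nrpe[11156]: Host ::1 is not allowed to talk to us!
Nov  1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 closed.
"""
REJECT_RE = re.compile(r"nrpe\[\d+\]: Host (\S+) is not allowed to talk to us!")


def parse_allowed_hosts(cfg_text):
    """Return the address/CIDR entries of the last allowed_hosts= line."""
    networks = []
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("allowed_hosts="):
            continue
        networks = []
        for entry in filter(None, (e.strip() for e in line.split("=", 1)[1].split(","))):
            try:
                # A plain address becomes a /32 or /128 network; CIDR is kept.
                networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                pass  # hostname entry: not resolved in this offline check
    return networks


def explain_rejections(cfg_text, syslog_text):
    """Map each peer nrpe logged as rejected to why no entry matches it."""
    networks = parse_allowed_hosts(cfg_text)
    report = {}
    for peer in dict.fromkeys(REJECT_RE.findall(syslog_text)):
        addr = ipaddress.ip_address(peer)
        family = [n for n in networks if n.version == addr.version]
        if any(addr in n for n in family):
            report[peer] = "covered by allowed_hosts"
        elif family:
            report[peer] = f"no IPv{addr.version} entry covers this address"
        else:
            report[peer] = f"allowed_hosts has no IPv{addr.version} entries"
    return report


if __name__ == "__main__":
    for peer, reason in explain_rejections(NRPE_CFG, SYSLOG).items():
        print(f"{peer}: {reason}")
```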