[Nagios-users] Could not complete SSL handshake
Hi
I am using Nagios with NRPE to monitor my lab infrastructure and I am
facing this issue of SSL handshake failing with NRPE. The exact error as
displayed in syslog is:
Aug 18 04:15:23 nrpe[15581]: Error: Could not complete SSL handshake. 5
The following is displayed in /var/log/nrpe at the same time:
09/8/1...@04:15:39: START: nrpe pid=16259 from=10.201.214.90
09/8/1...@04:15:41: START: nrpe pid=16260 from=10.201.214.90
09/8/1...@04:15:46: START: nrpe pid=16274 from=10.201.214.90
09/8/1...@04:15:49: START: nrpe pid=16275 from=10.201.214.90
09/8/1...@04:15:56: START: nrpe pid=16276 from=10.201.214.90
09/8/1...@04:16:02: EXIT: nrpe status=0 pid=16128 duration=286(sec)
09/8/1...@04:16:02: EXIT: nrpe status=0 pid=16199 duration=156(sec)
09/8/1...@04:16:16: START: nrpe pid=16291 from=10.201.214.90
09/8/1...@04:16:25: EXIT: nrpe status=0 pid=16176 duration=220(sec)
09/8/1...@04:16:26: START: nrpe pid=16292 from=10.201.214.90
09/8/1...@04:16:34: EXIT: nrpe status=0 pid=16260 duration=53(sec)
09/8/1...@04:16:36: EXIT: nrpe status=0 pid=16229 duration=125(sec)
09/8/1...@04:16:51: EXIT: nrpe status=0 pid=16194 duration=215(sec)
09/8/1...@04:17:07: START: nrpe pid=16307 from=10.201.214.90
09/8/1...@04:17:17: START: nrpe pid=16308 from=10.201.214.90
09/8/1...@04:17:21: EXIT: nrpe status=0 pid=16275 duration=92(sec)
09/8/1...@04:17:35: EXIT: nrpe status=0 pid=16274 duration=109(sec)
09/8/1...@04:17:46: EXIT: nrpe status=0 pid=16291 duration=90(sec)
09/8/1...@04:17:46: EXIT: nrpe status=0 pid=16292 duration=80(sec)
What does the above error mean?
Does it have anything to do with network issues?
Why is the duration high at this time for a few requests while normally
it is less than 5 sec?
I am running nrpe as a service under xinetd with the following
configuration: ( /etc/xinetd.d/nrpe )
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port= 5666
wait= no
user= nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_type= FILE /var/log/nrpe
log_on_failure += USERID ATTEMPT
disable = no
only_from = 10.201.214.90
per_source = UNLIMITED
cps = 50 30
}
Thanks,
Shashank.
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Could not complete SSL handshake
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/02/09 12:34 PM, Lee Azzarello wrote: Here's a mystery for the books. I was alerted this morning of a socket timeout while nagios attempted to connect the NRPE server on a remote host. I go in and manually check that host and sure enough: - From my personal experience NRPE often fail on the SSL handshake under load - since it happen on the SSL part the connection is already open (therefore you can telnet to the port without any problem). I never really looked into issue because none of my servers runs hot - When I get NRPE timeouts there's usually other stuff that's sending alerts already (at least the load average check running trough SNMP). Things you may try: - - Lower the nice value of the NRPE process - - Disable SSL - - When compiling NRPE, in include/common.h, increase the socket timeout: #define DEFAULT_SOCKET_TIMEOUT10/* timeout after 10 seconds */ - - Increase the check_nrpe and/or nagios active check timeouts. - -- Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJlu+e6dZ+Kt5BchYRAq6nAJ0boUmZyySZ7adQ8tBNtMhrcZQpogCgnbSu Mt/FbvA8GfzdMFig56KwBx0= =MQtG -END PGP SIGNATURE- -- Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise -Strategies to boost innovation and cut costs with open source participation -Receive a $600 discount off the registration fee with the source code: SFAD http://p.sf.net/sfu/XcvMzF8H ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] Could not complete SSL handshake
Here's a mystery for the books. I was alerted this morning of a socket timeout while nagios attempted to connect the NRPE server on a remote host. I go in and manually check that host and sure enough: Feb 12 16:02:59 conversion-10 nrpe[6886]: Error: Could not complete SSL handshake. 5 Feb 12 16:36:03 conversion-10 nrpe[7270]: Error: Could not complete SSL handshake. 5 Weird, but sort of understandable. Just to make sure it's down, from the host where Nagios is running: control-1:~# telnet conversion-10.internal 5666 Trying 10.254.163.50... Connected to conversion-10.internal. Escape character is '^]'. Huh? I can connect via telnet. NRPE is not down. Then I visually check other services on the remote host though the web interface, two of which are also a NRPE service check. They are not generating the SSL handshake error, no socket timeout, status OK, same host. Wacky. Well, last thing to try is to execute the NRPE check manually from the host where Nagios is running: control-1:~# /usr/lib/nagios/plugins/check_nrpe -H conversion-10.internal -c check_tmpdir_links check_tmpdir_links OK - result:2823 |links$=2823 Woah, dude!? Uhhh, why is this singular service check telling me it's having a socket timeout ONLY when run from Nagios but not from an interactive shell? I give up... 2 hours pass, then I am alerted of the following event: [1234458138] SERVICE ALERT: conversion-10;tmpdir-links;OK;HARD;1;check_tmpdir_links OK - result:2846 WTF? It fixed itself? Scary. The only trend I can make of this is that the timed out service is infrequent. I configured it to be checked every 30 minutes, while the others are far more frequent, checking every 5 minutes. Maybe I just got unlucky and hit some high network latency? I don't know. -lee -- ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Could not complete ssl handshake
Harry,
There are afew thing you can check that cause this problem.
1. Check versions of the nrpe on both the server and the client
2. Did you install check_nrpe from source or rpm? You might want to
check if one is compiled with ssl support and the other isn't compiled for
SSL support (I had that problem, server was compiled for SSL and listening
for SSL connections, client wasn't)
3. I know with RHEL (what we use here) you have to set up the SELinux
permissions to allow the port through, along with editing the
/etc/xinetd.d/nrpe file and send a hup to xinetd so it can talk to the
server/client. Here's a copy of my xinetd file in /etc/xinetd.d/
a. # default: on
b. # description: NRPE (Nagios Remote Plugin Executor)
c. service nrpe
d. {
e. flags = REUSE
f.socket_type = stream
g. port= 5666
h. wait= no
i. user= nagios
j.group = nagios
k. server = /usr/local/nagios/bin/nrpe
l. server_args = -c /usr/local/nagios/etc/nrpe.cfg
--inetd
m.log_on_failure += USERID
n. disable = no
o. only_from = NAGIOS.SERVER.IP.ADDRESS
p. }
4. Try running a higher debug on the server and manually run
check_nrpe from the server to the client, check logs.
Hope this helps!
~Jayson Broughton
From: Hart, Harry M. CTR USJFCOM JTCI [mailto:harry.hart@jfcom.mil]
Sent: Thursday, January 08, 2009 4:37 AM
To: Nagios Users Mailinglist
Subject: [Nagios-users] Could not complete ssl handshake
I know I've seen this error on this forum before but can not remember what
resolved the problem. I installed NRPE on a Linux system to talk to another
Linux machine that is the Nagios server. I do the check_nrpe and get Could
not complete SSL handshake. It works fine when I do it from the server to
the remote system.
Thanks for any help on this one.
Harry
Harry M. Hart Systems integrator
SAIC
USJFCOM JIOC DCGS-A
(757) 203-7422
DSN 668-7422
harry.h...@intel.jwfc.jfcom.smil.mil
harry.h...@jwfc.ic.gov
The information in this electronic mail message and any attached files is
confidential and may be legally privileged. If you are not the intended
recipient, delete this message and contact the sender immediately. Access to
this message by anyone other than its intended recipient is unauthorized. You
must not use or disseminate this information as it is proprietary property of
the True companies. Communications on or through the True companies' computer
systems may be monitored or recorded to secure effective system operation and
for other lawful purposes. Thank you.--
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Could not complete ssl handshake
Hi Harry, I know I've seen this error on this forum before but can not remember what resolved the problem. I installed NRPE on a Linux system to talk to another Linux machine that is the Nagios server. I do the check_nrpe and get Could not complete SSL handshake. It works fine when I do it from the server to the remote system. are both nrpe installations of the same version? I've got this problem when both versions (of check_nrpe on one system and nrpe on the remote server) were different. HTH, cu l8r, Edgar. -- |\ /| :: Addr: Valid Eindhoven B.V. / | \/ | : Edgar R. Matzinger : t.a.v. E.R. Matzinger / || :: Paradijslaan 36 \ /| /\| :: 5611 KN Eindhoven \/ / \ : Valid Eindhoven BV : \ /\ / :: \/ |\/ :: |:: Disclaimer: Any comments, opinions made are mine, etc ... -- Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] Could not complete ssl handshake
I know I've seen this error on this forum before but can not remember what resolved the problem. I installed NRPE on a Linux system to talk to another Linux machine that is the Nagios server. I do the check_nrpe and get Could not complete SSL handshake. It works fine when I do it from the server to the remote system. Thanks for any help on this one. Harry Harry M. Hart Systems integrator SAIC USJFCOM JIOC DCGS-A (757) 203-7422 DSN 668-7422 harry.h...@intel.jwfc.jfcom.smil.mil harry.h...@jwfc.ic.gov smime.p7s Description: S/MIME cryptographic signature -- Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Could not complete ssl handshake
Am Donnerstag, den 08.01.2009, 06:36 -0500 schrieb Hart, Harry M. CTR USJFCOM JTCI: I know I've seen this error on this forum before but can not remember what resolved the problem. I installed NRPE on a Linux system to talk to another Linux machine that is the Nagios server. I do the check_nrpe and get Could not complete SSL handshake. It works fine when I do it from the server to the remote system. This error also occures when the nagios server (the host nrpe is called) is not allowed to talk to the nrpe-daemon. Have a look at allowed_hosts in nrpe.cfg when nrpe runs as a daemon or at the (x)inetd config as nrpe is run like that. Regards Sebastian Ries -- DT Netsolution GmbH - Talaeckerstr. 30 - D-70437 Stuttgart Tel: +49-711-849910-36 Fax: +49-711-849910-936 WEB: http://www.dtnet.de/ email: sebastian.r...@dtnet.de -- Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
