check_nrpe fails, SSL handshake error

Michael Tucker mtucker at airmail.net
Mon Dec 22 21:54:13 CET 2003


On Monday, December 22, 2003, at 02:42  PM, Steve Feehan wrote:
> Could you remind me what OS you're working with? If you
> haven't, I would strongly urge you to check that the PRNG
> is being seeded. This was a problem for me on IRIX 6.5.19
> and Tru64 5.1a. The solution with IRIX was to either upgrade
> to 6.5.22 or make a small hack to openssl.  The solution for
> Tru64 was to install and tell openssl to use an external
> prng source (such as egads or prngd).
>
> Steve
>

Sure, Steve; it's Solaris 9. Here's my original message:

>  * * *
>
> I'm trying to set up a simple nagios configuration for the first time.  
> I have a central server and a distributed server which should  
> communicate with each other using nsca/send_nsca. I have a host to be  
> monitored which should communicate with the distributed server using  
> nrpe/check_nrpe. This is all on Solaris 9 (SPARC), on both servers and  
> the host to be monitored.
>
> It's a "clean" install of Solaris 9 plus the current patch cluster,  
> plus the following packages downloaded from sunfreeware.com: freetype,  
> gcc, jpeg, libpng, mhash, zlib and openssl. I've downloaded and  
> compiled the following programs: gd, libmcrypt, mcrypt, nagios,  
> nagios-plugins, nrpe and nsca.
>
> Everything seemed to compile ok using gcc. The packages that depend on  
> ssl (or whatever) knew about them at compile time (at least, according  
> to the output from the ./configure scripts).
>
> On the host to be monitored, I've installed nrpe and a simple nrpe.cfg  
> file, and edited /etc/inetd.conf and /etc/services as follows:
>
> /etc/inetd.conf:
> nrpe	stream	tcp	nowait	nagios	/usr/sfw/sbin/tcpd	/usr/local/nagios/bin/nrpe -c /usr/local/nagios/bin/nrpe.cfg -i
>
> /etc/services:
> nrpe	5666/tcp	# NRPE (Nagios remote plugin executor)
>
> nrpe.cfg (default file, except for the following):
> command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
> command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
>
> On the distributed server, I've installed the check_nrpe plugin.
>
>  * * *
>
> Ok, here's the problem. When I try to run check_nrpe on the  
> distributed server, I get this error:
>
> # ./check_nrpe -H {IP of host to monitor} -c check_load
> CHECK_NRPE: Error - Could not complete SSL handshake.
>
>  * * *


As you can see, I haven't installed prng. I'm using the random number  
generator bundled with Solaris, and OpenSSL seemed content with that at  
compile time.

Just so we don't start an "I didn't read your last n-1 messages" loop  
with anyone else, here's the update I posted earlier today:

> More info on this:
>
> I recompiled nrpe with --disable-ssl (on both the monitoring server  
> and the host to monitor), and it works fine now. So, it's clearly a  
> problem with enabling SSL and nrpe.
>
> The error message I was seeing ("CHECK_NRPE: Error - Could not  
> complete SSL Handshake.") is being generated by check_nrpe. It's in  
> the file check_nrpe.c, where it attempts to "do SSL handshake" and  
> fails.
>
> I am baffled as to why this is failing, or what I need to do to make  
> it work. Supposedly, nrpe is using the "anonymous DH" (ADH) protocol,  
> which operates sans certificates; so I would *think* that I don't need  
> to do anything with openssl (e.g. create a CA, or server or client  
> certificates, or anything like that). So, I'm pretty sure it's a  
> problem with how nrpe is implementing SSL, rather than a problem with  
> OpenSSL. But, at this point I'm stumped.
>
> Any help with this would be greatly appreciated.


Michael



_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users