[BUG] check_nrpe fails, SSL handshake error SOLVED

Michael Tucker mtucker at airmail.net
Mon Jan 19 19:49:50 CET 2004


On Wednesday, January 7, 2004, at 02:45  PM, Michael Tucker wrote:

> Ethan, to bring you up to speed: there appears to be a bug in 
> check_nrpe/nrpe, something to do with its implementation of OpenSSL. I 
> apologize for the length of this message; it might be easier for you 
> to follow if you go back and follow the thread from the beginning. But 
> there's quite a bit of information here. Hopefully some of it will 
> prove helpful to you.
>
> Here's the short form of the problem:
>> check_nrpe -> nrpe fails if SSL is enabled, and returns the message:
>>> # ./check_nrpe -H {host to monitor} -c check_load
>>> CHECK_NRPE: Error - Could not complete SSL handshake.
>>
>> If SSL is disabled (recompile with --disable-ssl), it works just fine.
>
> Michael
>
> [lengthy details snipped]

I have SOLVED this problem, at least for my Solaris installation.

It turns out that you need the SSL libraries in your system default 
runtime link path. This seems obvious in retrospect, but nobody else 
thought of it either, so I don't feel too bad. :-P

In Solaris, you can check (and fix) this with the crle command 
("configure runtime linking environment"):

> # crle

This will display the current default library path, and configuration 
file (if any). On new installs of Solaris, there's no configuration 
file, and the path is just /usr/lib. You'll need to change this to 
include /usr/local/lib and /usr/local/ssl/lib:

> # crle -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
> # crle
>
> Configuration file [3]: /var/ld/ld.config
>   Default Library Path (ELF):   /usr/lib:/usr/local/lib:/usr/local/ssl/lib
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>
> Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib

Without making any other modifications to the nrpe configuration (or to 
/etc/inetd.conf or /etc/services, which are already configured to run 
nrpe under inetd with tcp wrappers), I made the above change on both 
the monitoring server and the monitored host. Then I copied my 
already-compiled nrpe and check_nrpe (with SSL enabled) to their 
respective runtime directories. Voila! It works. :-)

*doing the happy Snoopy dance* :-)

Yours,
Michael
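
Added example, not part of the original message: every directory placed in the default runtime link path is searched for every dynamically linked program, so each one should be owned by root and not writable by group or others before it goes into crle -l. The function name audit_libpath and the root-ownership expectation are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit a colon-separated
# runtime library path before handing it to "crle -l".
# Usage: audit_libpath PATH [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Prints one "FINDING ..." line per problem; returns 1 if any were found.
audit_libpath() {
    path=$1
    want_uid=${2:-0}
    rc=0
    # Split on ':' with globbing off, then restore IFS before running commands.
    old_ifs=$IFS
    set -f
    IFS=:
    set -- $path
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  echo "FINDING '$dir': not an absolute path"; rc=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "FINDING $dir: missing or not a directory"; rc=1; continue
        fi
        # -n gives numeric ids, -L follows a symlinked directory to its target.
        info=$(ls -ldnL "$dir")
        mode=$(printf '%s\n' "$info" | awk '{print $1}')
        uid=$(printf '%s\n' "$info" | awk '{print $3}')
        if [ "$uid" != "$want_uid" ]; then
            echo "FINDING $dir: owned by uid $uid, expected $want_uid"; rc=1
        fi
        # Mode string layout: type, then rwx for user, group, other.
        case $mode in
            ?????w*) echo "FINDING $dir: group-writable ($mode)"; rc=1 ;;
        esac
        case $mode in
            ????????w*) echo "FINDING $dir: world-writable ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run directly with a path argument, e.g. the one from the post:
#   sh audit_libpath.sh /usr/lib:/usr/local/lib:/usr/local/ssl/lib
if [ "$#" -gt 0 ]; then
    audit_libpath "$@"
fi
```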