Problems with check_nrpe+SSL, and I have read the FAQ
Eivind Olsen
eivind at aminor.no
Mon Oct 17 14:14:25 CEST 2005

Hello.

I'm trying to set up check_nrpe 2.0 to use SSL, but I can't get it to
work. The nagios-server (192.168.1.4) is running Solaris 10, the other
machine 192.168.1.2 is running Solaris 8. The nrpe-daemon is run from
the command line in daemon-mode (-d option), not from inetd.

I'm currently doing all testing from the command line. Here's what I do
on the nagios-server:

First, I test with normal check_nrpe and then check_nrpe_ssl (configured
with --enable-ssl) against the SSL-enabled nrpe on 192.168.1.2, and
finally I do a telnet on the port just to see that I have network
connectivity and can get through:

bash-3.00# ./check_nrpe -H 192.168.1.2 -p 5666 -c check_load
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

bash-3.00# ./check_nrpe_ssl -H 192.168.1.2 -p 5666 -c check_load
CHECK_NRPE: Error - Could not complete SSL handshake.

bash-3.00# telnet 192.168.1.2 5666
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
^]
telnet> q
Connection to 192.168.1.2 closed.

When I look in the syslog on 192.168.1.2 I see the famous "Error: Could
not complete SSL handshake."-message.

Then, I kill the SSL-enabled nrpe-daemon on 192.168.1.2 and start the
SSL-disabled nrpe-daemon and do the same tests. We can now see that
check_nrpe works as expected:

bash-3.00# ./check_nrpe -H 192.168.1.2 -p 5666 -c check_load
WARNING - load average: 5.35, 5.58, 6.14|load1=5.348;15.000;30.000;0; load5=5.582;10.000;25.000;0; load15=6.141;5.000;20.000;0;

bash-3.00# ./check_nrpe_ssl -H 192.168.1.2 -p 5666 -c check_load
CHECK_NRPE: Socket timeout after 10 seconds.

bash-3.00# telnet 192.168.1.2 5666
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
^]
telnet> q
Connection to 192.168.1.2 closed.

I've looked at the Nagios FAQ and can't find anything wrong there.
FAQ-entry 191 mentions:

* Different versions: both the SSL and non-SSL versions of both
  check_nrpe/check_nrpe_ssl and nrpe/nrpe_ssl show:

  Version: 2.0
  Last Modified: 09-08-2003

* SSL is disabled: Both the check_nrpe_ssl and nrpe_ssl commands have
  the following in their output when I run them:

  "SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required"

  I don't think I've managed to disable SSL-support on the command lines
  on any of these? The options for check_nrpe_ssl are given above,
  nrpe_ssl is started as "./nrpe_ssl -c nrpe.cfg -d"

* Incorrect file permissions: The nrpe.cfg is readable, it's the exact
  same file I'm using both when running in non-SSL mode and in SSL-enabled
  mode.

* Pseudo-random device files are not readable: yes, they're world
  readable. Here's how they are on the nagios-server:

  crw-r--r-- 1 root sys 190, 0 Aug 18 07:12 /devices/pseudo/random@0:random
  crw-r--r-- 1 root sys 190, 1 Oct 17 09:07 /devices/pseudo/random@0:urandom

  And here's how they are on 192.168.1.2:

  crw-r--r-- 1 root sys 259, 0 May 30 2003 /devices/pseudo/random@0:random
  crw-r--r-- 1 root sys 259, 1 May 30 2003 /devices/pseudo/random@0:urandom

* Unallowed address: I'm not running under xinetd. The nrpe.cfg file on
  192.168.1.2 lists the server as allowed_hosts:

  allowed_hosts=192.168.1.4

  (192.168.1.4 is the IP-address of the nagios server)

I have also seen FAQ entry 261. It also mentions tcp-wrappers, but I
think this can be ruled out since:

- I'm not aware of anything that should cause me to use these
- I can make a telnet connection to the port 5666, both with non-SSL and
  SSL-enabled nrpe running.

Does anyone have any idea what I might be doing wrong? And suggestions
on things I might try?

--
Regards
Eivind Olsen
<eivind at aminor.no>