CHECK_NRPE: Error – Could not complete SSL handshake

If you know about the “CHECK_NRPE: Error – Could not complete SSL handshake” error, then you are probably running Nagios in your environment. Well, I am too … and after a successful Nagios configuration (adding a new client to the configuration, which you can read more about in my Nagios configuration post, and setting up the configuration on the client side as well), I also got “CHECK_NRPE: Error – Could not complete SSL handshake” in my Nagios.

In this post I will explain why Nagios is getting this error and what to do to fix it!

How To fix “CHECK_NRPE: Error – Could not complete SSL handshake” guide!

Step 1: “CHECK_NRPE: Error – Could not complete SSL handshake” is usually (always from what I’ve seen) a client side problem.

Step 2: The Nagios client holds the file nrpe.cfg (provided by the nagios-nrpe or nrpe package), usually at /etc/nagios/nrpe.cfg (if installed from RPM).

Step 3: To fix the “CHECK_NRPE: Error – Could not complete SSL handshake” problem you need to edit the allowed_hosts line in the nrpe.cfg file.

By default the allowed_hosts line in nrpe.cfg only holds the localhost address:

allowed_hosts=127.0.0.1

You need to add the address of one or more of your Nagios servers, separated by commas:

allowed_hosts=127.0.0.1,192.168.1.100

Step 4: Do not forget to restart the nrpe service!

[root@foo1 ~]# service nrpe restart
Shutting down Nagios NRPE daemon (nrpe):                   [  OK  ]
Starting Nagios NRPE daemon (nrpe):                        [  OK  ]

Now your Nagios shouldn’t show “CHECK_NRPE: Error – Could not complete SSL handshake” error for this client anymore!!

TEST: You can test this from your Nagios server by finding and running the check_nrpe script (syntax: check_nrpe -H CLIENTIPADDR):

[root@foo1 ~]# /usr/lib/nagios/plugins/check_nrpe -H 192.168.61.149
CHECK_NRPE: Error - Could not complete SSL handshake.
[root@foo1 ~]# vi /etc/nagios/nrpe.cfg
[root@foo1 ~]# service nrpe restart
Shutting down Nagios NRPE daemon (nrpe):                   [  OK  ]
Starting Nagios NRPE daemon (nrpe):                        [  OK  ]
[root@foo1 ~]# /usr/lib/nagios/plugins/check_nrpe -H 192.168.61.149
NRPE v2.14

If the response to this test is the NRPE version of the client, the connection is OK!

UPDATE (Thanks to Stefano Costa):

If you are running the NRPE daemon under either inetd or xinetd the option allowed_hosts in the file nrpe.cfg is ignored. You should instead change the configuration of the service, for example, if you use xinetd, edit the only_from directive in the file /etc/xinetd.d/nrpe.
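
An added example (not code from the original post): a small Python check that reads the access list that actually applies, allowed_hosts in nrpe.cfg or only_from in the xinetd service file, and tests whether a given source address is on it. The sample files and probe addresses are constructed, the function names are hypothetical, and hostname entries are skipped rather than resolved.

```python
import ipaddress

# Constructed sample files for illustration (not taken from a real host).
NRPE_CFG = """\
# /etc/nagios/nrpe.cfg
server_port=5666
allowed_hosts=127.0.0.1,192.168.1.100
"""
XINETD_NRPE = """\
service nrpe
{
    socket_type = stream
    only_from   = 127.0.0.1 192.168.1.100
    disable     = no
}
"""

def allowed_entries(text, under_xinetd=False):
    """Return the entries of the access list that applies.

    Standalone daemon: allowed_hosts in nrpe.cfg, comma separated.
    Under xinetd: only_from in /etc/xinetd.d/nrpe, space separated.
    """
    key, sep = ("only_from", None) if under_xinetd else ("allowed_hosts", ",")
    for line in text.splitlines():
        name, eq, value = line.split("#", 1)[0].partition("=")
        if eq and name.strip() == key:
            return [e.strip() for e in value.split(sep) if e.strip()]
    return []  # directive not present in the file

def is_allowed(source, entries):
    """True if source matches an IP or CIDR entry (hostnames are skipped)."""
    addr = ipaddress.ip_address(source)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry: not resolved in this offline example
        if addr.version == net.version and addr in net:
            return True
    return False

def check(sources, text, under_xinetd=False):
    """Map each source address to whether the applicable list permits it."""
    entries = allowed_entries(text, under_xinetd)
    return {s: is_allowed(s, entries) for s in sources}

if __name__ == "__main__":
    probes = ["127.0.0.1", "::1", "192.168.1.100", "192.168.1.101"]
    for label, text, xi in (("nrpe.cfg", NRPE_CFG, False), ("xinetd", XINETD_NRPE, True)):
        for src, ok in check(probes, text, xi).items():
            print(f"{label:9} {src:15} {'allowed' if ok else 'REJECTED'}")
```

With these samples the IPv6 loopback ::1 is rejected even though 127.0.0.1 is listed, and any address not explicitly listed stays rejected, which is the behaviour an access list should have.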

  • Ahmed

    Thanks for the tip

    Kind Regards

  • Samuel

    Thanks! This really helps!
    When I add zenoss host to the allowed host list in client nrpe.cfg, I can use check_nrpe in Zenoss now.

    • Mitch

      Hello Samuel! Thanks for the info! I haven’t tried it with zenoss yet. Glad it helped and good to know!

      Regards Mitch

  • Stefano Costa

    Thanks for the info! For completeness, you could mention that if you are running the NRPE daemon under either inetd or xinetd the option allowed_hosts in the file nrpe.cfg is ignored. You should instead change the configuration of the service, for example, if you use xinetd, edit the only_from directive in the file /etc/xinetd.d/nrpe.

    • Mitch

      Hi Stefano, sorry for the late reply and thanks for your suggestion. Will go through CHECK_NRPE post again and add it soon!

      Regards,
      Mitch

      • Robert

        Hi Mitch, please update this with the xinetd information. I didn’t see Stefano’s comments till I found the problem myself in /etc/xinetd.d/nrpe and went to post a comment here.

        • Mitch

          Thanks for the reminder Robert and thanks to Stefano for pointing it out! I updated the post for future readers. Thanks again to both of you! Regards, Mitch

  • Misconfiguration in the nrpe.cfg file can also cause this error.

  • Siddhesh

    Use the following versions:
    nagios 3.2.0
    nagios-plugins-1.4.16
    nrpe-2.12
    I downgraded the nagios plugin nrpe version. It works.

  • saraswathi

    Thanks, it’s working for me

    • Mitch

      Thanks Saraswathi!

  • Muni

    I have the same error .. please help me..

  • Rana

    Thanks for the Tip..

  • Thanks! it works! 🙂

  • Kalyanasuindaram

    hi,

    I have done the same steps, still I’m receiving this error

    [root@localhost nagios]# /usr/lib/nagios/plugins/check_nrpe -H 10.10.1.250
    connect to address 10.10.1.250 port 5666: Connection refused
    and nagios webpage is showing .
    check_nrpe error could not complete ssl for all services.
    Could you please help to come out of this issue..

    –Kalyan

    • Mitch

      Hi, could this be firewall/iptables problem? Can you test connection to the client port 5666 from Nagios server. Regards, Mitch

  • adrien

    Thx for help

    Adrien

  • Kyle

    nrpe 2.15, nagios-plugins 2.0.2, Ubuntu 14.04.

    I didn’t see anyone mention this above. I had allowed_hosts with 127.0.0.1 but “check_nrpe -H localhost” was still saying it couldn’t complete the SSL handshake. I happened to glance at a window that still had syslog running from a previous task and saw “nrpe[2332]: Host ::1 is not allowed to talk to us!”.

    So apparently allowed_hosts now needs to include “::1”. I made that addition and all is well.

  • Michael Kjærstad

    A small, but very important detail about this, and that is that /etc/hosts.allow also must be updated. If the nagios/icinga machines aren’t listed here, they will get the same error.

    • Mitch

      Thanks for the update Michael! This should help somebody.

    • Sorin Srbu

      Thanks Michael, saved the day – and my hair… 😎

  • yuletak

    If running from xinetd, just use spaces to separate the hosts.

  • Another thanks! just fixed an RHEL client and an Ubuntu. In the latter case you restart NRPE with:

    sudo service nagios-nrpe-server restart

  • piwwo

    You confuse nrpe server and client here. The server runs on the computer you want to have monitored by nagios and the nrpe client runs on the nagios monitor.

  • tmooredba

    A little late to the party, but I had the same issue today. You will need to ensure SELINUX is not set to ‘enforcing’ in /etc/selinux/config. It can be set to ‘disabled’, but if this is a production system then it may be best to do it properly and set the appropriate privileges for your NRPE/Nagios user on the system being monitored (the ‘server’ nrpe process). See here for more info:

    https://wiki.centos.org/HowTos/SELinux

    Hope this helps someone! 🙂

  • Rich Johnson

    Just wanted to say thank you for posting this. We just deployed a new Nagios remote poller, and it could not check itself because I had neglected to add its own IP address in its cfg file.

  • Ankit Chaubey

    Thanks a lot for saving my life brave man.. you just nailed it.. I’ve been working on it for the whole day.. there were other issues too, as I installed on my client machine for the first time.. but this one was really screwing me up.. Thanks again..

  • Patrick Ilunga

    thanks it works well