[Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE

Arnold Wang awang at qrs.com
Mon Aug 16 10:40:07 CEST 2004


Thanks for looking into this problem. I didn't spend a lot of time on this
problem during the weekend. However, I did try the agent on another AIX
machine and everything worked fine there. This tells me the problem is local
to that machine. I'm not sure whether it's related to basic SSL, for
two reasons. First, the agent works fine as a standalone daemon. Second,
SSH works fine on that machine, which also relies on SSL.
I wonder how the agent behaves differently in standalone mode and inetd
mode with regard to encryption. I would assume this should help me find out
what the problem in the system is.

-----Original Message-----
From: Tim Brazil [mailto:brazil at sendmail.com] 
Sent: Friday, August 13, 2004 3:53 PM
To: Arnold Wang
Subject: Re: [Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE

Hi Arnold

I've been really busy today and haven't been able to get a chance to 
think about your issue. I'm heading out early for the weekend. It sounds 
like you have a basic ssl issue. All I can do at this point is recommend 
you search on the internet using the error you got returned from the 
debug output.  I'm sure this has been experienced by someone else before.

If you really get stuck and decide not to use ssl, you can re-compile 
your nrpe without it using configure --disable-ssl.
If you don't have it figured out by Monday, perhaps I can look into it 
further.

Sorry
Tim

Arnold Wang wrote:

>It looks like I'm having trouble sending to the list. Here are the two
>e-mails I sent earlier; I hope you can see them this time. Thanks for your help. 
>
>-----Original Message-----
>From: Tim Brazil [mailto:brazil at sendmail.com] 
>Sent: Friday, August 13, 2004 2:11 PM
>To: Arnold Wang
>Cc: nagiosplug-devel at lists.sourceforge.net
>Subject: Re: [Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE
>
>The way you may be able to figure it out is via debug output from 
>openssl s_client. Make sure your client and server share the same ciphers
>
>/usr/bin/openssl s_client -connect <yourhost>:5666 -debug
>
>
>Arnold Wang wrote:
>
>  
>
>>I posted the following message to the checkins list and haven't 
>>received any response yet. I hope I can get some help here.
>>
>>------------------------------------------------------------------------
>>
>>*From:* Arnold Wang
>>*Sent:* Friday, August 13, 2004 11:51 AM
>>*To:* nagios-checkins at lists.sourceforge.net
>>*Subject:* [Nagios-checkins] SSL error for NRPE
>>
>>I received the following error "CHECK_NRPE: Error - Could not complete 
>>SSL handshake." when I tried to run check_nrpe from the monitoring 
>>host. The monitoring host is running RedHat Enterprise 3.0 and the 
>>monitored host is running AIX 5.3. The problem only happens if I run 
>>nrpe in inetd mode. If I run nrpe as a separate daemon, with -d 
>>option, it's working fine.
>>
>>Thanks in advance for your help.
>>
>>    
>>
>
>
>  
>
>
> ------------------------------------------------------------------------
>
> Subject: RE: [Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE
> From: "Arnold Wang" <awang at qrs.com>
> Date: Fri, 13 Aug 2004 13:34:46 -0700
> To: "Tim Brazil" <brazil at sendmail.com>
>
>Here is what it looks like in inetd.conf:
>nrpe   stream  tcp     nowait  nagios  /usr/local/nagios/bin/nrpe /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i
>
>
>The nrpe.cfg file looks like this, which I believe is used when I run nrpe in
>-d mode:
>server_port=5666
>allowed_hosts=127.0.0.1,10.17.2.88
>nrpe_user=nagios
>nrpe_group=nagios
>dont_blame_nrpe=0
>debug=0
>command_timeout=60
>command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
>command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
>command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /dev/hda1
>command[check_disk2]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /dev/hdb1
>command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
>command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
>
>-----Original Message-----
>From: Tim Brazil [mailto:brazil at sendmail.com] 
>Sent: Friday, August 13, 2004 1:29 PM
>To: Arnold Wang
>Subject: Re: [Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE
>
>Just a guess... are you running the inetd process as the nagios user?
>
>nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/sbin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i
>
>
> ------------------------------------------------------------------------
>
> Subject: RE: [Nagiosplug-devel] FW: [Nagios-checkins] SSL error for NRPE
> From: "Arnold Wang" <awang at qrs.com>
> Date: Fri, 13 Aug 2004 14:29:02 -0700
> To: "Tim Brazil" <brazil at sendmail.com>
> CC: nagiosplug-devel at lists.sourceforge.net
>
>Here is the output, which is beyond me to interpret.
>[root@rcarhld01 /]# openssl s_client -connect rcaaixd02:5666 -debug
>CONNECTED(00000003)
>write to 080AD2F8 [080AD340] (142 bytes => 142 (0x8E))
>0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
>0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
>0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
>0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
>0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
>0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
>0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 d1 1c   ................
>0070 - cc d9 8f 5d 03 e5 47 6f-03 87 0d d3 4b 9c b7 49   ...]..Go....K..I
>0080 - 99 1e 4d a1 d7 88 b8 42-cb 2e 28 a9 c5 be         ..M....B..(...
>read from 080AD2F8 [080B28A0] (7 bytes => 0 (0x0))
>15787:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
>
>The following is the output when I run nrpe -d on the remote host.
>[root@rcarhld01 libexec]# openssl s_client -connect rcaaixd02:5666 -debug
>CONNECTED(00000003)
>write to 080AD2F8 [080AD340] (142 bytes => 142 (0x8E))
>0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
>0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
>0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
>0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
>0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
>0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
>0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 e4 c0   ................
>0070 - de c2 fd f6 10 55 22 dc-3d fc d2 40 e3 4b db 60   .....U".=..@.K.`
>0080 - 6d d6 35 30 4b 05 50 58-71 e0 47 e1 d6 ec         m.50K.PXq.G...
>read from 080AD2F8 [080B28A0] (7 bytes => 7 (0x7))
>0000 - 15 03 01 00 02 02 28                              ......(
>16818:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
>
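
An added example, not part of the original thread: a decoder for the two `openssl s_client -debug` captures quoted above. It parses the 142-byte SSLv2-format ClientHello, checks whether any anonymous-DH (ADH) suite was offered, and classifies the two server replies. The ADH check assumes the NRPE build accepts only ADH suites, as stock NRPE 2.x did; all function and constant names are illustrative.

```python
import struct

# SSLv3/TLS anonymous-DH suite ids (RFC 2246, RFC 3268)
ADH_SUITES = {0x0017, 0x0018, 0x0019, 0x001A, 0x001B, 0x0034, 0x003A}
ALERTS = {0: "close_notify", 10: "unexpected_message",
          40: "handshake_failure", 70: "protocol_version"}

# 142-byte "write to" payload from the first capture in the thread
CLIENT_HELLO = bytes.fromhex(
    "808c01030100630000002000003900003800003500001600001300000a0700c0"
    "00003300003200002f0300800000660000050000040100800800800000630000"
    "6200006100001500001200000906004000006500006400006000001400001100"
    "0008000006040080000003020080d11cccd98f5d03e5476f03870dd34b9cb749"
    "991e4da1d788b842cb2e28a9c5be")
REPLY_DAEMON = bytes.fromhex("15030100020228")  # 7 bytes read with nrpe -d
REPLY_INETD = b""                              # 0 bytes read in inetd mode

def parse_v2_client_hello(data):
    """Return ((major, minor), [cipher specs]) from an SSLv2-format hello."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 1:
        raise ValueError("not an SSLv2-format ClientHello")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    if rec_len != len(data) - 2:
        raise ValueError("record length mismatch")
    major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBHHH", data[3:11])
    # 9 = message type (1) + version (2) + three length fields (6)
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != rec_len:
        raise ValueError("inconsistent field lengths")
    specs = [int.from_bytes(data[11 + i:14 + i], "big")
             for i in range(0, spec_len, 3)]
    return (major, minor), specs

def offers_adh(specs):
    # A v2 spec with a zero first byte carries a 2-byte SSLv3/TLS suite id.
    return any(s in ADH_SUITES for s in specs)

def classify_reply(data):
    """Describe what the server sent back after the ClientHello."""
    if not data:
        return "closed-without-reply"
    if len(data) >= 7 and data[0] == 0x15:  # TLS record type 21 = alert
        level = "fatal" if data[5] == 2 else "warning"
        return "%s alert: %s" % (level, ALERTS.get(data[6], str(data[6])))
    return "other"

if __name__ == "__main__":
    version, specs = parse_v2_client_hello(CLIENT_HELLO)
    print(version, len(specs), "ADH offered:", offers_adh(specs))
    print("daemon:", classify_reply(REPLY_DAEMON))
    print("inetd: ", classify_reply(REPLY_INETD))
```

On these captures the client offered 33 cipher specs with no ADH suite among them, and the daemon-mode reply decodes as a fatal handshake_failure alert, which under the stated assumption is a cipher mismatch with s_client's default list. The inetd-mode capture is a different symptom: the connection closed before any TLS bytes came back.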





