Reputation: 812
All of the questions about this error show people running check_nrpe -H [some_remote_ip], in contrast to an error-free run on localhost.
I, however, can't even get this to run on localhost:
$> ./check_nrpe -H localhost
CHECK_NRPE: Error - Could not complete SSL handshake.
The service does appear to be up and running:
$> sudo netstat -apn | grep :5666
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 5847/nrpe
tcp6 0 0 :::5666 :::* LISTEN 10216/nrpe
And the daemon returns no errors:
$> sudo service nagios-nrpe-server status
* nagios-nrpe is running
My nrpe.cfg file has allowed_hosts set correctly:
allowed_hosts=127.0.0.1,10.0.1.2,0.0.0.0
Contents of /var/log/syslog with debugging turned on:
Nov 1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 port 6601
Nov 1 22:54:44 <MYHOST> nrpe[11156]: Host ::1 is not allowed to talk to us!
Nov 1 22:54:44 <MYHOST> nrpe[11156]: Connection from ::1 closed.
Does anyone have any idea what's going on? This seems almost nonsensical. Thanks!
Upvotes: 0
Views: 9055
Reputation: 1
I am not sure if it is still relevant, but I had the same issue and discovered someone had changed the /etc/hosts.allow file, blocking the access. Somehow this results in the following errors:
Client: Connection refused by TCP wrapper
Server: Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with <Client IP> : rc=-1 SSL-error=5
Changing the /etc/hosts.allow file solved the issue.
Upvotes: 0
Reputation: 1
I think that check_nrpe is trying to use IPv6.
The IPv6 localhost IP is ::1, so adding this to your allowed_hosts= line in nrpe.cfg and restarting nrpe will tick this box for you.
Alternatively, as another responder replied, you can just add -4 to your check_nrpe command to force it to stick to IPv4.
I was having the same issue and it's only when I saw the ::1 in the question that it dawned on me what was happening.
Upvotes: 0
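As an added example (not part of any post on this page, and not NRPE's own code), this Python script cross-checks the "is not allowed to talk to us" syslog lines against the allowed_hosts line to show which peer address is missing. The function names are hypothetical, the sample input is constructed from the question, and entries are assumed to be literal addresses or CIDR networks (hostnames are skipped).

```python
import ipaddress
import re
# Constructed sample input, mirroring the nrpe.cfg line and syslog excerpt in the question.
NRPE_CFG = "allowed_hosts=127.0.0.1,10.0.1.2,0.0.0.0\n"
SYSLOG = """\
Nov 1 22:54:44 myhost nrpe[11156]: Connection from ::1 port 6601
Nov 1 22:54:44 myhost nrpe[11156]: Host ::1 is not allowed to talk to us!
Nov 1 22:54:44 myhost nrpe[11156]: Connection from ::1 closed.
"""
REJECT_RE = re.compile(r"nrpe\[\d+\]: Host ([0-9A-Fa-f:.]+) is not allowed to talk to us!")


def parse_allowed_networks(cfg_text):
    """Return the allowed_hosts entries that parse as addresses or CIDR networks."""
    networks = []
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("allowed_hosts="):
            continue
        for entry in filter(None, (e.strip() for e in line.split("=", 1)[1].split(","))):
            try:
                networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                pass  # hostname entry: not resolved here (assumption of this example)
    return networks


def rejected_hosts(log_text):
    """Unique peer addresses logged as rejected, in first-seen order."""
    return list(dict.fromkeys(REJECT_RE.findall(log_text)))


def explain(cfg_text, log_text):
    """Map each rejected peer address to why it misses the allow list."""
    networks = parse_allowed_networks(cfg_text)
    report = {}
    for host in rejected_hosts(log_text):
        addr = ipaddress.ip_address(host)
        if any(addr.version == n.version and addr in n for n in networks):
            report[host] = "listed in allowed_hosts"
        elif addr.version == 6 and addr.is_loopback:
            report[host] = "IPv6 loopback not listed; add ::1 or run check_nrpe with -4"
        else:
            report[host] = "not listed in allowed_hosts"
    return report


if __name__ == "__main__":
    print(explain(NRPE_CFG, SYSLOG))
```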
Reputation: 1482
Note that my example may be different than yours.
First change to the folder having your nrpe command and run:
./nrpe --version
The output from that command will look something like this:
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad ([email protected])
Version: nrpe-3.0
Last Modified: 07-12-2016
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available, OpenSSL 0.9.6 or higher required
Notice that the last line tells you that SSL is indeed supported by this build of NRPE. If it is not there, then you'll have to install a version that was compiled with SSL support (which may mean compiling one for yourself, depending on where you got it). The docs for the source code are pretty clear on how this is done.
If you DO have the SSL line above, look at the required version on the line and check your system to be sure that at least that version has been installed. I used this command:
rpm -qa | grep openssl
And received output looking like this:
libopenssl1_0_0-32bit-1.0.1k-2.39.1.x86_64
openssl-1.0.1k-2.39.1.x86_64
Both openssl and libopenssl are required for NRPE's SSL support to function correctly. I strongly recommend, if these are not installed, using your system's package installer (apt-get, yum, zypper, ...) to fetch and install them. If these are already installed, but you still have errors, then you will likely have a configuration issue in:
/etc/ssl/openssl.cnf
Fixing that is well outside of the scope/space available here. I recommend upgrading both of these via a working, on-line package - these packages always include a default configuration which should work fine with NRPE - assuming the version is equal to or higher than required.
Upvotes: 1