NRPE SSL issue


#1

Hi everyone -

I’m having an issue with SSL on a CentOS 5.x Nagios server (Nagios version 3.1) and a Nagios NRPE daemon on two remote hosts.

The issue is the usual "SSL handshake" one –

However – I installed NRPE from apt-get on one remote host and yum install on the other.
I believe the defaults are to use SSL in those cases, which is fine.

I know my main Nagios server has had trouble with SSL before -
I use NSClient++ on a number of Windows servers with NRPE configured, and
some of them seem to require the NSC.ini file to contain
"use_ssl=0" to be configured.

Obviously, the problem is with SSL on my host Nagios server - the one which runs check_nrpe
against various hosts.

How can I figure out what’s wrong with SSL on that server and fix it?

I have the config correct on the remote servers for nrpe.cfg and NSC.ini —
I’m seeing logged entries for the host Nagios server coming in and trying to run commands, or just
get the NRPE version,
so I’m certain that allowed_hosts is correct.

Plus, I’m seeing the behaviour on several remote clients, so I don’t think it’s an issue
for multiple remote hosts running NRPE as a service.

I see lots of discussion of recompiling nrpe not to use SSL, etc.

I’d like to stick to yum and apt based installs, and more importantly, I’d like to figure out the
underlying reason my Nagios server sometimes cannot use SSL in NRPE requests…

Thanks for any SSL advice!

T


#2

I tried this idea out –

I installed nagios-plugins on the remote NRPE host itself – the one running the nrpe daemon
I then added the server’s own IP to the allowed_hosts directive.

A run of
/usr/lib/nagios/plugins/check_nrpe -H localhost
returns the NRPE version

/usr/lib/nagios/plugins/check_nrpe -H 192.168.0.ABC
FAILS!

It cannot even talk to itself on its OWN IP!

This may still be an NRPE daemon side issue –
If check_nrpe on the same box won’t work, I certainly cannot expect it to talk to a remote server.

A ‘netstat’ does not show NRPE running on EITHER interface, nor does Nmap show port 5666 open
on either interface.

Yet it does work on localhost!

weird…
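The localhost-works / own-IP-fails pattern in the second post, together with netstat and nmap showing nothing on port 5666 on either interface, is what a loopback-only bind looks like, and that failure happens before any SSL handshake is attempted. The script below is an added diagnostic example (not code from the thread or from the NRPE project): it parses `netstat -ltn` / `ss -ltn` style output to report where the NRPE port is bound, reads the `server_address` and `allowed_hosts` directives from an nrpe.cfg, and prints a one-line verdict for a given client address. The netstat excerpt, the nrpe.cfg values and the 192.168.0.10 address are all constructed to mirror the symptom, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added diagnostic helper for the symptom in this thread (not code from the
# original posts): check_nrpe works against localhost but not against the
# host's own address. It parses `netstat -ltn` / `ss -ltn` style output to see
# where the NRPE port is bound, and reads nrpe.cfg for server_address and
# allowed_hosts. All sample input below is constructed, not captured.

NRPE_PORT=5666

# Constructed `netstat -ltn` excerpt: NRPE bound to loopback only.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5666          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed nrpe.cfg excerpt (hypothetical values).
SAMPLE_CFG='server_port=5666
server_address=127.0.0.1
allowed_hosts=127.0.0.1,192.168.0.10
dont_blame_nrpe=0'

# Where does port $1 listen? Reads netstat/ss output on stdin and prints one
# of: all (wildcard bind), loopback (127.0.0.1/::1 only), specific:<addr>, none.
nrpe_listen_scope() {
    awk -v port="${1:-$NRPE_PORT}" '
        /LISTEN/ {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]") wild = 1
            else if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") loop = 1
            else other = addr
        }
        END {
            if (wild) print "all"
            else if (other != "") print "specific:" other
            else if (loop) print "loopback"
            else print "none"
        }'
}

# Print the server_address directive from the nrpe.cfg on stdin, or "any" if unset.
nrpe_server_address() {
    awk -F= '
        /^[[:space:]]*server_address[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v); addr = v }
        END { print (addr == "" ? "any" : addr) }'
}

# Succeed if $1 appears in the allowed_hosts list of the nrpe.cfg on stdin.
allowed_host_listed() {
    awk -v want="$1" -F= '
        /^[[:space:]]*allowed_hosts[[:space:]]*=/ {
            n = split($2, hosts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", hosts[i])
                if (hosts[i] == want) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Summarise the three checks for client address $1. Uses the samples above; on a
# real host feed it `netstat -ltn` (or `ss -ltn`) and /etc/nagios/nrpe.cfg instead.
diagnose() {
    client="$1"
    scope=$(printf '%s\n' "$SAMPLE_NETSTAT" | nrpe_listen_scope "$NRPE_PORT")
    bind=$(printf '%s\n' "$SAMPLE_CFG" | nrpe_server_address)
    if printf '%s\n' "$SAMPLE_CFG" | allowed_host_listed "$client"; then acl=listed; else acl=missing; fi
    echo "port $NRPE_PORT listens: $scope; server_address: $bind; $client in allowed_hosts: $acl"
    case "$scope" in
        loopback) echo "-> only localhost can connect; check_nrpe -H <own IP> is refused before any SSL handshake" ;;
        none)     echo "-> nothing listens on $NRPE_PORT on any address; the daemon is not running or is bound elsewhere" ;;
        *)        echo "-> the listener is reachable; a remaining failure is in the SSL negotiation itself" ;;
    esac
}

diagnose 192.168.0.10
```

Running it against the constructed input reports a loopback-only bind, which is the case where netstat and nmap show nothing on the external interface while `check_nrpe -H localhost` still answers. Once the listener is reachable on the real address, `check_nrpe -n` (its no-SSL option) separates a transport problem from an SSL one; the "Could not complete SSL handshake" message also appears when the check_nrpe plugin and the nrpe daemon were built with different SSL settings, which is why packaged builds from different distributions can disagree.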