Solaris 9 - NRPE - Could not complete SSL handshake

Hi everyone,

I did not find anything helpful, so here is my (quite) classic issue:

I’m trying to configure the NRPE plugin between two Solaris servers (one is the monitoring server, one is the remote host).

I’ve downloaded and compiled NRPE 2.9 with SSL.

/usr/local/nagios/bin# ldd nrpe

    libssl.so.0.9.7 =>       /usr/local/lib/libssl.so.0.9.7
    libcrypto.so.0.9.7 =>    /usr/local/lib/libcrypto.so.0.9.7
    libnsl.so.1 =>   /usr/lib/libnsl.so.1
    libsocket.so.1 =>        /usr/lib/libsocket.so.1
    libc.so.1 =>     /usr/lib/libc.so.1
    libdl.so.1 =>    /usr/lib/libdl.so.1
    libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
    libmp.so.2 =>    /usr/lib/libmp.so.2
    /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1

The NRPE daemon is started by inetd on the remote host; here is the line in inetd.conf:

Nagios NRPE Daemon

nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i

When I try to talk to it from the other server with the proper binary (2.9) (as mentioned in documentation) :

./check_nrpe -H <remote_host>

CHECK_NRPE: Error - Could not complete SSL handshake.

I found some stuff on nagios.org like this one nagios.org/faqs/viewfaq.php?faq_id=191 but I checked everything and it still doesn’t work.

When I try to disable SSL (in inetd.conf and when I run the client side command) I got the following :
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

My /var/log/syslog doesn’t record anything.

Any idea ?

Addendum :

Everything works fine if I run the nrpe daemon as standalone daemon.

!???

when you’re running the standalone daemon, you’re starting it as root I assume, and it’s working. so the problem lies in inetd. I see it’s trying to run nrpe as the user “nagios”. does the nagios user exist? is the nagios user allowed to run /usr/local/nagios/bin/nrpe?

you probably already know this, but remember to restart inetd after config changes.

can you do a netstat -pantu and see if inetd is listening on 5666 (nrpe’s default port)? not sure if you have to do this with solaris, but on RHEL you should add “nrpe 5666/tcp” to /etc/services…

Lemme know if any of that helps

Thanks for your input.

Yes, in standalone mode I launch the process from the root account, but the configuration file (/usr/local/nagios/etc/nrpe.cfg) tells it to run as the nagios user and it works fine: when I check with ps, the process is running under the nagios account.

I’ve done a lot of testing and I never forgot to restart inetd. I think its configuration is good because I receive a “connection refused” when it is not yet configured. As soon as the inetd.conf and services files are set up I get this handshake error. It means the nrpe process answers, but something is wrong and I don’t know what.

The nrpe binary is dynamically linked with the SSL libs; it may have trouble finding them when launched by inetd!??

I’ll give it a new try on Monday as I’m on my weekend right now :(

I’ve made a new try with a shell encapsulating the call to nrpe binary. It allows me to define the LD_LIBRARY_PATH just in case the nrpe binary was not able to find the SSL libs. But it didn’t change anything.

I still have the handshake error …

Hi,

Try disabling SSL altogether by inserting a “-n” in the nrpe command line.
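
Added example, not part of the thread: a small checker for the points raised above (service name in /etc/services, existence of the run-as user, the `-i` flag), plus one more property of the classic inetd.conf format, namely that the server-arguments field begins with argv[0], so its first token is never parsed as an option. The sample services and passwd data are constructed, and `check_inetd_entry` and `service_names` are hypothetical helper names.

```python
import shlex

# Constructed sample data (not taken from the thread's hosts).
SERVICES = "ssh 22/tcp\nnrpe 5666/tcp  # Nagios NRPE\n"
PASSWD = "root:x:0:0::/:/sbin/sh\nnagios:x:100:100::/usr/local/nagios:/bin/sh\n"
CFG = "/usr/local/nagios/etc/nrpe.cfg"
AS_POSTED = f"nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe -c {CFG} -i"
WITH_ARGV0 = f"nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c {CFG} -i"

FIELDS = ("service", "socktype", "proto", "wait", "user", "program")


def service_names(services_text):
    """Names and aliases defined in /etc/services-style text."""
    names = set()
    for raw in services_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            names.add(parts[0])
            names.update(parts[2:])
    return names


def check_inetd_entry(line, services_text, passwd_text):
    """Return findings for one inetd.conf line; an empty list means none."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return []  # blank line or comment
    if len(tokens) <= len(FIELDS):
        return ["expected 6 fields followed by server arguments"]
    entry = dict(zip(FIELDS, tokens))
    args = tokens[len(FIELDS):]
    users = {u.split(":")[0] for u in passwd_text.splitlines() if u}
    findings = []
    if entry["service"] not in service_names(services_text):
        findings.append("service name missing from /etc/services")
    if entry["user"] not in users:
        findings.append("run-as user does not exist")
    # inetd hands the argument field to the program as argv, so the first
    # token becomes argv[0] and is never parsed as an option.
    if args[0].startswith("-"):
        findings.append(f"'{args[0]}' is consumed as argv[0]; put the program name first")
    if "-i" not in args[1:]:
        findings.append("nrpe is not told to run in inetd mode (-i)")
    return findings


if __name__ == "__main__":
    for label, line in (("as posted", AS_POSTED), ("with argv[0]", WITH_ARGV0)):
        print(label, "->", check_inetd_entry(line, SERVICES, PASSWD) or "no findings")
```
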