I have a local Nagios Server and I'm trying to configure it to monitor my tomcat8 server with check_jvm, so I can control the memory and classes used by Java.
To do so I installed the check_nrpe plugin on the client, and configured it but I'm having an 'odd' error.
If I try to call the plugin on the client from my server, it answers correctly, even using check_jvm commands as parameter.
But when I configure it so Nagios does the check on its own, the web browser returns a "CHECK_NRPE: Error - Could not complete SSL handshake" for that service specifically.
This is what I have:
From my nagios server
# /usr/local/nagios/libexec/check_nrpe -H <client.ip>
NRPE v2.12
# /usr/local/nagios/libexec/check_nrpe -H <client.ip> -c tomcat_heap
OK 799998504 |max=2101870592;;; commited=2101870592;;; used=799998504;;;
Where tomcat_heap is the name of a command defined in nrpe.cfg at the client in order to use the check_jvm plugin.
command[tomcat_heap]=sudo /usr/local/nagios/libexec/check_jvm -n org.apache.catalina.startup.Bootstrap -p heap -w 1700000000 -c 2000000000
Now, back again on my Nagios server, this is the service definition
define service{
    use                 generic-service
    host_name           lin-des
    service_description Tomcat heap
    check_command       check_nrpe!tomcat_heap
}
Now, this returns a 'CHECK_NRPE: Error - Could not complete SSL handshake' on the web app.
I've checked the allowed_hosts on the nrpe.cfg file, as well as on /etc/xinetd.d/nrpe, so it includes my nagios server IP.
I've also checked the SELinux and iptables configuration.
I've also checked that both my Nagios server, and the client share the same version of the ssl libraries.
Lastly, I've checked all the permissions on /usr/local/nagios/libexec on both the server and the client, so the user nagios has ownership of them.
At this point, I ran out of ideas, and that's why I'm asking you. Any ideas on where the problem may be?
Found it.
It seems when I defined the check_nrpe command in the command.cfg, I made a mistake on the command line.
define command{
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5656 -t 30 -c $ARG1$
}
As you can see, I defined the command to work on the port 5656 which isn't the port used by the nrpe service (it actually is 5666).
After fixing this error, everything runs properly.
I hope this helps anyone with similar problems.
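The manual test in the question passes no -p, so check_nrpe falls back to its default port, while the command definition Nagios runs carries -p 5656. The script below is an added example, not part of the original post: it prints the command line Nagios would actually run and flags any check_nrpe definition whose -p differs from the daemon's port. The function names and the host address 192.0.2.10 are made up for illustration; port 5666 is the one given in the answer.

```shell
# Added example (not from the original post); reads Nagios object config on stdin.
# Constructed sample: the command definition quoted in the answer above.
SAMPLE='define command{
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -p 5656 -t 30 -c $ARG1$
}'

# Print "<command_name> <port>" per check_nrpe command; "default" means no -p.
nrpe_ports() {
    awk '
        $1 == "define" && $2 ~ /^command/ { name = ""; port = ""; next }
        $1 == "command_name" { name = $2 }
        $1 == "command_line" && /check_nrpe/ {
            port = "default"
            for (i = 2; i < NF; i++) if ($i == "-p") port = $(i + 1)
        }
        $1 == "}" { if (port != "") print name, port; port = "" }
    '
}

# Return 1 if any check_nrpe command sets -p to something other than $1.
audit_nrpe_ports() {
    expected=${1:-5666}
    bad=$(nrpe_ports | awk -v want="$expected" '$2 != "default" && $2 != want { print $1 ":" $2 }')
    if [ -n "$bad" ]; then
        echo "MISMATCH (command:port, expected $expected): $bad"
        return 1
    fi
    echo "OK: no check_nrpe command overrides port $expected"
}

# Print the command line Nagios would run for one command, macros filled in,
# so it can be compared with the manual test. Args: name plugin_dir host arg1
expand_command() {
    awk -v want="$1" -v u1="$2" -v host="$3" -v a1="$4" '
        $1 == "command_name" { name = $2 }
        $1 == "command_line" { line = $0; sub(/^[ \t]*command_line[ \t]+/, "", line) }
        $1 == "}" {
            if (name == want) {
                gsub(/\$USER1\$/, u1, line); gsub(/\$HOSTADDRESS\$/, host, line)
                gsub(/\$ARG1\$/, a1, line); print line
            }
            name = ""; line = ""
        }
    '
}

printf '%s\n' "$SAMPLE" | expand_command check_nrpe /usr/local/nagios/libexec 192.0.2.10 tomcat_heap
printf '%s\n' "$SAMPLE" | audit_nrpe_ports 5666 || true
```

To run it on a real installation, redirect the file that holds the check_nrpe definition into `audit_nrpe_ports` instead of piping in the sample.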