SSL compatibility problems between clients and servers

[amateo]

I'm trying to run a 4.0.3 nrpe client with an old nrpe server (v2.15 provided in packages of Ubuntu 16.04).

The problem I have is that I'm having the error:

CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 155.54.212.35: 1

The client IP is listed in allowed_hosts of the server (I have checked it and I have a log line with Host address is in allowed_hosts). In the server I have the logs:

May 20 14:45:47 mustela10 nrpe[56539]: Host address is in allowed_hosts
May 20 14:45:47 mustela10 nrpe[56539]: Handling the connection...
May 20 14:45:47 mustela10 nrpe[56539]: Error: Could not complete SSL handshake. 1
May 20 14:45:47 mustela10 nrpe[56539]: Connection from  closed.

I have tried with different combinations of -S, -d and/or -l options.

Any idea?

[joshua-martinez95]

I'm having similar issues, have you found a solution? NRPE server is on Red hat 7.9, client is on 8.4.

I've even tried to build from source on the 8.4 machine and I get this error: Checking whether compiling and linking against SSL works..... configure: error: no

[sawolf]

This response is probably much later than you would have liked, but I'd recommend setting ssl_logging=-1 in your nrpe.cfg and then restarting/retrying the check_nrpe query. The log should give more detailed information about which functions failed and why.

[Shadok]

It's the same issue with nrpe client on old linux server (Ubuntu 14, nagios-nrpe-server 2.15). If you use the current check_nrpe (4.0.0), it won't work whatever option you're using, despite whats the officiel documentation is saying (https://support.nagios.com/kb/article/nrpe-v3-v4-compatibility-with-previous-versions-516.html) :

# /usr/lib/nagios/plugins/check_nrpe -2 -H 10.5.250.165 -c check_disk -a 400 300 /
CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with 10.5.250.165: 1

# /usr/lib/nagios/plugins/check_nrpe -V
NRPE Plugin for Nagios
Version: 4.0.0

But, if you keep the old check_nrpe, it works in all cases :

# /usr/local/lib/nagios/plugins/check_nrpe.ori -H 10.5.250.165 -c check_disk -a 400 300 /
DISK OK - free space: / 894 MB (33% inode=55%);| /=1808MB;2451;2551;0;2851

# /usr/local/lib/nagios/plugins/check_nrpe.ori -V
/usr/local/lib/nagios/plugins/check_nrpe.ori: invalid option -- 'V'

NRPE Plugin for Nagios
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013

[Shadok]

With debug enabled on the client, we don't have more useful informations, here's the differences with a call from the old check_nrpe, and the new one with the -2 option :

nrpe[4846]: Connection from 10.5.236.21 port 61103
nrpe[4846]: Host address is in allowed_hosts
nrpe[4846]: Handling the connection...
nrpe[4846]: Host is asking for command 'check_disk' to be run...
nrpe[4846]: Running command: /usr/lib/nagios/plugins/check_disk -w 400 -c 300 -p /
nrpe[4846]: Command completed with return code 0 and output: DISK OK - free space: / 894 MB (33% inode=55%);| /=1808MB;2451;2551;0;2851
nrpe[4846]: Return Code: 0, Output: DISK OK - free space: / 894 MB (33% inode=55%);| /=1808MB;2451;2551;0;2851
nrpe[4846]: Connection from ⚌⚌#027q closed.

nrpe[4852]: Connection from 10.5.236.21 port 2742
nrpe[4852]: Host address is in allowed_hosts
nrpe[4852]: Handling the connection...
nrpe[4852]: Error: Could not complete SSL handshake. 1
nrpe[4852]: Connection from ⚌⚌#027q closed

[Shadok]

Same issue with check_nrpe 4.1.

[snathan9]

Having the same issue. Hoping the "-2" option that offers compatibility with version 2 can be fixed to resolve. Unable to use latest nrpe without upgrading ALL servers. Is there a way to compile older version of just the nrpe client?