Having trouble with the NRPE SSL handshake error?

Usually, this occurs when the NRPE server has problems communicating with the Nagios server.

At Bobcares, we often fix nrpe ssl handshake errors as a part of our Server Management Services.

Today, let’s have a look for the reason of this error. We’ll also see how our Support Engineers fix this error.

NRPE SSL handshake error – How it appears?

The error ‘CHECK_NRPE: Error – Could not complete SSL handshake’ is a common problem found while accessing remote hosts from the nagios server.

For instance, the error appears as follows.

Here, the SSL handshake process between the NRPE daemon and Nagios server fails to complete. The top reasons for the error include incorrect Nagios IP configuration or missing SSL support in NRPE.

Let’s detail how our Support Engineers help the customers in fixing this error.

How we fix SSL handshake error

At Bobcares, where we have more than a decade of expertise in managing servers, we see many customers face problems with the NRPE handshake error.

Now, let’s see how our Support Engineers fix this error.

1. Proper defining of Nagios server’s IP address

A common fix for the SSL handshake error is setting the Nagios server IP address correctly. This again depends on how NRPE runs on the server.

It can either run using xinetd or as a dedicated daemon.

Recently when a customer reported the NRPE SSL handshake error, xinetd daemon was responsible for NRPE. Therefore, we corrected the Nagios server’s IP address for communicating with NRPE with the below steps.

Initially, we confirmed the existence of the nrpe daemon under xinetd.

ls -la /etc/xinetd.d/nrpe

If this command results in the following, then it indicates xinetd.

-rw-r--r--. 1 root root 483 Feb 22 12:23 /etc/xinetd.d/nrpe

XINETD defines Nagios IP address

We added the Nagios server’s IP address to the xinetd NRPE configuration file.

/etc/xinetd.d/nrpe

Then we entered the file and edited this file to add the Nagios server IP address. We changed,

only_from = 127.0.0.1

to

only_from = 127.0.0.1 <Nagios server ip>

On servers using IPv6, we set it as

only_from = 127.0.0.1 ::1 <Nagios server ip>

After making changes, we restarted the xinetd service on the remote host.

service xinetd restart

And that fixed the problem.

NRPE.CFG defines Nagios IP address

In servers where NRPE uses a dedicated daemon, it shows missing /etc/xinetd.d/nrpe file.

ls: cannot access /etc/xinetd.d/nrpe: No such file or directory

Here, we then add the Nagios server’s IP address to the nrpe.cfg configuration file at /usr/local/nagios/etc/nrpe.cfg

We edit the line in the configuration file.

allowed_hosts=127.0.0.1

to,

allowed_hosts=127.0.0.1,<Nagios XI server ip>

Here we add the customer’s actual Nagios server IP address in place of <Nagios XI server ip>.

Finally, restart the NRPE service.

service nrpe restart

2. NRPE compiling with SSL

Besides, this error can also occur when NRPE was not compiled with SSL.

Therefore, to fix it, we then recompile NRPE with SSL.

We log in to the user’s NRPE source directory (usually in /tmp/nrpe-2.15 if you followed the compiling NRPE from source document) and re-compiled using the –enable-ssl flag.

cd /tmp/nrpe-2.14(according to version)
./configure --enable-ssl
make all
make install

In case, if it’s installed from a corporate build or a package repo, we have to either uninstall the current NRPE package and install it from the source.

That resolves the NRPE SSL handshake error and Nagios starts monitoring the server again.

[Still having NRPE SSL handshake error? – We will fix it for you.]

Conclusion

In short, the NRPE SSL handshake error happens when the NRPE server has trouble communicating with the Nagios server. Today, we saw how our Support Engineers rectified this by adding Nagios server IP into the correct nrpe configuration file.