CHECK_NRPE: Error - Could not complete SSL handshake

I have an NRPE daemon process running under xinetd on an Amazon EC2 instance and a Nagios server on my local machine.

Running check_nrpe -H [amazon public IP] gives this error:

CHECK_NRPE: Error - Could not complete SSL handshake.

Both NRPE builds are the same version. Both are compiled with this option:

./configure  --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/

The "allowed host" entry contains my local IP address.

What could be the possible reason for this error?

If you are running nrpe as a service, make sure you have this line in your nrpe.cfg on the client side:

# example 192. IP, yours will probably differ
allowed_hosts=127.0.0.1,192.168.1.100 

You say that is done; however, if you are running nrpe under xinetd, make sure to also edit the only_from directive in the file /etc/xinetd.d/nrpe.

Don't forget to restart the xinetd service:

service xinetd restart

To check whether you have access to it at all, attempt a simple telnet to the address:port, or a ping or traceroute, to see where it is being blocked.

telnet IP port
ping IP
traceroute -p $port IP

Also check on the target server that the nrpe daemon is working properly:

netstat -at | grep nrpe

You also need to check the versions of OpenSSL installed on both servers, as I have seen this break checks on occasion at the SSL handshake!

@jgritty was right. You should edit nrpe.cfg and the nrpe xinetd config file to allow your master Nagios server access:

vim /usr/local/nagios/etc/nrpe.cfg
allowed_hosts=127.0.0.1,172.16.16.150

and

vim /etc/xinetd.d/nrpe
only_from= 127.0.0.1 172.16.16.150
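The two answers above describe two separate gates that both have to admit the Nagios server's IP: allowed_hosts in nrpe.cfg (checked by nrpe itself) and only_from in /etc/xinetd.d/nrpe (checked by xinetd before nrpe ever runs). The following script is an added example, not code from the thread or from the NRPE project: it parses both files and reports which layer rejects a given peer, so the generic "Could not complete SSL handshake" can be attributed to an access-list mismatch before you start blaming OpenSSL. The sample configs are constructed for the demonstration; entries are matched as literal IPs or CIDR networks only, and hostnames or xinetd's trailing-zero network form (192.168.1.0) are treated as non-matching (an assumption, resolve those separately). It also flags dont_blame_nrpe=1, since that setting lets every admitted host pass arguments to the configured commands.

```python
"""Diagnose the two access-control layers in front of an NRPE daemon.

Added example. A peer rejected by either layer has its TCP connection
closed before TLS completes, which check_nrpe reports only as
"Could not complete SSL handshake".
"""
import ipaddress
import re


def parse_nrpe_cfg(text):
    """Return {key: value} for uncommented key=value lines; last value wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_xinetd_only_from(text):
    """Return the only_from entries of an xinetd service file, honouring
    '=' (replace) and '+=' (append), or None if the attribute is absent
    (xinetd then applies no source restriction for that service)."""
    entries = None
    for line in text.splitlines():
        m = re.match(r"\s*only_from\s*(\+?=)\s*(.*)", line)
        if m:
            values = m.group(2).split()
            entries = values if (m.group(1) == "=" or entries is None) else entries + values
    return entries


def entry_matches(entry, ip):
    """True if `entry` (literal IP or CIDR network) covers `ip`.
    Hostnames and other syntaxes are not resolved here (assumption)."""
    try:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
    except ValueError:
        return False
    return addr in net


def diagnose(nrpe_cfg_text, xinetd_text, server_ip):
    """Return a list of problems for a Nagios server at server_ip; an empty
    list means both layers admit it. Lines prefixed 'warning:' are
    security observations that do not by themselves block the connection."""
    problems = []
    cfg = parse_nrpe_cfg(nrpe_cfg_text)
    allowed = [h.strip() for h in cfg.get("allowed_hosts", "").split(",") if h.strip()]
    if not any(entry_matches(e, server_ip) for e in allowed):
        problems.append(f"nrpe.cfg allowed_hosts={','.join(allowed) or '<unset>'} "
                        f"does not include {server_ip}")
    if xinetd_text is not None:
        only_from = parse_xinetd_only_from(xinetd_text)
        if only_from is not None and not any(entry_matches(e, server_ip) for e in only_from):
            problems.append(f"xinetd only_from={' '.join(only_from)} does not include {server_ip}")
    if cfg.get("dont_blame_nrpe") == "1":
        problems.append("warning: dont_blame_nrpe=1 lets every allowed host pass arguments "
                        "to commands; keep allowed_hosts minimal and avoid $ARGn$ in "
                        "commands that invoke a shell")
    return problems


# Constructed sample configs for the demonstration (not taken from the post).
SAMPLE_NRPE_CFG = """\
# allowed_hosts=10.0.0.5   (commented out, must be ignored)
allowed_hosts=127.0.0.1, 172.16.16.150
dont_blame_nrpe=0
"""
SAMPLE_XINETD = """\
service nrpe
{
    only_from       = 127.0.0.1
    disable         = no
}
"""

if __name__ == "__main__":
    for ip in ("127.0.0.1", "172.16.16.150", "10.0.0.5"):
        print(ip, diagnose(SAMPLE_NRPE_CFG, SAMPLE_XINETD, ip) or "allowed by both layers")
```

With the sample files, 172.16.16.150 is admitted by nrpe.cfg but rejected by xinetd, which is exactly the split the answers above warn about: fixing one file and forgetting the other leaves the handshake error in place.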

That's somewhat of a catch-all error message for NRPE. Check your firewall rules and make sure that port is open. Also try disabling SELinux and see if that lets the connection through. It's likely not an SSL issue, but just an issue with the connection being refused.

Check your /var/sys/system.log. In my case, it turned out my monitored IP was set to something other than the one I set in the nrpe.cfg file. I don't know the cause of this change, though.

It looks like you are running your Nagios server in a virtual machine on a host-only network. If this is so, this would stop any external access. Ensure that you have a NAT or bridged network available.

So many answers, and none of them hit the reason why I ran into this issue.

It turns out that Nagios has terrible cross-version support, and this was caused by me having a version 2 "client" (machine being monitored) and a version 3 "server" (monitoring machine).

Once I upgraded the client to version 3, the problem went away and I could do a check_nrpe -H [client IP] without issues.

Note that I am not sure if client/server are the right terms with Nagios, as in the case of an NRPE call the server is really the machine being called, but I digress.

Make sure you have restarted the Nagios client plugin.

I'm running nrpe using the xinetd service.

Make sure also (in addition to the basic steps above) that your nagios user is authenticating properly. In my case:

Jun  6 15:05:52 gse2 xinetd[33237]: Unknown user: nagios [file=/etc/xinetd.d/nrpe] [line=9]
Jun  6 15:05:52 gse2 xinetd[33237]: Error parsing attribute user - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=9]
Jun  6 15:05:52 gse2 xinetd[33237]: Unknown group: nagios [file=/etc/xinetd.d/nrpe] [line=10]
Jun  6 15:05:52 gse2 xinetd[33237]: Error parsing attribute group - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=10]
Jun  6 15:05:52 gse2 xinetd[33237]: Service nrpe missing attribute user - DISABLING

was showing in /var/log/messages.
It escaped me at first, but then I checked the ypbind service and found it was not started.
After starting ypbind, the nagios user and group were authenticating properly and the error went away.

In some edge cases restarting nagios-nrpe-server doesn't help, because the process was not killed or was not properly restarted.

Just kill it manually then, and start it again.

About the SSL handshake error message: besides the allowed_hosts you should assign, consider this.

Your Nagios server is in a local LAN with a class C IP address such as 192.168.x.x.

When the target monitored server sends the SSL message back to your local Nagios server, the message first arrives at the public IP of your line; it cannot cross the public IP into your Nagios server, whose IP is an internal one.

You need NAT to guide the SSL message from the target server to the inner Nagios server.

Or, better, use a "GET" method that just gets the monitoring message from the Nagios client side, such as SNMP, to fulfil remote monitoring of the local resources of Linux servers.

SSL needs feedback in both directions.

Best Regards

For me, setting the following in /etc/nagios/nrpe.cfg on the client worked:

dont_blame_nrpe=1

It's an Ubuntu 16.04 machine. For other possible problems, I recommend looking at the nrpe logs. Here is a good article for configuring logs.

If you are running Debian 9 then there is a known issue regarding this problem, caused by OpenSSL dropping support for the method NRPE uses to initiate anonymous SSL connections.

The issue seems to be fixed, but the fix hasn't made it into the official packages yet.

Currently there seems to be no secure work-around.
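The answer above points at the OpenSSL side rather than at the access lists. NRPE 2.x negotiates the anonymous ADH-AES256-SHA suite (no certificates) with a Diffie-Hellman parameter compiled in at build time, and OpenSSL 1.1.0 and later apply a "security level" that, from the default level 1 upward, rejects DH parameters shorter than 1024 bits; whether the anonymous suite can be offered at all also depends on the level and on how the library was built. The script below is an added example, not code from the thread or from the NRPE project: it probes the OpenSSL that the Python ssl module links against and reports, per security level, whether the NRPE 2 cipher can be offered and whether a DH parameter of a given size would pass, so you can tell before upgrading whether a client or daemon built against that library could ever complete an NRPE 2 handshake. The 512-bit default is what the NRPE 2.x build scripts generated; treat it as an assumption and pass the real size if your build's dh.h differs. The per-level DH minimums are the documented values from SSL_CTX_set_security_level(3). It assumes Python links the same OpenSSL as your nrpe/check_nrpe binaries; if not, run it on the relevant host with the matching interpreter.

```python
"""Probe the local OpenSSL for the anonymous-DH cipher suite NRPE 2.x uses.

Added example. Results are environment-dependent by design: the point is
to learn what this particular OpenSSL build will accept.
"""
import ssl

# Suite negotiated by NRPE 2.x (anonymous DH, no certificate on either side).
NRPE2_CIPHER = "ADH-AES256-SHA"


def cipher_allowed(cipher=NRPE2_CIPHER, seclevel=None):
    """True if a client context can be configured to offer `cipher` at the
    given OpenSSL security level (None = the library's default level)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    spec = cipher if seclevel is None else f"{cipher}:@SECLEVEL={seclevel}"
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # "No cipher can be selected": compiled out, excluded at this level,
        # or (on libraries without @SECLEVEL support) the syntax is rejected.
        return False
    return any(c["name"] == cipher for c in ctx.get_ciphers())


def min_dh_bits_for_seclevel(seclevel):
    """Smallest DH parameter OpenSSL accepts at a security level
    (values documented in SSL_CTX_set_security_level(3))."""
    table = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
    return table[seclevel]


def nrpe2_probe(dh_bits=512):
    """Summarise whether an NRPE 2.x peer whose build embedded a `dh_bits`
    DH parameter could complete a handshake against this OpenSSL at
    security levels 0..5. 512 is the assumed NRPE 2.x build default."""
    report = {"openssl": ssl.OPENSSL_VERSION, "levels": {}}
    for level in range(6):
        report["levels"][level] = {
            "cipher_offered": cipher_allowed(seclevel=level),
            "dh_param_accepted": dh_bits >= min_dh_bits_for_seclevel(level),
        }
    report["default_cipher_offered"] = cipher_allowed()
    return report


if __name__ == "__main__":
    r = nrpe2_probe()
    print(r["openssl"], "| ADH offered at default level:", r["default_cipher_offered"])
    for level, res in r["levels"].items():
        print(f"SECLEVEL={level}: cipher offered={res['cipher_offered']}, "
              f"512-bit DH accepted={res['dh_param_accepted']}")
```

Reading the output: a handshake needs both columns true at the level the peer's library runs; a library that only admits the suite and the short DH parameter at SECLEVEL=0 is telling you that the only way to keep NRPE 2 working is to lower the security level on the daemon side, which is the "no secure work-around" the answer refers to. Upgrading both ends to an NRPE release built with a 2048-bit parameter clears the DH column at level 2.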

Check the configuration in /etc/xinetd.d/nrpe and verify the server IP. If it shows only_from = 127.0.0.1, change it to the server IP.
