In the realm of monitoring systems, Nagios stands out for its robustness and versatility. However, when setting up or maintaining a Nagios configuration, particularly with remote server monitoring through the Nagios Remote Plugin Executor (NRPE), administrators might encounter the vexing error: “CHECK_NRPE: Error – Could not complete SSL handshake.” This error can halt monitoring processes, but fortunately, it’s a solvable problem with the right approach.
Understanding the Error
The “CHECK_NRPE: Error – Could not complete SSL handshake” message typically occurs during the attempt to establish a secure connection between the Nagios server and a remote host using NRPE. This SSL handshake failure is often due to configuration mismatches or restrictions that prevent successful communication.
Step-by-Step Solution
The resolution centers around ensuring that the NRPE configuration on the remote server permits connections from the Nagios monitoring server. Here’s how to tackle the issue methodically:
Step 1: Verify NRPE Configuration on the Remote Server
The first step is to check the NRPE configuration file on the remote server. This file, usually located at /etc/nagios/nrpe.cfg, contains the settings that dictate how NRPE operates, including which hosts are allowed to connect.
- Open the NRPE configuration file with your preferred text editor.
- Look for the allowed_hosts directive. This line specifies which IP addresses are permitted to communicate with the NRPE service.
Step 2: Update Allowed Hosts
If the Nagios server’s IP address is not listed under allowed_hosts, NRPE will refuse the connection, leading to the SSL handshake error. To fix this:
- Add the IP address of your Nagios server to the allowed_hosts line. If you’re monitoring multiple Nagios servers, separate each IP address with commas. You can also specify entire subnets using CIDR notation, like 192.168.10.0/24, to allow a range of addresses.
- The updated line might look something like this:
allowed_hosts=127.0.0.1,192.168.10.3,192.168.10.4
Step 3: Restart the NRPE Service
After updating the NRPE configuration, you must restart the NRPE service for the changes to take effect. This can typically be done with a command like:
sudo service nrpe restart
or for systems using systemd:
sudo systemctl restart nrpe.service
Step 4: Confirm the Configuration
The final step is to test the connection again from your Nagios server using the check_nrpe command:
/usr/lib64/nagios/plugins/check_nrpe -H remote_host_ip
If the configuration is correct, the SSL handshake error should no longer occur, and you’ll receive a proper response from the NRPE plugin on the remote server.
Conclusion
Encountering a “CHECK_NRPE: Error – Could not complete SSL handshake” error can be a stumbling block in monitoring setups, but with a careful approach to configuration and permissions, it can be swiftly resolved. The key lies in ensuring the NRPE service on remote servers is configured to allow connections from your Nagios server, thereby facilitating smooth and secure communications. By following the steps outlined above, system administrators can quickly overcome this hurdle and maintain robust monitoring across their networked environments.