Linux CHECK_NRPE: Error - Could not complete SSL handshake

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow original URL: http://stackoverflow.com/questions/20520334/

Time: 2020-08-07 01:36:12  Source: igfitidea

CHECK_NRPE: Error - Could not complete SSL handshake

linux ssl nagios nrpe nagiosxi

Asked by Dushyant Gupta

I have NRPE daemon process running under xinetd on amazon ec2 instance and nagios server on my local machine.

The check_nrpe -H [amazon public IP] gives this error:

CHECK_NRPE: Error - Could not complete SSL handshake.

Both Nrpe are same versions. Both are compiled with this option:

./configure  --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/i386-linux-gnu/

"allowed host" entry contains my local IP address.

What could be the possible reason of this error now??

Accepted answer by drewboswell

To check if you have access to it at all attempt a simple telnet on the address:port, a ping or traceroute to see where it is blocking.

telnet IP port
ping IP
traceroute -p $port IP

Also check on the target server that the nrpe daemon is working properly.

netstat -at | grep nrpe

You also need to check the versions of OpenSSL installed on both servers, as I have seen this break checks on occasion with the SSL handshake!

Answer by Michael Guthrie

That's somewhat of a catch-all error message for NRPE. Check your firewall rules and make sure that port is open. Also try disabling SELinux and seeing if that lets the connection through. It's likely not an SSL issue, but just an issue with the connection being refused.

Answer by jgritty

If you are running nrpe as a service, make sure you have this line in your nrpe.cfg on the client side:

# example 192. IP, yours will probably differ
allowed_hosts=127.0.0.1,192.168.1.100 

You say that is done, however, if you are running nrpe under xinetd, make sure to edit the only_from directive in the file /etc/xinetd.d/nrpe.

Don't forget to restart the xinetd service:

service xinetd restart

Answer by Özgür

check your /var/sys/system.log. In my case, it turned out my monitored IP was set to something else than the one I set in nrpe.cfg file. I don't know the cause of this change, though.

Answer by NOZUONOHIGH

@jgritty was right. You should edit nrpe.cfg and nrpe config files to allow your master nagios server's access:

vim /usr/local/nagios/etc/nrpe.cfg
allowed_hosts=127.0.0.1,172.16.16.150

and

vim /etc/xinetd.d/nrpe
only_from= 127.0.0.1 172.16.16.150
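
The two access lists named in the answers above (allowed_hosts in nrpe.cfg and only_from in /etc/xinetd.d/nrpe) can be checked together for the monitoring server's address. The script below is an added example, not code from the thread; the function names and the sample files are constructed for illustration, and only literal IPv4 entries are compared.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Nagios server's IP is
# listed in BOTH nrpe.cfg (allowed_hosts) and the xinetd file (only_from).
# Assumption: only literal IPv4 entries are compared; CIDR ranges and hostnames
# are not expanded, so they are reported as MISSING and need a manual look.

# Print the values of a "key = v1,v2 v3" directive, one per line.
directive_values() {   # $1=file  $2=key
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*\+?=[[:space:]]*//p" "$1" |
        sed 's/#.*$//' | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# Report on one file: returns 0 if listed, 1 if not listed, 2 if directive absent.
check_directive() {    # $1=file  $2=key  $3=ip
    vals=$(directive_values "$1" "$2")
    if [ -z "$vals" ]; then
        echo "ABSENT  $2 is not set in $1 (review manually)"; return 2
    fi
    if printf '%s\n' "$vals" | grep -qxF -- "$3"; then
        echo "OK      $2 in $1 lists $3"; return 0
    fi
    echo "MISSING $2 in $1 does not list $3"; return 1
}

# Returns 0 only when both files list the address explicitly.
check_nrpe_acl() {     # $1=nrpe.cfg  $2=xinetd nrpe file  $3=server ip
    rc=0
    check_directive "$1" allowed_hosts "$3" || rc=1
    check_directive "$2" only_from "$3" || rc=1
    return $rc
}

# Constructed sample files, using the addresses quoted in the answers above.
demo=$(mktemp -d)
printf 'server_port=5666\nallowed_hosts=127.0.0.1,172.16.16.150\n' > "$demo/nrpe.cfg"
printf 'service nrpe\n{\n\tuser = nagios\n\tonly_from = 127.0.0.1\n}\n' > "$demo/nrpe.xinetd"
check_nrpe_acl "$demo/nrpe.cfg" "$demo/nrpe.xinetd" 172.16.16.150 \
    || echo "=> add the address where MISSING, then restart xinetd"
```

On a real host, pass the actual paths of nrpe.cfg and /etc/xinetd.d/nrpe and the IP the monitored machine sees the Nagios server coming from.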

Answer by em110905

It looks like you are running your Nagios server in a virtual machine on a host-only network. If this is so, this would stop any external access. Ensure that you have a NAT or Bridged Network available.

Answer by user2315218

Make sure that you have restarted the Nagios Client Plugin as well.

Answer by Gene Brotherton

I'm running nrpe using the xinetd service.

Make sure also (in addition to the above basic steps) that your nagios user is authenticating properly. In my case:

Jun  6 15:05:52 gse2 xinetd[33237]: Unknown user: nagios [file=/etc/xinetd.d/nrpe] [line=9]
Jun  6 15:05:52 gse2 xinetd[33237]: Error parsing attribute user - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=9]
Jun  6 15:05:52 gse2 xinetd[33237]: Unknown group: nagios [file=/etc/xinetd.d/nrpe] [line=10]
Jun  6 15:05:52 gse2 xinetd[33237]: Error parsing attribute group - DISABLING SERVICE [file=/etc/xinetd.d/nrpe] [line=10]
Jun  6 15:05:52 gse2 xinetd[33237]: Service nrpe missing attribute user - DISABLING

Was showing in the /var/log messages.
It escaped me at first, but then I did a check on ypbind service and found it was not started.
After starting ypbind, nagios user and group was authenticating properly, the error went away.

Answer by SielaQ

In some edge cases restarting nagios-nrpe-server doesn't help, due to the fact that the process was not killed or it was not properly restarted.

just kill it manually then, and start.

Answer by Ricky

SSL handshake error msg. Beside the allow_host you should assign.

your nagios server is in a local lan with C type ip address such as 192.168.xxxx

when the target monitored server feedback the ssl msg to your local nagios server, the message should first come to your public IP of your line, the message cannot across the public IP into your nagios server which ip is an internal one.

you need NAT to guide the SSL message from target server to inner nagios server.

Or you better use "GET" method which just get monitor message from the nagios client side, such as SNMP to fulfill the remote monitor of local resource of linux servers.

SSL need feedback in double direction.

Best Regards