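CHECK_NRPE: Error - Could not complete SSL handshake, caused by a misconfigured nrpe.cfg

Source: CHECK_NRPE: Error - Could not complete SSL handshake, caused by a misconfigured nrpe.cfg

Most Linux distributions ship with openssl and openssl-devel, and the system's iptables does not block traffic on port 5666. I installed nrpe following the steps available online, ran it as a service, and then ran the check command check_nrpe -H ip, only to get: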

CHECK_NRPE: Error - Could not complete SSL handshake

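I searched Baidu and Google, and basically everyone has copied the same English passage and then added their own take on it. Under normal circumstances:

  • Different versions. Make sure you are using the same version of the check_nrpe plugin and the NRPE daemon. Newer versions of NRPE are usually not backward compatible with older versions. [nagios 3.06stable, nagios-plugins-1.4.13 and nrpe-2.12, downloaded normally from nagios, match each other completely, so there is no reason at all to doubt this.]
  • SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support and that neither are being run without SSL support (using command line switches). [Running ./configure --prefix=/usr/local/nrpe with no other parameters compiles with SSL by default, so there is even less reason to suspect this.]
  • Incorrect file permissions. Make sure the NRPE config file (nrpe.cfg) is readable by the user (i.e. nagios) that executes the NRPE binary from inetd/xinetd. [After installing as root, running chown -R nagios.nagios nrpe changes the user and group of the nrpe directory and all its files to nagios.]
  • Pseudo-random device files are not readable. Greg Haygood noted the following… “After wringing my hair out and digging around with truss, I figured out the problem on my Solaris 8 boxen. The files /devices/pseudo/random* (linked through /dev/*random, and provided by Sun patch 112438) were not readable by the nagios user I use to launch NRPE. Making the character devices world-readable solved it.” [Solaris can be ignored outright; I did this on a Red Hat distribution.]
  • Unallowed address. If you’re running the NRPE daemon under xinetd, make sure that you have a line in the xinetd config file that says “only_from = xxx.xxx.xxx.xxx”, where xxx.xxx.xxx.xxx is the IP address that you’re connected to the NRPE daemon from. [I am not using xinetd; I configured the listening IP directly and run the daemon stand-alone. The nrpe.cfg documentation states clearly that the allowed IPs set there have no effect when running under xinetd, so this is not the problem either.]

I had read this post earlier and, as a result, went debugging everywhere, suspicious of everything, and found no solution. I went back to the documentation and found that it does not mention this issue either. In the end I happened to remember that many weak scripts tend to get confused by whitespace characters (spaces, tabs, carriage returns) when pattern matching, so I gave that a try.

Originally, when I configured the allowed IPs in nrpe.cfg, it looked like this: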

# ALLOWED HOST ADDRESSES
# This is an optional comma-delimited list of IP address or hostnames
# that are allowed to talk to the NRPE daemon.
#
# Note: The daemon only does rudimentary checking of the client’s IP
# address. I would highly recommend adding entries in your /etc/hosts.allow
# file to allow only the specified host to connect to the port
# you are running this daemon on.
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

allowed_hosts=127.0.0.1,   172.16.1.11,   172.16.1.8

As shown, there were spaces after the commas above. I removed the spaces and changed the line to

allowed_hosts=127.0.0.1,172.16.1.11

Then I restarted the nrpe service, and running ./check_nrpe -H IP again worked.

[root@www libexec]# ./check_nrpe -H 172.16.1.11
NRPE v2.12
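
A lint check for the whitespace problem described above, as an added example that is not part of the original post or of NRPE: it lists allowed_hosts entries that carry leading or trailing whitespace and prints the directive with the whitespace removed. The function names and the sample file are constructed for illustration, and the script assumes the directive is written as allowed_hosts=... at the start of a line, as in the post.

```shell
#!/bin/sh
# Added example (not from the post or the NRPE project): lint the
# allowed_hosts directive of an nrpe.cfg-style file for stray whitespace.

# Print the value of the last allowed_hosts= directive in file "$1".
# Commented-out lines do not match because the pattern is anchored.
allowed_hosts_value() {
    sed -n 's/^allowed_hosts=//p' "$1" | tail -n 1
}

# Print each entry that has leading or trailing whitespace (spaces, tabs,
# carriage returns), wrapped in [] so the padding is visible.
padded_entries() {
    allowed_hosts_value "$1" | tr ',' '\n' |
        sed -n -E '/^[[:space:]]|[[:space:]]$/s/.*/[&]/p'
}

# Print the directive with all whitespace stripped from its value.
normalized_directive() {
    printf 'allowed_hosts=%s\n' \
        "$(allowed_hosts_value "$1" | tr -d '[:space:]')"
}

# Constructed sample input: the directive exactly as shown in the post.
sample=$(mktemp)
printf '%s\n' '# ALLOWED HOST ADDRESSES' \
    'allowed_hosts=127.0.0.1,   172.16.1.11,   172.16.1.8' > "$sample"

if [ -n "$(padded_entries "$sample")" ]; then
    echo "allowed_hosts entries with stray whitespace:"
    padded_entries "$sample"
    echo "suggested replacement:"
    normalized_directive "$sample"
fi
rm -f "$sample"
```

Point the three functions at the real nrpe.cfg path on the monitored host, and restart the nrpe service after changing the directive, as the post does.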
