[BUG] check_nrpe fails, SSL handshake error SOLVED
Michael Tucker
mtucker at airmail.net
Mon Jan 19 19:49:50 CET 2004
On Wednesday, January 7, 2004, at 02:45 PM, Michael Tucker wrote:
> Ethan, to bring you up to speed: there appears to be a bug in
> check_nrpe/nrpe, something to do with its implementation of OpenSSL. I
> apologize for the length of this message; it might be easier for you
> to follow if you go back and follow the thread from the beginning. But
> there's quite a bit of information here. Hopefully some of it will
> prove helpful to you.
>
> Here's the short form of the problem:
>> check_nrpe -> nrpe fails if SSL is enabled, and returns the message:
>>> # ./check_nrpe -H {host to monitor} -c check_load
>>> CHECK_NRPE: Error - Could not complete SSL handshake.
>>
>> If SSL is disabled (recompile with --disable-ssl), it works just fine.
>
> Michael
>
> [lengthy details snipped]

I have SOLVED this problem, at least for my Solaris installation.

It turns out that you need the SSL libraries in your system default
runtime link path. This seems obvious in retrospect, but nobody else
thought of it either, so I don't feel too bad. :-P

In Solaris, you can check (and fix) this with the crle command
("configure runtime linking environment"):

> # crle

This will display the current default library path, and configuration
file (if any). On new installs of Solaris, there's no configuration
file, and the path is just /usr/lib. You'll need to change this to
include /usr/local/lib and /usr/local/ssl/lib:

> # crle -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib
> # crle
>
> Configuration file [3]: /var/ld/ld.config
> Default Library Path (ELF):
> /usr/lib:/usr/local/lib:/usr/local/ssl/lib
> Trusted Directories (ELF): /usr/lib/secure (system default)
>
> Command line:
> crle -c /var/ld/ld.config -l
> /usr/lib:/usr/local/lib:/usr/local/ssl/lib

Without making any other modifications to the nrpe configuration (or to
/etc/inetd.conf or /etc/services, which are already configured to run
nrpe under inetd with tcp wrappers), I made the above change on both
the monitoring server and the monitored host. Then I copied my
already-compiled nrpe and check_nrpe (with SSL enabled) to their
respective runtime directories. Voila! It works. :-)

*doing the happy Snoopy dance* :-)

Yours,
Michael
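
A companion check for the fix described in the message above (an added example, not part of the original post and not nrpe project code): it lists the shared libraries that the runtime linker cannot resolve for a binary, which is the condition a default library path without the SSL directories would produce. The function names and the sample ldd output are constructed for illustration, and the library version numbers in the sample are assumptions.

```shell
#!/bin/sh
# Added example: find shared libraries the runtime linker cannot resolve.

# unresolved_libs: read ldd-style output on stdin and print the name of
# every library marked as missing. Solaris ldd prints "(file not found)",
# Linux ldd prints "not found"; both contain the same phrase.
unresolved_libs() {
    awk '/not found/ { print $1 }'
}

# check_binary FILE: run ldd on FILE and report unresolved libraries.
# Returns 0 when every dependency resolves, 1 otherwise.
check_binary() {
    missing=$(ldd "$1" 2>/dev/null | unresolved_libs)
    if [ -n "$missing" ]; then
        # $missing is left unquoted on purpose to join the names on one line
        printf '%s: unresolved: %s\n' "$1" "$(echo $missing)"
        return 1
    fi
    return 0
}

# Constructed sample of ldd output for an SSL-enabled binary on a host
# whose default library path is only /usr/lib.
sample_ldd_output() {
    cat <<'EOF'
        libssl.so.0.9.7 =>       (file not found)
        libcrypto.so.0.9.7 =>    (file not found)
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
EOF
}

# Check any binaries named on the command line, e.g. ./check_nrpe
for f in "$@"; do
    check_binary "$f"
done
```

Run it against both nrpe on the monitored host and check_nrpe on the monitoring server, before and after changing the default library path with crle.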