FS#53850 - [nrpe] "Error: Could not complete SSL handshake with 127.0.0.1: 1" since OpenSSL 1.1
Attached to Project: Community Packages
Opened by Moritz Bunkus (mbunkus) - Thursday, 27 April 2017, 10:43 GMT
Last edited by Jonathan Steel (jsteel) - Tuesday, 09 May 2017, 10:58 GMT
Details
Description:
Since doing a full system upgrade and a subsequent reboot yesterday, all connections from check_nrpe to the nrpe daemon fail with the error message mentioned in the subject.

This happens with a configuration file that used to work until right before the upgrade. This also happens with the default configuration file as provided by the nrpe package. This happens with check_nrpe running on a different machine (CentOS with Nagios installed), and it happens with check_nrpe running on localhost (meaning the binary from the same package the nrpe daemon comes from).

The only way to get it working again is to run both the nrpe daemon and the check_nrpe client with the "-n" option in order to disable SSL.

I'm fully aware that the most common cause of the "could not complete SSL handshake" message is "allowed_hosts" being wrong. This is not the case for me: the configuration used to work before the update and fails afterwards, and the default configuration allows 127.0.0.1 and even connection from there doesn't work.

Re-compiling the nrpe 3.1.0-1 package on my system didn't change anything.

Additional info:
* package versions: nrpe 3.1.0-1, openssl 1.1.0.e-1
* config files: use the standard nrpe.cfg file from the nrpe package
* journal from such a communication:

Apr 27 12:39:52 sweet-chili nrpe[7704]: add_ipv4_to_acl: Error, ip-address >::1< incorrect length
Apr 27 12:39:52 sweet-chili nrpe[7704]: Starting up daemon
Apr 27 12:39:52 sweet-chili nrpe[7704]: Server listening on 0.0.0.0 port 5666.
Apr 27 12:39:52 sweet-chili nrpe[7704]: Server listening on :: port 5666.
Apr 27 12:39:52 sweet-chili nrpe[7704]: Listening for connections on port 5666
Apr 27 12:39:52 sweet-chili nrpe[7704]: Allowing connections from: 127.0.0.1,::1
Apr 27 12:39:55 sweet-chili nrpe[7795]: Error: Could not complete SSL handshake with 127.0.0.1: 1
Apr 27 12:39:55 sweet-chili check_nrpe[7793]: Error: Could not complete SSL handshake with 127.0.0.1: rc=-1 SSL-error=1

Steps to reproduce:
* purge any traces of an existing installation of nrpe
* make sure system is up to date and has openssl 1.1.0.e-1 or later installed
* install nrpe
* leave configuration at its default
* start the nrpe daemon, either manually or via systemd
* run "/usr/lib/monitoring-clients/check_nrpe -H 127.0.0.1 -c check_users"
* observe the error from both check_nrpe (in the terminal) and the nrpe daemon (in the journal)
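The allowed_hosts cross-check described in the report can be run mechanically over the journal: compare the peer in each daemon-side handshake failure against the most recent "Allowing connections from" line. This is an added example, not part of the original report or of NRPE; it assumes the two log line formats quoted above, and the function names and the 10.0.0.5 sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines in the format quoted in the report, plus one
# made-up failure from a peer outside the ACL for contrast.
SAMPLE_JOURNAL = """\
Apr 27 12:39:52 sweet-chili nrpe[7704]: Allowing connections from: 127.0.0.1,::1
Apr 27 12:39:55 sweet-chili nrpe[7795]: Error: Could not complete SSL handshake with 127.0.0.1: 1
Apr 27 12:39:55 sweet-chili check_nrpe[7793]: Error: Could not complete SSL handshake with 127.0.0.1: rc=-1 SSL-error=1
Apr 27 12:40:10 sweet-chili nrpe[7801]: Error: Could not complete SSL handshake with 10.0.0.5: 1
"""

# \b keeps "check_nrpe[...]" client lines from matching the daemon patterns.
ALLOW_RE = re.compile(r"\bnrpe\[\d+\]: Allowing connections from: (.+)$")
FAIL_RE = re.compile(r"\bnrpe\[\d+\]: Error: Could not complete SSL handshake with (\S+): ")


def parse_acl(value):
    """Turn the logged allowed_hosts list into networks (IPs and CIDR only)."""
    nets = []
    for entry in value.split(","):
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            pass  # hostname entries are not resolved here (limitation)
    return nets


def triage(journal):
    """Return (peer, 'in_acl' | 'not_in_acl') per daemon-side handshake failure."""
    acl, results = [], []
    for line in journal.splitlines():
        m = ALLOW_RE.search(line)
        if m:
            acl = parse_acl(m.group(1))  # latest daemon start wins
            continue
        m = FAIL_RE.search(line)
        if not m:
            continue
        try:
            peer = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # peer logged as something other than an IP
        allowed = any(peer.version == n.version and peer in n for n in acl)
        results.append((str(peer), "in_acl" if allowed else "not_in_acl"))
    return results


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_JOURNAL):
        print(peer, verdict)
```

A failure tagged in_acl, as for 127.0.0.1 here, means allowed_hosts is not the cause and the handshake itself needs investigating.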
Same behaviour if you additionally install the package „openssl-1.0“?
I cannot test removing openssl-1.0 as that would remove quite a lot of other important packages from my two production servers.