
How to solve the problem "CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with <IP>"

The problem

When using check_nrpe version 4.0.3 (or later), the target host is required to have a 2048-bit Diffie-Hellman key. NSClient++ (as of the current version 0.5.2.35) only provides a 512-bit key.

Solution

To solve this, generate a new key and use it instead of the pre-generated key.

Generate the new key

On your OP5 Monitor server, run the following command to generate the key:

# openssl dhparam -C 2048 2> /dev/null|sed -n '/BEGIN/,/END/p'

This may take several minutes. When it is done, it will produce a key looking similar to this one:

-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9ScyVoVj7FaW/0+V1hrbiZhIEHJL+XgDDKhgMKMT9rtaEGSHfagr
TaqQqCIh54mQhbM73Jd9HaFGoKzgHcWvzJDA4tjErYF/4ZJIPrYs3USqYqFCq/Xf
F63DlgDSAFNIzjUum7KQ5l+yxy7eVgqJC+tR9CFvLpte0PPIwm7QU+Em49OaImqr
/+9Pf1N0u9/vaNlME5rLfqt/YROB+nw+hvTMwOw3v9gBlQfV0F4VMRAq1Lgk4+x5
Vw/2EkD/+CVwCtrfwp/WyTyOsHi+lktdRmnePx1PrTnPz1/JvUSF2nFul+Zy6ySQ
qHKaKq1rw2K1Q7urw2Dsm7uhv/beHcuZCwIBAg==
-----END DH PARAMETERS-----

Install the new key on your host

Copy the text displayed when generating the key and paste it into a new file on your host. Name this file C:\Program Files\NSClient++\security\nrpe_dh_2048.pem. Adjust the path if your NSClient++ installation is located somewhere else on the disk.

Enable the new key

Open the command line on your host and run the following command from the directory of your NSClient++ installation:

.\nscp.exe settings --path /settings/NRPE/server --key dh --set "C:\Program Files\NSClient++\security\nrpe_dh_2048.pem"

Restart NSClient++

Stop and start the client:

net stop nscp
net start nscp

Test the new key

Run the following on your OP5 Monitor server to verify that it is now working:

# /opt/plugins/check_nrpe -H <IP>

(Replace <IP> with the actual address of your host.)

Additional steps

If you get the error “CHECK_NRPE: Invalid packet version received from server.”, then you will need to add the option -2 to your check_command.
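
If the handshake still fails after the steps above, a pasted file that does not actually hold a 2048-bit prime is one thing to rule out. The script below is an added example, not part of the original FAQ or of OP5 Monitor or NSClient++: it decodes a PEM DH PARAMETERS block and reports the prime size. The function names are illustrative, and the 512-bit input is constructed (not a real prime) only to show the rejection case.

```python
import base64
import re
import sys

MIN_BITS = 2048  # size this page says check_nrpe 4.0.3+ requires
# Sample output shown on this page (public parameters, not a secret).
PAGE_SAMPLE = """-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9ScyVoVj7FaW/0+V1hrbiZhIEHJL+XgDDKhgMKMT9rtaEGSHfagr
TaqQqCIh54mQhbM73Jd9HaFGoKzgHcWvzJDA4tjErYF/4ZJIPrYs3USqYqFCq/Xf
F63DlgDSAFNIzjUum7KQ5l+yxy7eVgqJC+tR9CFvLpte0PPIwm7QU+Em49OaImqr
/+9Pf1N0u9/vaNlME5rLfqt/YROB+nw+hvTMwOw3v9gBlQfV0F4VMRAq1Lgk4+x5
Vw/2EkD/+CVwCtrfwp/WyTyOsHi+lktdRmnePx1PrTnPz1/JvUSF2nFul+Zy6ySQ
qHKaKq1rw2K1Q7urw2Dsm7uhv/beHcuZCwIBAg==
-----END DH PARAMETERS-----"""

def _tlv(buf, pos, tag):
    """Read one DER element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected or truncated DER element")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def dh_params(pem_text):
    """Return (prime_bits, generator) from a PEM DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    seq, _ = _tlv(der, 0, 0x30)       # SEQUENCE { p, g }
    p_raw, nxt = _tlv(seq, 0, 0x02)   # INTEGER p (the prime)
    g_raw, _ = _tlv(seq, nxt, 0x02)   # INTEGER g (the generator)
    return int.from_bytes(p_raw, "big").bit_length(), int.from_bytes(g_raw, "big")

def constructed_weak_pem():  # constructed 512-bit stand-in (not a real prime)
    body = b"\x02\x41\x00" + ((1 << 511) | 1).to_bytes(64, "big") + b"\x02\x01\x02"
    der = b"\x30" + bytes([len(body)]) + body
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_SAMPLE
    bits, g = dh_params(text)
    print(f"{bits}-bit prime, generator {g}:", "OK" if bits >= MIN_BITS else "TOO SMALL")
```

Pass the path of the generated PEM file as the first argument; with no argument the script checks the sample block shown on this page.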
